How to calculate the wildcard mask in ACL

mmozanen
Level 1

Dears,

I know it may look like a very basic question, but frankly I searched the net, books & asked many friends and no one could help.

I want to create one or two access list to hit the following ip prefix.

192.168.2.0

192.168.6.0

192.168.11.0

192.168.15.0

192.168.18.0

May you kindly explain it for me by binary calculation.

regards

Accepted Solution

Richard Burts
Hall of Fame

I think that your question is asking about ways to have a single line in the ACL match more than one address so that with one or two lines of ACL you could match these 5 addresses. The way to start that is to figure out what these addresses have in common. They all have 192.168 in the first two octets and 0 in the last octet. So the third octet is where there is any variation. So we need to start with the value of the third octet in binary:

2 is 00000010

6 is 00000110

11 is 00001011

15 is 00001111

18 is 00010010

If you look at the binary and see which numbers have most bits in common we see that 2 and 6 have 7 of 8 bits in common and could be grouped together. We see that 11 and 15 have 7 of 8 bits in common and could be grouped together.

So to group 2 and 6 we want a mask that says that bit positions 1, 2, 3, 4, 5, 7, and 8 must match and bit position 6 does not. The mask with 0 in 1, 2, 3, 4, 5, 7, and 8 is 00000100 (decimal 4). And to group 11 and 15 we also need bits 1, 2, 3, 4, 5, 7, and 8 to match so we would use that mask again 00000100.

There is not a way to combine 18 very well with the other addresses. So an ACL would need 3 statements to match these 5 addresses.

permit 192.168.2.0 0.0.4.0

permit 192.168.11.0 0.0.4.0

permit 192.168.18.0 0.0.0.0

HTH

Rick
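To make the binary reasoning in the answer checkable, here is an added Python example (not code from the thread or from Cisco): it derives the wildcard that lets one line cover a set of addresses the way Rick describes (a 1 bit wherever the addresses differ), evaluates a line the way IOS does, and enumerates every address a permit line matches so you can confirm it does not cover more than intended. The addresses and ACL lines are the ones from this thread; the helper names are my own.

```python
import ipaddress
from itertools import product


def _i(a):
    return int(ipaddress.IPv4Address(a))


def _s(v):
    return str(ipaddress.IPv4Address(v))


def wildcard_for(addresses):
    """Smallest wildcard that lets one ACL line match every address listed:
    a bit becomes 1 (don't care) wherever any address differs from the first."""
    base = _i(addresses[0])
    mask = 0
    for a in addresses[1:]:
        mask |= base ^ _i(a)
    return _s(mask)


def acl_matches(entry, wildcard, candidate):
    """IOS check: bits where the wildcard is 0 must equal the entry; 1 bits are ignored."""
    w = _i(wildcard)
    return (_i(entry) & ~w) == (_i(candidate) & ~w)


def matched_addresses(entry, wildcard):
    """Every address a single permit line covers (2**n addresses for n wildcard bits set)."""
    e, w = _i(entry), _i(wildcard)
    free = [b for b in range(32) if (w >> b) & 1]
    out = []
    for combo in product((0, 1), repeat=len(free)):
        v = e & ~w
        for bit, on in zip(free, combo):
            v |= on << bit
        out.append(_s(v))
    return sorted(out, key=_i)


def over_permitted(lines, intended):
    """Audit: addresses hit by any (entry, wildcard) line that were not meant to be."""
    covered = set()
    for entry, wc in lines:
        covered.update(matched_addresses(entry, wc))
    return sorted(covered - set(intended), key=_i)


# Constructed from the thread: the five networks and the three-line ACL from the answer.
INTENDED = ["192.168.2.0", "192.168.6.0", "192.168.11.0", "192.168.15.0", "192.168.18.0"]
THREAD_ACL = [("192.168.2.0", "0.0.4.0"), ("192.168.11.0", "0.0.4.0"), ("192.168.18.0", "0.0.0.0")]

if __name__ == "__main__":
    print(wildcard_for(["192.168.2.0", "192.168.6.0"]))  # 0.0.4.0, as in the answer
    print(wildcard_for(INTENDED))  # 0.0.29.0: one line could cover all five...
    print(over_permitted([("192.168.2.0", "0.0.29.0")], INTENDED))  # ...but also 11 unintended networks
    print(over_permitted(THREAD_ACL, INTENDED))  # []: the three-line ACL is exact
```

Because the last octet of each wildcard in the thread is 0, each line matches only the .0 address of its network; a last octet of 255 would be needed to cover every host in those /24s. The audit also shows why three lines are needed: a single line for all five (wildcard 0.0.29.0) would permit 11 networks nobody asked for.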


Dear Rick,

Thank you very very much for the fast response and also for the detailed explanation. I tried it with other combinations and it works well.

regards.

Moe

I am glad that my explanation helped you to understand this better. Thanks for using the rating system to indicate that your question was resolved (and thanks for the rating). The forum is a very good place to learn concepts like the masking of access lists. I encourage you to continue your participation in the forum.

HTH

Rick