“there are 10 kinds of people, those who understand binary and those who don’t….”
In this post I will try to explain how to compute wildcard masks for access-lists that have to match a scattered set of addresses. Say we had the following IP addresses and needed an access-list for them with as few rules as possible, one that matches only the addresses listed and nothing else:
| 10.10.168.0 |
| 10.10.170.0 |
| 10.10.172.0 |
| 10.10.174.0 |
| 10.10.176.0 |
| 10.10.178.0 |
First let's write the third octet out in binary (the first two octets, 10.10, and the last octet, 0, are identical in every address, so only the third octet matters):

| | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
|---|---|---|---|---|---|---|---|---|
| 168 | 1 | 0 | 1 | 0 | 1 | 0 | 0 | 0 |
| 170 | 1 | 0 | 1 | 0 | 1 | 0 | 1 | 0 |
| 172 | 1 | 0 | 1 | 0 | 1 | 1 | 0 | 0 |
| 174 | 1 | 0 | 1 | 0 | 1 | 1 | 1 | 0 |
| 176 | 1 | 0 | 1 | 1 | 0 | 0 | 0 | 0 |
| 178 | 1 | 0 | 1 | 1 | 0 | 0 | 1 | 0 |
As you can see, four bit positions differ between these addresses: the 16, 8, 4 and 2 bits. A wildcard mask sets a 1 in every bit position the ACL should ignore, so a single mask covering all six addresses would be 0.0.30.0 (16 + 8 + 4 + 2 = 30), with the base address 10.10.160.0 (the common bits, i.e. all differing bits set to 0). The problem with this mask is that it is too permissive: four "don't care" bits match 2^4 = 16 addresses, so ten addresses that were never on our list get through as well. With a permit rule that is exactly the kind of silent over-match that turns a tight filter into a hole.
All of these addresses would be allowed:
| 10.10.160.0 |
| 10.10.162.0 |
| 10.10.164.0 |
| 10.10.166.0 |
| 10.10.168.0 |
| 10.10.170.0 |
| 10.10.172.0 |
| 10.10.174.0 |
| 10.10.176.0 |
| 10.10.178.0 |
| 10.10.180.0 |
| 10.10.182.0 |
| 10.10.184.0 |
| 10.10.186.0 |
| 10.10.188.0 |
| 10.10.190.0 |
Instead of using this single wildcard mask we can write an access-list with two lines: cut the set in two groups so that within each group the differing bits produce no unwanted addresses, and compute a wildcard mask per group:

| | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
|---|---|---|---|---|---|---|---|---|
| 168 | 1 | 0 | 1 | 0 | 1 | 0 | 0 | 0 |
| 170 | 1 | 0 | 1 | 0 | 1 | 0 | 1 | 0 |
| 172 | 1 | 0 | 1 | 0 | 1 | 1 | 0 | 0 |
| 174 | 1 | 0 | 1 | 0 | 1 | 1 | 1 | 0 |

| | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
|---|---|---|---|---|---|---|---|---|
| 176 | 1 | 0 | 1 | 1 | 0 | 0 | 0 | 0 |
| 178 | 1 | 0 | 1 | 1 | 0 | 0 | 1 | 0 |
So for the addresses 10.10.168.0, 10.10.170.0, 10.10.172.0 and 10.10.174.0 only the 4 and 2 bits differ. This gives a wildcard mask of 0.0.6.0 (since 4 + 2 = 6), and because those two bits are already 0 in 168, 10.10.168.0 is the correct base address: the rule matches exactly the four addresses in the group (2^2 = 4) and nothing else.
For the addresses 10.10.176.0 and 10.10.178.0 only the 2 bit differs, so the wildcard mask is 0.0.2.0 with base address 10.10.176.0, matching exactly those two.
The access-list therefore looks like this (the base address of each line has zeros in all of its wildcard bit positions, which is how you can check at a glance that a line matches what you think it does):
access-list 1 permit 10.10.168.0 0.0.6.0
access-list 1 permit 10.10.176.0 0.0.2.0
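The bit-fiddling above is easy to get wrong by hand, so here is the same procedure as a small Python script. This is an added example, not code from the original post: it computes the single over-permissive mask (AND/OR over the set, then XOR to find the differing bits), enumerates everything that mask would actually let through, and then greedily covers the set with aligned blocks that contain only listed addresses, which reproduces the two-line access-list. The greedy cover is not guaranteed to be minimal for every possible input set (that is a boolean-minimisation problem, Quine–McCluskey territory), but each rule it emits is guaranteed to match only addresses from the list; the address list and the function names are this example's own.

```python
import ipaddress
from itertools import combinations

# Constructed input: the six addresses from the post.
ADDRS = ["10.10.168.0", "10.10.170.0", "10.10.172.0",
         "10.10.174.0", "10.10.176.0", "10.10.178.0"]

MASK32 = 0xFFFFFFFF


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def to_str(n):
    return str(ipaddress.IPv4Address(n))


def covering_wildcard(addrs):
    """One (base, wildcard) pair covering every address in addrs.

    Wildcard bits are exactly the bit positions that differ across the set
    (AND ^ OR); the base is the common bits, i.e. zeros under the wildcard."""
    ints = [to_int(a) for a in addrs]
    all_and, all_or = ints[0], ints[0]
    for n in ints[1:]:
        all_and &= n
        all_or |= n
    return to_str(all_and), to_str(all_and ^ all_or)


def expand(base, wildcard):
    """Every address matched by base/wildcard: 2**popcount(wildcard) of them."""
    b, w = to_int(base), to_int(wildcard)
    b &= ~w & MASK32                      # ignore base bits under the wildcard
    bits = [1 << i for i in range(32) if w & (1 << i)]
    out = []
    for k in range(1 << len(bits)):       # walk every combination of don't-care bits
        v = b
        for i, bit in enumerate(bits):
            if k & (1 << i):
                v |= bit
        out.append(v)
    return [to_str(v) for v in sorted(out)]


def overmatched(addrs):
    """Addresses the single covering wildcard lets through that were never listed."""
    base, wc = covering_wildcard(addrs)
    return sorted(set(expand(base, wc)) - set(addrs), key=to_int)


def exact_rules(addrs):
    """Greedy cover of addrs with (base, wildcard) pairs that match only listed addresses.

    Candidate wildcards are subsets of the bits that vary across the whole set,
    tried largest-first, so each rule absorbs as many listed addresses as it can."""
    want = {to_int(a) for a in addrs}
    _, wc = covering_wildcard(addrs)
    varying = [1 << i for i in range(32) if to_int(wc) & (1 << i)]
    rules, remaining = [], set(want)
    for a in sorted(want):
        if a not in remaining:
            continue
        chosen = None
        for r in range(len(varying), -1, -1):        # most don't-care bits first
            for subset in combinations(varying, r):
                w = sum(subset)
                base = a & ~w & MASK32
                block = {to_int(x) for x in expand(to_str(base), to_str(w))}
                if block <= want:                     # block must contain only listed addresses
                    chosen = (base, w)
                    break
            if chosen:
                break
        base, w = chosen                              # r == 0 (a single host) always succeeds
        rules.append((to_str(base), to_str(w)))
        remaining -= {to_int(x) for x in expand(to_str(base), to_str(w))}
    return rules


def acl_lines(rules, number=1):
    """Render (base, wildcard) pairs as IOS standard access-list lines."""
    return [f"access-list {number} permit {b} {w}" for b, w in rules]


if __name__ == "__main__":
    base, wc = covering_wildcard(ADDRS)
    print(f"single mask: {base} {wc} also permits {overmatched(ADDRS)}")
    print("\n".join(acl_lines(exact_rules(ADDRS))))
```

Run it against a set of your own addresses and compare `overmatched()` with `exact_rules()`: the first tells you what a one-line "close enough" mask silently permits, the second gives you lines you can paste into the ACL and check the same way the tables above do.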