“there are 10 kinds of people, those who understand binary and those who don’t….”
In this post I will try to explain how to compute complex access-lists. Say we had the following ip-addresses and we needed to make an access-list for it with as little rules as possible that would only match the ip-addresses specified.
| 10.10.168.0 |
| 10.10.170.0 |
| 10.10.172.0 |
| 10.10.174.0 |
| 10.10.176.0 |
| 10.10.178.0 |
First let’s write the third octet out in binary :
| 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 | |
| 168 | 1 | 0 | 1 | 0 | 1 | 0 | 0 | 0 |
| 170 | 1 | 0 | 1 | 0 | 1 | 1 | 0 | 0 |
| 172 | 1 | 0 | 1 | 0 | 1 | 1 | 0 | 0 |
| 174 | 1 | 0 | 1 | 0 | 1 | 1 | 1 | 0 |
| 176 | 1 | 0 | 1 | 1 | 0 | 0 | 0 | 0 |
| 178 | 1 | 0 | 1 | 1 | 0 | 0 | 1 | 0 |
As you can see there are 4 bits of difference between these ip-addresses, the 16-bit, 8-bit, 4-bit and 2-bit are different. So a valid wildcard-mask for these ip-addresses would be 0.0.30.0 (16+8+4+2). The only problem when using this mask would be that some other ip-address would be allowed as well (2^4 = 16 ip-addresses).
All of these ip-addresses would be allowed :
| 10.10.160.0 |
| 10.10.162.0 |
| 10.10.164.0 |
| 10.10.166.0 |
| 10.10.168.0 |
| 10.10.170.0 |
| 10.10.172.0 |
| 10.10.174.0 |
| 10.10.176.0 |
| 10.10.178.0 |
| 10.10.180.0 |
| 10.10.182.0 |
| 10.10.184.0 |
| 10.10.186.0 |
| 10.10.188.0 |
| 10.10.190.0 |
Instead of using this wildcard mask we could also create an access-list with two lines, we would just cut the ip-range in two and make two wildcard masks :
| 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 | |
| 168 | 1 | 0 | 1 | 0 | 1 | 0 | 0 | 0 |
| 170 | 1 | 0 | 1 | 0 | 1 | 1 | 0 | 0 |
| 172 | 1 | 0 | 1 | 0 | 1 | 1 | 0 | 0 |
| 174 | 1 | 0 | 1 | 0 | 1 | 1 | 1 | 0 |
| 176 | 1 | 0 | 1 | 1 | 0 | 0 | 0 | 0 |
| 178 | 1 | 0 | 1 | 1 | 0 | 0 | 1 | 0 |
So for the ip-addresses 10.10.168.0, 10.10.170.0, 10.10.172.0 and 10.10.10174 only the 4-bit and the 2-bit field differ. This would make a wildcard of 0.0.6.0 (since 4 + 2 = 6).
And for ip-addresses 10.10.176.0 and 10.10.178.0 only the 2-bit field differs, so this would make a wildcard mask of 0.0.2.0
The access-list therefore would look like :
access-list 1 permit 10.10.168.0 0.0.6.0
access-list 1 permit 10.10.176.0 0.0.2.0
Buy:Aricept.Acomplia.Zocor.Female Pink Viagra.Nymphomax.Wellbutrin SR.Lipitor.Amoxicillin.Lasix.Ventolin.Lipothin.SleepWell.Prozac.Advair.Benicar.Female Cialis.Cozaar.Seroquel.Zetia.Buspar….
Buy:Synthroid.Lumigan.Valtrex.100% Pure Okinawan Coral Calcium.Actos.Prevacid.Prednisolone.Nexium.Accutane.Human Growth Hormone.Zyban.Arimidex.Petcam (Metacam) Oral Suspension.Mega Hoodia.Retin-A.Zovirax….