Dec
26

Access-list address and wildcard pair calculations are based
around the AND and XOR logic gates.

AND: The output is high only when both inputs A and B are high.

A AND B
______________
| A | B | out |
| 0 | 0 | 0 |
| 0 | 1 | 0 |
| 1 | 0 | 0 |
| 1 | 1 | 1 |
--------------

XOR: The output is high when either of inputs A or B is high, but not if
both A and B are high.

A XOR B
______________
| A | B | out |
| 0 | 0 | 0 |
| 0 | 1 | 1 |
| 1 | 0 | 1 |
| 1 | 1 | 0 |
--------------

To find the most specific address and wildcard pair that will
match two addresses, A and B, we use the gates AND and XOR. The address
we will check in the access-list is A AND B. The wildcard used to check
in this list will be A XOR B.

access-list 1 permit [address_to_check] [wildcard_used_to_check]

Take the following example:

We have two IP addresses, 10.20.30.40, and 40.30.20.10. How do we
create an access-list that is the most specific match for these two
addresses? First, write both addresses out in binary:

10.20.30.40 = 00001010.00010100.00011110.00101000
40.30.20.10 = 00101000.00011110.00010100.00001010

To find the address_to_check, take the logical AND of these addresses.

   00001010.00010100.00011110.00101000
&& 00101000.00011110.00010100.00001010
--------------------------------------
00001000.00010100.00010100.00001000

This is our address_to_check: 8.20.20.8

To find the matching wildcard_used_to_check, we take the logical XOR of
these addresses.

    00001010.00010100.00011110.00101000
XOR 00101000.00011110.00010100.00001010
---------------------------------------
00100010.00001010.00001010.00100010

This is our wildcard_used_to_check: 34.10.10.34

Therefore, the most specific match for both 10.20.30.40 and 40.30.20.10
would be:

access-list 1 permit 8.20.20.8 34.10.10.34

Here's one more:

A = 1.2.3.4
B = 5.6.7.8

1.2.3.4 = 00000001.00000010.00000011.00000100
5.6.7.8 = 00000101.00000110.00000111.00001000

A && B = 00000001.00000010.00000011.00000000
A XOR B = 00000100.00000100.00000100.00001100

Therefore the access-list would read:

access-list 1 permit 1.2.3.0 4.4.4.12
Brian McGahan, CCIE #8593, CCDE #2013::13
About Brian McGahan, CCIE #8593, CCDE #2013::13

At the age of 20, Brian McGahan earned his first CCIE in Routing & Switching, and became known as the “youngest engineer in the world.” He continued on to earn CCIE certifications in Security, Service Provider, and Data Center. Brian has developed and taught for INE since 2002, setting the bar for CCIE training and helping thousands of engineers obtain their own certifications--we’re proud to have such an accomplished and driven instructor on the INE team. When he is not developing new products for INE, he consults with large ISPs and enterprise customers. You may contact Brian McGahan at bmcgahan@ine.com or find him helping others in INE’s IEOC Community Forum.

Subscribe to INE Blog Updates

New Blog Posts!