    26 December 07

    How do I compute complex wildcard masks for access-lists?

    Posted by Brian McGahan

    Access-list address and wildcard pair calculations are based
    around the AND and XOR logic gates.

    AND: The output is high only when both inputs A and B are high.

    A AND B
    ---------------
    | A | B | out |
    | 0 | 0 |  0  |
    | 0 | 1 |  0  |
    | 1 | 0 |  0  |
    | 1 | 1 |  1  |
    ---------------

    XOR: The output is high when either of inputs A or B is high, but not if
    both A and B are high.

    A XOR B
    ---------------
    | A | B | out |
    | 0 | 0 |  0  |
    | 0 | 1 |  1  |
    | 1 | 0 |  1  |
    | 1 | 1 |  0  |
    ---------------

    To find the most specific address and wildcard pair that will
    match two addresses, A and B, we use the gates AND and XOR. The address
    we will check in the access-list is A AND B. The wildcard used to check
    in this list will be A XOR B.

    access-list 1 permit [address_to_check] [wildcard_used_to_check]
    

    Take the following example:

    We have two IP addresses, 10.20.30.40, and 40.30.20.10. How do we
    create an access-list that is the most specific match for these two
    addresses? First, write both addresses out in binary:

    10.20.30.40 = 00001010.00010100.00011110.00101000
    40.30.20.10 = 00101000.00011110.00010100.00001010

    To find the address_to_check, take the logical AND of these addresses.

       00001010.00010100.00011110.00101000
    && 00101000.00011110.00010100.00001010
    --------------------------------------
       00001000.00010100.00010100.00001000

    This is our address_to_check: 8.20.20.8

    To find the matching wildcard_used_to_check, we take the logical XOR of
    these addresses.

        00001010.00010100.00011110.00101000
    XOR 00101000.00011110.00010100.00001010
    ---------------------------------------
        00100010.00001010.00001010.00100010

    This is our wildcard_used_to_check: 34.10.10.34

    Therefore, the most specific match for both 10.20.30.40 and 40.30.20.10
    would be:

    access-list 1 permit 8.20.20.8 34.10.10.34

    Here's one more:

    A = 1.2.3.4
    B = 5.6.7.8

    1.2.3.4 = 00000001.00000010.00000011.00000100
    5.6.7.8 = 00000101.00000110.00000111.00001000

    A && B = 00000001.00000010.00000011.00000000
    A XOR B = 00000100.00000100.00000100.00001100

    Therefore the access-list would read:

    access-list 1 permit 1.2.3.0 4.4.4.12
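
The AND/XOR calculation above as a runnable check, added here as an example and not part of the original post. The helper names are hypothetical; it generalizes to more than two addresses and also counts and lists every address the resulting entry matches, since each 1 bit in the wildcard doubles the matched set.

```python
import ipaddress
from functools import reduce

def to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def to_str(n):
    return str(ipaddress.IPv4Address(n))

def acl_pair(*addresses):
    """Tightest single address/wildcard pair that covers every input."""
    ints = [to_int(a) for a in addresses]
    common = reduce(lambda x, y: x & y, ints)   # A AND B (AND ...)
    union = reduce(lambda x, y: x | y, ints)
    wildcard = common ^ union                   # equals A XOR B for two inputs
    return to_str(common), to_str(wildcard)

def matches(ip, address, wildcard):
    """IOS-style test: wildcard bits set to 1 are ignored in the comparison."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(ip) & care) == (to_int(address) & care)

def matched_count(wildcard):
    """Each wildcard bit doubles the number of addresses the entry matches."""
    return 2 ** bin(to_int(wildcard)).count("1")

def matched_addresses(address, wildcard):
    """List every matched address; use only when matched_count is small."""
    wc = to_int(wildcard)
    fixed = to_int(address) & ~wc
    free = [1 << i for i in range(32) if wc >> i & 1]
    found = []
    for combo in range(2 ** len(free)):
        value = fixed
        for j, bit in enumerate(free):
            if combo >> j & 1:
                value |= bit
        found.append(to_str(value))
    return found

if __name__ == "__main__":
    # The two worked examples from the post.
    for pair in (("10.20.30.40", "40.30.20.10"), ("1.2.3.4", "5.6.7.8")):
        address, wildcard = acl_pair(*pair)
        print(f"access-list 1 permit {address} {wildcard}"
              f"  # matches {matched_count(wildcard)} addresses")
    print(matched_addresses("1.2.3.0", "4.4.4.12"))
```

For the post's examples the entries match 256 and 32 addresses respectively, not just the two inputs, so review the enumerated set before using such a pair in a permit statement.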
