## ACL Maths

Today I thought, it would be nice to show the people out there, how an ACL can be computed to fit specific requirements.

Cisco explains quite good how to use ACLs:

But do you know how to calculate an access-list which matches 10.20.30.40 and 40.30.20.10?

You should know that an access-list obeys to the quite simple mathemtical AND/OR and XOR world. The result will either match or will not match – so you can either permit or deny traffic.

Access-lists and wildcard masks are based on the AND and XOR logic. To remember:

 A B Output 0 0 0 0 1 0 1 0 0 1 1 1

With the AND Logic the result is 1 only when A and B are equal to 1.

A little bit different is when using the XOR logic: the result is 1 when A is different from B.

 A B Output 0 0 0 0 1 1 1 0 1 1 1 0

So, to get the specific information we need:

• A AND B gives us the address base / address to check
• A XOR B gives us the wildcard mask
`access-list 1 permit [address_to_check] [wildcard_used_to_check]`

#### Example: Match 10.20.30.40 and 40.30.20.10

Lets try to find an ACL to match 10.20.3.40 and 40.30.20.10.
To do so, we have first to convert this ip address into binary:

```10.20.30.40 = 00001010.00010100.00011110.00101000
40.30.20.10 = 00101000.00011110.00010100.00001010```

To get the address to check we use the AND logic:

```    00001010.00010100.00011110.00101000
AND 00101000.00011110.00010100.00001010
---------------------------------------
00001000.00010100.00010100.00001000 =  8.20.20.8```

To get the wildcard mask we use the XOR logic:

```    00001010.00010100.00011110.00101000
XOR 00101000.00011110.00010100.00001010
---------------------------------------
00100010.00001010.00001010.00100010 = 34.10.10.34```

Which results in:

`access-list 1 permit 8.20.20.8 34.10.10.34`

Easy, isn’t it?

#### Example: Match 172.30.16.0 thru 172.30.31.0

The next example is a little bit different. It should match a range of possible addresses. I just keep an eye on the 3rd octet.
First thing is again: convert it to binary:

```16 = 0001 0000
17 = 0001 0001
18 = 0001 0010
..
31 = 0001 1111
--------------
^^^^
Notice: This is, where changes happen```

The important sentence for this task is to remember: “0 means the bit which cares me, 1 does not care”. Meaning that everywhere, where a 1 is set, I dont care wheater the value is changing or not. Where 0 means that this has to stay at is is.

In this example the first 4 bits have to stay as they are, so we place 0000. The last bits may change -> 1111.

To explain this in math: Apply AND on all those numbers to get the base:

```    0001 0000 (16)
AND 0001 1111 (31)
-------------
0001 0000 = 16```

And apply XOR to get the wildcard mask:

```    0001 0000 (16)
XOR 0001 1111 (31)
-------------
0000 1111 = 15```

By using this logic you end up with the access-list:

`access-list 1 permit 172.30.16.0 0.0.15.0`

#### Match all even numbers in the 3rd octet of 200.0.0.0

This question is really a classic example which will come at any CCIE exam.
Again we start converting some random number of addresses to binary:

```200.0.0.0 = 11001000.00000000.00000000.00000000
200.0.1.0 = 11001000.00000000.00000001.00000000
200.0.2.0 = 11001000.00000000.00000010.00000000
200.0.9.0 = 11001000.00000000.00001001.00000000
^
This last bit is changing all the time.```

Since that last bit in the 3rd octet is changing all the time, we don’t care (=1) it. So the 3rd octet wildcard will be: 0000 0001 which gives us following access-list:

`access-list 1 permit 200.0.0.0 0.0.1.0`

Match all odd numbers in the second octet of 200.0.0.0

We again write some random values of the 2nd octet into binary:

```200.0.0.0 = 11001000.00000000.00000000.00000000
200.0.1.0 = 11001000.00000001.00000000.00000000
200.0.2.0 = 11001000.00000010.00000000.00000000
200.0.9.0 = 11001000.00001001.00000000.00000000
^^^^^^^
Changing bit for even/odd gets -> 1
The Last bit we care -> 0```

Then we notice that the last bit is always zero. Since we care that this bit remains (=0) the rest may change (=1). This gives us the binary 1111 1110. At the end we’ve got:

`access-list 1 permit 200.0.0.0 0.254.0.0`

#### One last word: summary routes

If you’re asked to create a summary-route for some specific subnets: this is not different than calculating a range of ip addresses. But you can shorten this up.

Lets assume you need to create summary of following networks including ONLY those networks:

10.10.31.0/24
10.10.32.0/24
10.10.33.0/24
10.10.34.0/24
10.10.35.0/24
10.10.36.0/24
10.10.37.0/24

First thing you change this into binary:

```0001 1111 (31)
0010 0000 (32)
0010 0001 (33)
0010 0010 (34)
0010 0011 (35)
0010 0100 (36)
0010 0101 (37)```

We notice that 31 is stepping out of the line.  We will see that the last 3 bits are interesting to us. But, if we put the last 3 bits into ‘dont-care-modus’ (setting to 1) we will also include 0110 (38) and 0111 (39) which is not allowed. So we break at the end this into 3 parts:

```0001 1111 (31) -> 10.10.31.0 0.0.0.255

0010 0000 (32)
0010 0001 (33)
0010 0010 (34)
0010 0011 (35)
--------------
0000 0011 (3)  -> 10.10.32.0 0.0.3.255

0010 0100 (36)
0010 0101 (37)
--------------
0000 0001 (1)  -> 10.10.36.0 0.0.1.255```
Categories: