Steven's Technical Blog

Today I thought, it would be nice to show the people out there, how an ACL can be computed to fit specific requirements.

Cisco explains quite good how to use ACLs:

• Configuring IP Access Lists
• Configuring Commonly Used IP ACLs (needs CCO login)

But do you know how to calculate an access-list which matches 10.20.30.40 and 40.30.20.10?

You should know that an access-list obeys to the quite simple mathemtical AND/OR and XOR world. The result will either match or will not match – so you can either permit or deny traffic.

Access-lists and wildcard masks are based on the AND and XOR logic. To remember:

With the AND Logic the result is 1 only when A and B are equal to 1.

A little bit different is when using the XOR logic: the result is 1 when A is different from B.

So, to get the specific information we need:

• A AND B gives us the address base / address to check
• A XOR B gives us the wildcard mask

access-list 1 permit [address_to_check] [wildcard_used_to_check]

Example: Match 10.20.30.40 and 40.30.20.10

Lets try to find an ACL to match 10.20.3.40 and 40.30.20.10.
To do so, we have first to convert this ip address into binary:

10.20.30.40 = 00001010.00010100.00011110.00101000
40.30.20.10 = 00101000.00011110.00010100.00001010

To get the address to check we use the AND logic:

    00001010.00010100.00011110.00101000
AND 00101000.00011110.00010100.00001010
---------------------------------------
    00001000.00010100.00010100.00001000 =  8.20.20.8

To get the wildcard mask we use the XOR logic:

    00001010.00010100.00011110.00101000
XOR 00101000.00011110.00010100.00001010
---------------------------------------
    00100010.00001010.00001010.00100010 = 34.10.10.34

Which results in:

access-list 1 permit 8.20.20.8 34.10.10.34

Easy, isn’t it?

Example: Match 172.30.16.0 thru 172.30.31.0

The next example is a little bit different. It should match a range of possible addresses. I just keep an eye on the 3rd octet.
First thing is again: convert it to binary:

16 = 0001 0000
17 = 0001 0001
18 = 0001 0010
..
31 = 0001 1111
--------------
          ^^^^
          Notice: This is, where changes happen

The important sentence for this task is to remember: “0 means the bit which cares me, 1 does not care”. Meaning that everywhere, where a 1 is set, I dont care wheater the value is changing or not. Where 0 means that this has to stay at is is.

In this example the first 4 bits have to stay as they are, so we place 0000. The last bits may change -> 1111.

To explain this in math: Apply AND on all those numbers to get the base:

    0001 0000 (16)
AND 0001 1111 (31)
-------------
    0001 0000 = 16

And apply XOR to get the wildcard mask:

    0001 0000 (16)
XOR 0001 1111 (31)
-------------
    0000 1111 = 15

By using this logic you end up with the access-list:

access-list 1 permit 172.30.16.0 0.0.15.0

Match all even numbers in the 3rd octet of 200.0.0.0

This question is really a classic example which will come at any CCIE exam.
Again we start converting some random number of addresses to binary:

200.0.0.0 = 11001000.00000000.00000000.00000000
200.0.1.0 = 11001000.00000000.00000001.00000000
200.0.2.0 = 11001000.00000000.00000010.00000000
200.0.9.0 = 11001000.00000000.00001001.00000000
                                     ^
                                     This last bit is changing all the time.

Since that last bit in the 3rd octet is changing all the time, we don’t care (=1) it. So the 3rd octet wildcard will be: 0000 0001 which gives us following access-list:

access-list 1 permit 200.0.0.0 0.0.1.0

Match all odd numbers in the second octet of 200.0.0.0

We again write some random values of the 2nd octet into binary:

200.0.0.0 = 11001000.00000000.00000000.00000000
200.0.1.0 = 11001000.00000001.00000000.00000000
200.0.2.0 = 11001000.00000010.00000000.00000000
200.0.9.0 = 11001000.00001001.00000000.00000000
                     ^^^^^^^
                     Changing bit for even/odd gets -> 1
                     The Last bit we care -> 0

Then we notice that the last bit is always zero. Since we care that this bit remains (=0) the rest may change (=1). This gives us the binary 1111 1110. At the end we’ve got:

access-list 1 permit 200.0.0.0 0.254.0.0

One last word: summary routes

If you’re asked to create a summary-route for some specific subnets: this is not different than calculating a range of ip addresses. But you can shorten this up.

Lets assume you need to create summary of following networks including ONLY those networks:

10.10.31.0/24
10.10.32.0/24
10.10.33.0/24
10.10.34.0/24
10.10.35.0/24
10.10.36.0/24
10.10.37.0/24

First thing you change this into binary:

0001 1111 (31)
0010 0000 (32)
0010 0001 (33)
0010 0010 (34)
0010 0011 (35)
0010 0100 (36)
0010 0101 (37)

We notice that 31 is stepping out of the line.  We will see that the last 3 bits are interesting to us. But, if we put the last 3 bits into ‘dont-care-modus’ (setting to 1) we will also include 0110 (38) and 0111 (39) which is not allowed. So we break at the end this into 3 parts:

0001 1111 (31) -> 10.10.31.0 0.0.0.255

0010 0000 (32)
0010 0001 (33)
0010 0010 (34)
0010 0011 (35)
--------------
0000 0011 (3)  -> 10.10.32.0 0.0.3.255

0010 0100 (36)
0010 0101 (37)
--------------
0000 0001 (1)  -> 10.10.36.0 0.0.1.255