Access-list address and wildcard pair calculations are based on the AND and XOR logic gates.
AND: The output is true only when both inputs A and B are true.
XOR: The output is true when either input A or input B is true, but not when both A and B are true.
To find the most specific address and wildcard pair that will match two addresses, A and B, we use the AND and XOR gates. The address in the access-list entry is A AND B, and the wildcard in that entry is A XOR B. Syntax is as follows:
Create an access-list in one line that matches the two IP addresses 10.20.30.40 and 40.30.20.10. This access-list should be as efficient as possible. Do not worry about overlapping address space.
How do we create an access-list that is the most specific match for these two addresses? First, write both addresses out in binary:
Next, to find the address, take the logical AND of these addresses.
The result is our address: 8.20.20.8
Next, to find the matching wildcard, take the logical XOR of these addresses.
The result is our wildcard: 34.10.10.34
Therefore, the most specific match for both 10.20.30.40 and 40.30.20.10 is:
access-list 1 permit 8.20.20.8 34.10.10.34
The following networks are being learned through a dynamic routing protocol:
10.0.0.0/16
10.4.0.0/16
10.32.0.0/16
10.36.0.0/16
Create an access-list to apply as a distribute-list. In one line, this access-list should permit these four prefixes, and deny everything else. Do not permit any other networks.
First, write all addresses out in binary:
Next, to find the address, take the logical AND of these addresses.
The result is our address: 10.0.0.0
Next, to find the matching wildcard, take the logical XOR of these addresses.
The result is our wildcard: 0.36.0.0
Therefore, in order to match the above networks in a single line, the access-list would read:
access-list 1 permit 10.0.0.0 0.36.0.0
The number of bits set in the wildcard mask determines the number of addresses the access-list will match: n set bits match 2^n addresses.
In the first case, the number of bits set in the wildcard mask is 8. 8 bits set result in 256 combinations (2^8 = 256). It is evident that there is much overlap in this address space. However, the resulting access-list is the most specific match possible in one line.
In the second case, 2 bits are set in the wildcard mask, the 32 bit and the 4 bit. 2 bits set result in 4 combinations (2^2 = 4). In this case, these four combinations are exactly the four networks in question.
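The calculation above as an added Python example (not part of the original article; the function names are this example's own). It goes beyond the two-address case: for more than two addresses it marks as wildcard every bit on which the inputs disagree (OR of all inputs XOR AND of all inputs), which equals A XOR B for two inputs, and it lists what the resulting entry matches beyond the addresses that were asked for.

```python
from functools import reduce
from ipaddress import IPv4Address
from operator import and_, or_


def acl_pair(addresses):
    """Return (address, wildcard) for the tightest one-line match."""
    values = [int(IPv4Address(a)) for a in addresses]
    all_and = reduce(and_, values)  # bits set in every input
    all_or = reduce(or_, values)    # bits set in at least one input
    # A bit is "don't care" when the inputs disagree on it. With two inputs
    # that is A XOR B; with more, a chained XOR would cancel out
    # (0 ^ 4 ^ 32 ^ 36 == 0), so take OR-of-all XOR AND-of-all.
    wildcard = all_or ^ all_and
    return str(IPv4Address(all_and)), str(IPv4Address(wildcard))


def matches(address, wildcard, candidate):
    """True if candidate equals address on every bit the wildcard leaves 0."""
    a, w, c = (int(IPv4Address(x)) for x in (address, wildcard, candidate))
    return ((a ^ c) & ~w & 0xFFFFFFFF) == 0


def expand(address, wildcard):
    """List every address the pair matches (2**n for n wildcard bits)."""
    a, w = int(IPv4Address(address)), int(IPv4Address(wildcard))
    bits = [1 << i for i in range(32) if (w >> i) & 1]
    out = []
    for combo in range(1 << len(bits)):
        value = a & ~w  # start from the fixed bits only
        for pos, bit in enumerate(bits):
            if (combo >> pos) & 1:
                value |= bit
        out.append(str(IPv4Address(value)))
    return out


def unintended(addresses):
    """Addresses the one-line entry matches beyond those requested."""
    addr, wild = acl_pair(addresses)
    return sorted(set(expand(addr, wild)) - set(addresses))


if __name__ == "__main__":
    for wanted in (["10.20.30.40", "40.30.20.10"],
                   ["10.0.0.0", "10.4.0.0", "10.32.0.0", "10.36.0.0"]):
        addr, wild = acl_pair(wanted)
        print(f"access-list 1 permit {addr} {wild}"
              f"  -> {len(unintended(wanted))} unintended addresses matched")
```

Running `unintended()` before applying a one-line permit shows how much extra address space the entry lets through; in the first case that is 254 addresses, in the second none.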
© 2003 Internetwork Expert, Inc.