
Creating wildcard masks for ACLs...

Paunchy

Hey all... I'm trying to get my brain around wildcard masking for ACLs and I'm having some trouble... I've gone through a few examples and I understand about half of them, so I'm apparently missing some part of the puzzle... if anyone has time to work out an example based on the information I provided (with some sort of detail), I'd greatly appreciate it...

Say you want to create an ACL to filter traffic from subnet 172.12.45.0 - 172.12.100.0. What would the wildcard mask look like, and how do you do the math to create it? I understand from simpler examples that you find a common bit pattern in whatever octet(s) you're filtering, but I can't reproduce the wildcard mask every time.

This is what I understand:

45 = 00101101
100 = 01100100

So is the wildcard mask 0.0.178.255 OR 0.0.128.255 OR am I completely wrong?

Once again, any help would be appreciated... thanks in advance...

--Paunchy
 
Wildcard masks only work if the start and end addresses are whatever power of two is associated with the mask. That is to say, you can easily create a mask for .128 to .191:

128 = 10000000
191 = 10111111

So clearly, if you create a mask that says the first two bits are the same and the last six bits are wildcarded, you're in good shape.

In order to do arbitrary ranges, you will have to have multiple rules with multiple masks.

Here's a tool that will compute it for you:

http://www.csc.fi/english/funet/calc/laskin2.html

For your range, it says you need: (I'm just copying the rightmost column, which is in CIDR notation):
172.12.45.0/24
172.12.46.0/23
172.12.48.0/20
172.12.64.0/19
172.12.96.0/22
172.12.100.0/32

This is a lot uglier than what I think you were hoping to find, but it still beats listing every subnet out.
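As an added worked example (not part of the thread, and not the calculator's code): the Python below reproduces the tool's answer with the rule the reply describes, i.e. repeatedly take the largest power-of-two block that starts at the current address, is aligned to its own size, and does not overshoot the end of the range. It then derives the wildcard mask for each block (a /p prefix has 32-p don't-care bits, so the wildcard is 2^(32-p) - 1), emits Cisco-style ACL entries (the ACL number 101 and the `permit ... any` form are assumptions for illustration, not something the thread specifies), and finally shows which third-octet values the two masks from the original question, 0.0.178.255 and 0.0.128.255, would actually match. The range 172.12.45.0 - 172.12.100.0 is the one from the question.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Split an inclusive IPv4 range into the minimal list of aligned CIDR blocks.

    Greedy rule: at the current address take the largest block size that both
    divides the address (alignment) and fits inside the remaining range.
    """
    cur = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if cur > end:
        raise ValueError("first address must not be above last")
    blocks = []
    while cur <= end:
        # Largest power of two dividing cur; address 0 is aligned to everything.
        size = (cur & -cur) if cur else (1 << 32)
        # Halve the block until it no longer overshoots the end of the range.
        while cur + size - 1 > end:
            size >>= 1
        prefix = 33 - size.bit_length()          # size == 2**(32 - prefix)
        blocks.append(ipaddress.IPv4Network((cur, prefix)))
        cur += size
    return blocks


def wildcard_mask(prefix):
    """Wildcard (inverse) mask for a prefix length.

    0 bits must match the address exactly, 1 bits are don't-care.
    """
    return str(ipaddress.IPv4Address((1 << (32 - prefix)) - 1))


def acl_entries(first, last, acl_number=101, action="permit"):
    """Cisco-style extended ACL lines covering the range (number/form assumed)."""
    return [
        f"access-list {acl_number} {action} ip "
        f"{net.network_address} {wildcard_mask(net.prefixlen)} any"
        for net in range_to_cidrs(first, last)
    ]


def entry_matches(addr, base, wildcard):
    """True if an ACL entry 'base wildcard' matches addr.

    Only the bits where the wildcard is 0 are compared.
    """
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


def matched_third_octets(base_octet, wildcard_octet):
    """All third-octet values a single entry with this octet pair would match."""
    return sorted(v for v in range(256)
                  if (v ^ base_octet) & ~wildcard_octet & 0xFF == 0)


if __name__ == "__main__":
    first, last = "172.12.45.0", "172.12.100.0"      # range from the question
    for line in acl_entries(first, last):
        print(line)
    # What the two guessed masks really cover in the third octet:
    print("45 / 128 matches:", matched_third_octets(45, 128))
    print("45 / 178 matches:", matched_third_octets(45, 178))
```

Running it prints six `access-list` lines, one per block in the reply's list (0.0.0.255 for the /24, 0.0.1.255 for the /23, 0.0.15.255 for the /20, 0.0.31.255 for the /19, 0.0.3.255 for the /22, and 0.0.0.0 for the single host). The last two lines show why a single wildcard cannot express 45 through 100: a wildcard only frees individual bits, so 0.0.128.255 matches third octets 45 and 173, and 0.0.178.255 matches sixteen scattered values between 13 and 191, neither of which is a contiguous range.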