(Answer) (Category) Cisco CCIE Certification and CCNP Certification FAQs:
How do I compute an access-list with the minimum number of lines?
From: "Brian McGahan"
Date: Mon, 28 Oct 2002 19:27:27 -0600
Access-list address and wildcard pair calculations are based around the AND and XOR logic gates.
AND: The output is high only when both inputs A and B are high.
 A AND B
 _____________
 | A | B | out |
 | 0 | 0 |  0  |
 | 0 | 1 |  0  |
 | 1 | 0 |  0  |
 | 1 | 1 |  1  |
  -------------

XOR: The output is high when either of inputs A or B is high, but not if both A and B are high.

 A XOR B
 _____________
 | A | B | out |
 | 0 | 0 |  0  |
 | 0 | 1 |  1  |
 | 1 | 0 |  1  |
 | 1 | 1 |  0  |
  -------------
To find the most specific address and wildcard pair that will match two addresses, A and B, we use the gates AND and XOR. The address we will check in the access-list is A AND B. The wildcard used to check in this list will be A XOR B.
 access-list 1 permit [address_to_check] [wildcard_used_to_check]
Take the following example:
We have two IP addresses, 10.20.30.40, and 40.30.20.10. How do we create an access-list that is the most specific match for these two addresses? First, write both addresses out in binary:
 10.20.30.40 = 00001010.00010100.00011110.00101000
 40.30.20.10 = 00101000.00011110.00010100.00001010
To find the address_to_check, take the logical AND of these addresses.
    00001010.00010100.00011110.00101000
 && 00101000.00011110.00010100.00001010
 --------------------------------------
    00001000.00010100.00010100.00001000 
This is our address_to_check: 8.20.20.8
To find the matching wildcard_used_to_check, we take the logical XOR of these addresses.
     00001010.00010100.00011110.00101000
 XOR 00101000.00011110.00010100.00001010
 ---------------------------------------
     00100010.00001010.00001010.00100010
This is our wildcard_used_to_check: 34.10.10.34
Therefore, the most specific match for both 10.20.30.40 and 40.30.20.10 would be:
 access-list 1 permit 8.20.20.8 34.10.10.34

Here's one more:

 A = 1.2.3.4
 B = 5.6.7.8
1.2.3.4 = 00000001.00000010.00000011.00000100
5.6.7.8 = 00000101.00000110.00000111.00001000
A && B = 00000001.00000010.00000011.00000000
A XOR B = 00000100.00000100.00000100.00001100
Therefore the access-list would read:
 access-list 1 permit 1.2.3.0 4.4.4.12

HTH
Brian McGahan, CCIE #8593
Director of Design and Implementation
CyscoExpert Corporation
Internetwork Consulting & Training
Voice: 847.674.3392
Fax: 847.674.2625
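The AND/XOR rule above, carried out in code. This is an added example, not part of Brian's answer or any Cisco tool; the host addresses are the FAQ's own, and the function names (acl_pair, matches, matched_addresses, unintended) are mine. Besides computing the address/wildcard pair, it generalizes the method to any number of hosts (address = AND of all, wildcard = OR of all XOR AND of all, which reduces to A AND B / A XOR B for two hosts) and enumerates every address the resulting single line actually permits, since a "most specific" one-line summary of two hosts matches 2^(number of wildcard 1-bits) addresses, not just the two you started with.

```python
"""Added example (not from the original FAQ answer): compute a Cisco standard
access-list address/wildcard pair for a set of hosts with the AND/XOR method,
then enumerate what that one line really matches. Addresses are the FAQ's own
examples; the helper names are assumptions of this example."""
import ipaddress
from itertools import product


def to_int(addr):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def to_str(n):
    """32-bit integer -> dotted-quad IPv4 string."""
    return str(ipaddress.IPv4Address(n))


def binary(addr):
    """Render an address as dotted 8-bit groups, like the FAQ's worked examples."""
    n = to_int(addr)
    return ".".join(f"{(n >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def acl_pair(addrs):
    """Most specific (address, wildcard) pair covering every address in addrs.

    address  = AND of all addresses (bits every host shares; 0 where they differ)
    wildcard = bits on which any two hosts differ = (OR of all) XOR (AND of all)
    For exactly two hosts this is the FAQ's A AND B / A XOR B.
    """
    ints = [to_int(a) for a in addrs]
    and_all, or_all = ints[0], ints[0]
    for n in ints[1:]:
        and_all &= n
        or_all |= n
    return to_str(and_all), to_str(or_all ^ and_all)


def matches(addr, address, wildcard):
    """IOS-style test: addr matches when it equals `address` on every bit the
    wildcard leaves as 0 (the 'care' bits); wildcard 1-bits are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(address) & care)


def matched_addresses(address, wildcard):
    """Every address the line permits: 2**popcount(wildcard) of them."""
    base = to_int(address)
    wc = to_int(wildcard)
    free_bits = [1 << i for i in range(32) if wc & (1 << i)]
    out = []
    for combo in product((0, 1), repeat=len(free_bits)):
        n = base
        for on, bit in zip(combo, free_bits):
            if on:
                n |= bit
        out.append(to_str(n))
    return out


def unintended(addrs):
    """Addresses the one-line summary permits that were not in addrs.
    Empty only when the hosts exactly fill the wildcard's bit combinations."""
    address, wildcard = acl_pair(addrs)
    wanted = set(addrs)
    return [a for a in matched_addresses(address, wildcard) if a not in wanted]


if __name__ == "__main__":
    for hosts in (["10.20.30.40", "40.30.20.10"], ["1.2.3.4", "5.6.7.8"]):
        for h in hosts:
            print(f"{h:>12} = {binary(h)}")
        address, wildcard = acl_pair(hosts)
        print(f"access-list 1 permit {address} {wildcard}")
        extra = unintended(hosts)
        print(f"  also matches {len(extra)} other addresses, e.g. {extra[:3]}\n")
```

For the FAQ's first pair the line `permit 8.20.20.8 34.10.10.34` has eight wildcard 1-bits, so it matches 256 addresses, 254 of which were never requested; the second pair's `permit 1.2.3.0 4.4.4.12` matches 32. Fewer lines is only a win when the addresses differ in few bits; for a permit statement, check `unintended()` before accepting the summary.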

A similar problem is trying to calculate an access-list that matches even/odd networks: (Xref) How do I compute an access-list to match even or odd networks?
For more detailed examples of computing access-lists and wildcard pairs visit http://www.internetworkexpert.com/resources/01700370.htm.
Brian McGahan, CCIE #8593 bmcgahan@internetworkexpert.com
Internetwork Expert, Inc. http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
This document is: http://ertw.com/cgi-bin/fom?file=44