Friday, July 18, 2014

Deriving ACL Wildcard Masks

The topic of ACL masks comes up when you're trying to put together firewall rules.  I'm going to show a semi-real-world example at the binary level.  There are plenty of shortcuts/tricks out there to do this, but I figure that if you understand the low-level method, you can understand the shortcuts.


I need to add a firewall rule to allow RTP from a service provider that operates servers in the subnet of (non-routable/RFC 1918 range for example purposes only).

Step 1:  Convert the CIDR notation to a subnet mask.

Rewriting into 8-bit quads yields:  10101100.00011100.00000000.00000000

The /14 indicates that the first 14 bits are used as the network prefix (the remaining 18 bits are the host bits).  Network bits highlighted below.


The subnet mask is obtained by setting each of those 14 bits to 1.  This yields:

11111111.11111100.00000000.00000000, or

Step 2:  Convert the subnet mask to an ACL wildcard mask.

Once the subnet mask is known, the ACL wildcard mask is obtained by inverting all 32 bits of the subnet mask (flip 0s to 1s and 1s to 0s).  This yields:

00000000.00000011.11111111.11111111, or

Step 3:  Construct the ACL entry.

In this example, RTP traffic will be sourced from the following UDP port range:  16384 - 32767.  I use a nonsensical host IP address ( as the destination, as an example.

router(config)#ip access-list extended rtpACL
router(config-ext-nacl)#10 permit udp range 16384 32767 host
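As an added worked example (not code from the original post), the three steps above in Python: derive the subnet and wildcard masks from the prefix length, render them as 8-bit quads, and then go one step further than the post by applying the matching rule an ACL uses with a wildcard and checking whether a wildcard is contiguous. The network address is taken from the binary string in Step 1; the addresses used for the match tests are constructed.

```python
import ipaddress


def dotted(value: int) -> str:
    """Render a 32-bit integer as a dotted-decimal IPv4 address."""
    return str(ipaddress.IPv4Address(value))


def prefix_to_masks(prefix_len: int) -> tuple[str, str]:
    """Step 1 and Step 2: return (subnet_mask, wildcard_mask) for a /prefix_len.

    The subnet mask sets the first prefix_len bits to 1; the ACL wildcard is
    the bitwise inverse of the subnet mask (a 1 bit means "don't care").
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    wildcard = subnet ^ 0xFFFFFFFF
    return dotted(subnet), dotted(wildcard)


def to_binary_octets(addr: str) -> str:
    """Write an address as four 8-bit groups, the way the steps above do."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(addr).packed)


def wildcard_matches(addr: str, network: str, wildcard: str) -> bool:
    """ACL match rule: every bit that is 0 in the wildcard must equal the
    corresponding bit of the configured network; 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (a & care) == (n & care)


def is_contiguous_wildcard(wildcard: str) -> bool:
    """True when all 1 bits sit at the low end, i.e. the wildcard is the inverse
    of a CIDR mask. Non-contiguous wildcards are legal but express no prefix."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (w & (w + 1)) == 0


# Constructed input: the /14 network written out in binary in Step 1.
NETWORK_BITS = "10101100.00011100.00000000.00000000"
NETWORK = dotted(int(NETWORK_BITS.replace(".", ""), 2))
PREFIX_LEN = 14

if __name__ == "__main__":
    subnet, wildcard = prefix_to_masks(PREFIX_LEN)
    print(f"network  {NETWORK:<15} {to_binary_octets(NETWORK)}")
    print(f"subnet   {subnet:<15} {to_binary_octets(subnet)}")
    print(f"wildcard {wildcard:<15} {to_binary_octets(wildcard)}")
```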