 




81
Calculating the mask for IP access control
The.IP.access.control.function.uses.a.standard.IP.address.and.a.net.mask.
notation.to.specify.both.single.locations.and.ranges.of.addresses..In.order.to.
use.this.function.correctly,.you.need.to.calculate.the.mask.so.that.it.accurately.
encompasses.the.required.address(es).
Single locations
Some.of.the.simplest.addresses.to.allow.or.deny.are.single.locations..In.this.case.
you.enter.the.required.IP.address.into.the.‘Network/Address’.field.and.simply.
enter.the.‘Mask’.as.255.255.255.255.(255 used throughout the mask means
that every bit of the address will be compared and so there can only be one
unique address to match the one stated in the ‘Network/Address’ field).
All locations
The.other.easy.setting.to.make.is.ALL.addresses,.using.the.mask.0.0.0.0..As.
standard,.the.IP.access.control.section.includes.the.entry:.+0.0.0.0/0.0.0.0
The.purpose.of.this.entry.is.to.include.all.IP.addresses..It.is.possible.to.similarly.
exclude.all.addresses,.however,.take.great.care.not.to.do.this.as.you.instantly.
render.all.network.access.void..There.is.a.recovery procedure.should.this.occur..
Address ranges
Although.you.can.define.ranges.of.addresses,.due.to.the.way.that.the.mask.
operates,.there.are.certain.restrictions.on.the.particular.ranges.that.can.be.set..
For.any.given.address.you.can.encompass.neighbouring.addresses.in.blocks.of.
either.2,.4,.8,.16,.32,.64,.128,.etc..and.these.must.fall.on.particular.boundaries..
For.instance,.if.you.wanted.to.define.the.local.address.range:.
192.168.142.67 to 192.168.142.93.
The.closest.single.block.to.cover.the.range.would.be.the.32.addresses.from:.
192.168.142.64 to 192.168.142.95..
The.mask.needed.to.accomplish.this.would.be:.255.255.255.224..
When.you.look.at.the.mask.in.binary,.the.picture.becomes.a.little.clearer..The.
above.mask.has.the.form:.11111111.11111111.11111111.11100000.
Ignoring.the.initial.three.octets,.the.final.six.zeroes.of.the.mask.would.ensure.
that.the.32.addresses.from..64.(01000000).to..95.(01011111).would.all.be.
treated.in.the.same.manner..See.Net masks - the binary explanation.for.
details........
When.defining.a.mask,.the.important.rule.to.remember.is:
There must be no ‘ones’ to the right of a ‘zero’..
For.instance,.(ignoring.the.first.three.octets).you.could.not.use.a.mask.that.had.
11100110 because.this.would.affect.intermittent.addresses.within.a.range.in.an.
impractical.manner..The.same.rule.applies.across.the.octets..For.example,.if.you.
have.zeroes.in.the.third.octet,.then.all.of.the.fourth.octet.must.be.zeroes..
The.permissible.mask.values.(for.all.octets).are.as.follows:.
Mask octet Binary Number of addresses encompassed
255 11111111 1 address
254 11111110.2 addresses.
252 11111100.4 addresses
248 11111000.8 addresses
240 11110000.16 addresses
224 11100000.32 addresses
192 11000000.64 addresses
128 10000000.128 addresses
0 00000000.256 addresses
If.the.access.control.range.that.you.need.to.define.is.not.possible.using.one.
address.and.one.mask,.then.you.could.break.it.down.into.two.or.more.entries..
Each.of.these.entries.could.then.use.smaller.ranges.(of.differing.sizes).that,.
when.combined.with.the.other.entries,.cover.the.range.that.you.require.
For.instance,.to.accurately.encompass.the.range.in.the.earlier.example:
192.168.142.67 to 192.168.142.93.
You.would.need.to.define.the.following.six.address.and.mask.combinations.in.
the.IP.access.control.section:
Network/address entry Mask entry
192.168.142.67 255.255.255.255 defines 1 address (.67)
192.168.142.68 255.255.255.252 defines 4 addresses (.68 to .71)
192.168.142.72 255.255.255.248 defines 8 addresses (.72 to .79)
192.168.142.80 255.255.255.248 defines 8 addresses (.80 to .87)
192.168.142.88 255.255.255.252 defines 4 addresses (.88 to .92)
192.168.142.93 255.255.255.255 defines 1 address (.93)