98
Calculating the mask for IP access control
The IP access control function uses a standard IP address and a net mask
notation to specify both single locations and ranges of addresses. In order to
use this function correctly, you need to calculate the mask so that it accurately
encompasses the required address(es).
Single locations
Some of the simplest addresses to allow or deny are single locations. In this case
you enter the required IP address into the ‘Network/Address’ field and simply
enter the ‘Mask’ as
255.255.255.255
(255 used throughout the mask means
that every bit of the address will be compared and so there can only be one
unique address to match the one stated in the ‘Network/Address’ field)
.
All locations
The other easy setting to make is ALL addresses, using the mask
0.0.0.0
As
standard, the IP access control section includes the entry:
+0.0.0.0/0.0.0.0
The purpose of this entry is to
include
all IP addresses. It is possible to similarly
exclude
all addresses, however, take great care not to do this as you instantly
render all network access void. There is a
recovery procedure
should this occur.
Address ranges
Although you can define ranges of addresses, due to the way that the mask
operates, there are certain restrictions on the particular ranges that can be set.
For any given address you can encompass neighbouring addresses in blocks of
either 2, 4, 8, 16, 32, 64, 128, etc. and these must fall on particular boundaries.
For instance, if you wanted to define the local address range:
192.168.142.67
to
192.168.142.93
The closest single block to cover the range would be the 32 addresses from:
192.168.142.64
to
192.168.142.95
.
The mask needed to accomplish this would be:
255.255.255.224
When you look at the mask in binary, the picture becomes a little clearer. The
above mask has the form:
11111111.11111111.11111111.
11100000
Ignoring the initial three octets, the final six zeroes of the mask would ensure
that the 32 addresses from .64 (01000000) to .95 (01011111) would all be
treated in the same manner. See
Net masks - the binary explanation
for
details.
When defining a mask, the important rule to remember is:
There must be no ‘ones’ to the right of a ‘zero’.
For instance, (ignoring the first three octets) you could not use a mask that had
11100110
because this would affect intermittent addresses within a range in an
impractical manner. The same rule applies across the octets. For example, if you
have zeroes in the third octet, then all of the fourth octet must be zeroes.
The permissible mask values (for all octets) are as follows:
Mask octet
Binary
Number of addresses encompassed
255
11111111
1 address
254
11111110
2 addresses
252
11111100
4 addresses
248
11111000
8 addresses
240
11110000
16 addresses
224
11100000
32 addresses
192
11000000
64 addresses
128
10000000
128 addresses
0
00000000
256 addresses
If the access control range that you need to define is not possible using one
address and one mask, then you could break it down into two or more entries.
Each of these entries could then use smaller ranges (of differing sizes) that,
when combined with the other entries, cover the range that you require.
For instance, to accurately encompass the range in the earlier example:
192.168.142.67
to
192.168.142.93
You would need to define the following six address and mask combinations in
the IP access control section:
Network/address entry Mask entry
192.168.142.67
255.255.255.255
defines 1 address (.67)
192.168.142.68
255.255.255.252
defines 4 addresses (.68 to .71)
192.168.142.72
255.255.255.248
defines 8 addresses (.72 to .79)
192.168.142.80
255.255.255.248
defines 8 addresses (.80 to .87)
192.168.142.88
255.255.255.252
defines 4 addresses (.88 to .92)
192.168.142.93
255.255.255.255
defines 1 address (.93)