Ultralink 2 installation and operations manual 23 – Rose Electronics UltraLink 2 User Manual

UltraLink 2 Installation and Operations Manual

23

Calculating the mask for IP access control
The IP access control function uses a standard IP address and a net mask notation to
specify both single locations and ranges of addresses. In order to use this function
correctly, you need to calculate the mask so that it accurately encompasses the required
IP address(es).
Single locations
Some of the simplest addresses to allow or deny are single locations. In this case you enter
the required IP address into the ‘Network/Address’ field and simply enter the ‘Mask’ as
255.255.255.255 (255 used throughout the mask means that every bit of the address will
be compared and so there can only be one unique address to match the one stated in the
‘Network/Address’ field).
All locations
The other easy setting to make is ALL addresses, using the mask 0.0.0.0 As standard, the
IP access control section includes the entry: +0.0.0.0/0.0.0.0 The purpose of this entry is to
include all IP addresses. It is possible to similarly exclude all addresses, however, take
great care not to do this as you instantly render all network access void. There is a
recovery procedure should this occur.
Address ranges
Although you can define ranges of addresses, due to the way that the mask operates, there
are certain restrictions on the particular ranges that can be set. For any given address you
can encompass neighboring addresses in blocks of either 2, 4, 8, 16, 32, 64, 128, etc. and
these must fall on particular boundaries. For instance, if you wanted to define the local
address range:
192.168.142.67 to 192.168.142.93
The closest single block to cover the range would be the 32 addresses from:
192.168.142.64 to 192.168.142.95.
The mask needed to accomplish this would be: 255.255.255.224
When you look at the mask in binary, the picture becomes a little clearer. The above mask
has the form: 11111111.11111111.11111111.

11100000

Ignoring the initial three octets, the final six zeroes of the mask would ensure that the 32
addresses from .64 (01000000) to .95 (01011111) would all be treated in the same manner.

When defining a mask, the important rule to remember is there must be no ‘ones’ to the
right of a ‘zero’.
For instance, (ignoring the first three octets) you could not use a mask that had

11100110

because this would affect intermittent addresses within a range in an impractical manner.
The same rule applies across the octets. For example, if you have zeroes in the third octet,
then all of the fourth octet must be zeroes.
The permissible mask values (for all octets) are as follows:
Mask octet

Binary

Number of addresses encompassed

255

11111111 1 address

254

11111110 2 addresses

252

11111100 4 addresses

248

11111000 8 addresses

240

11110000 16 addresses

224

11100000 32 addresses

192

11000000 64 addresses

128

10000000 128 addresses

0

00000000 256 addresses

If the access control range that you need to define is not possible using one address and
one mask, then you could break it down into two or more entries. Each of these entries
could then use smaller ranges (of differing sizes) that, when combined with the other
entries, cover the range that you require.
For instance, to accurately encompass the range in the earlier example:
192.168.142.67 to 192.168.142.93

You would need to define the following six address and mask combinations in the IP
access control section: