98Calculating the mask for IP access controlThe IP access control function uses a standard IP address and a net masknotation to specify both single locations and ranges of addresses. In order touse this function correctly, you need to calculate the mask so that it accuratelyencompasses the required address(es).Single locationsSome of the simplest addresses to allow or deny are single locations. In this caseyou enter the required IP address into the ‘Network/Address’ field and simplyenter the ‘Mask’ as 255.255.255.255 (255 used throughout the mask meansthat every bit of the address will be compared and so there can only be oneunique address to match the one stated in the ‘Network/Address’ field).All locationsThe other easy setting to make is ALL addresses, using the mask 0.0.0.0 Asstandard, the IP access control section includes the entry: +0.0.0.0/0.0.0.0The purpose of this entry is to include all IP addresses. It is possible to similarlyexclude all addresses, however, take great care not to do this as you instantlyrender all network access void. There is a recovery procedure should this occur.Address rangesAlthough you can define ranges of addresses, due to the way that the maskoperates, there are certain restrictions on the particular ranges that can be set.For any given address you can encompass neighbouring addresses in blocks ofeither 2, 4, 8, 16, 32, 64, 128, etc. and these must fall on particular boundaries.For instance, if you wanted to define the local address range:192.168.142.67 to 192.168.142.93The closest single block to cover the range would be the 32 addresses from:192.168.142.64 to 192.168.142.95.The mask needed to accomplish this would be: 255.255.255.224When you look at the mask in binary, the picture becomes a little clearer. Theabove mask has the form: 11111111.11111111.11111111.11100000Ignoring the initial three octets, the final six zeroes of the mask would ensurethat the 32 addresses from .64 (01000000) to .95 (01011111) would all betreated in the same manner. See Net masks - the binary explanation fordetails.When defining a mask, the important rule to remember is:There must be no ‘ones’ to the right of a ‘zero’.For instance, (ignoring the first three octets) you could not use a mask that had11100110 because this would affect intermittent addresses within a range in animpractical manner. The same rule applies across the octets. For example, if youhave zeroes in the third octet, then all of the fourth octet must be zeroes.The permissible mask values (for all octets) are as follows:Mask octet Binary Number of addresses encompassed255 11111111 1 address254 11111110 2 addresses252 11111100 4 addresses248 11111000 8 addresses240 11110000 16 addresses224 11100000 32 addresses192 11000000 64 addresses128 10000000 128 addresses0 00000000 256 addressesIf the access control range that you need to define is not possible using oneaddress and one mask, then you could break it down into two or more entries.Each of these entries could then use smaller ranges (of differing sizes) that,when combined with the other entries, cover the range that you require.For instance, to accurately encompass the range in the earlier example:192.168.142.67 to 192.168.142.93You would need to define the following six address and mask combinations inthe IP access control section:Network/address entry Mask entry192.168.142.67 255.255.255.255 defines 1 address (.67)192.168.142.68 255.255.255.252 defines 4 addresses (.68 to .71)192.168.142.72 255.255.255.248 defines 8 addresses (.72 to .79)192.168.142.80 255.255.255.248 defines 8 addresses (.80 to .87)192.168.142.88 255.255.255.252 defines 4 addresses (.88 to .92)192.168.142.93 255.255.255.255 defines 1 address (.93)