A company must use the IP/mask 220.127.116.11/13 to restrict all employees of certain departments from accessing the database. This mask, with a value not divisible by 8, includes many additional IP addresses beyond the 255 x 255 addresses represented by the zeros in segments three and four, because it also partially masks segment two.
The following masking analysis helps explain the effect of a partial segment mask on the content of the top level subnet address:
- AND the binary values of the subnet address with those of the mask:
10001101.11001110.00000000.00000000 (18.104.22.168) 11111111.11111000.00000000.00000000 (255.248.0.0 or /13) ________________________________ 10001101.11001000.00000000.00000000 (22.214.171.124)
- The result shows the first 13 digits in bold text to indicate that they must be present in any address allowed by the allow element. Note that the first 13 digits of the result match the first 13 digits of the original range. The remaining 19 digits appear in normal text to indicate that they can be either a zero or a 1 and still be part of the subnet.
- Expressing all 19 digits as 1, while retaining the first 13 digits as shown in bold, results in the largest possible address in this subnet, or 10001101.11001111.11111111.11111111 (126.96.36.199).
- The total range of addresses in subnet 188.8.131.52/13 includes all addresses from 184.108.40.206 through 220.127.116.11.
To apply partial segment masking to IP filters, see Example: Secondary Element Processing--Single Address Exception and Example: Secondary Element Processing-Carve Out Exception.