HP (Hewlett-Packard) W.14.03 Switch User Manual

IPv4 Access Control Lists (ACLs)
Planning an ACL Application
Thus, the bits set to 1 in a network mask define the part of an IPv4 address to use for the network number, and the bits set to 0 in the mask define the part of the address to use for the host number.

In an ACL, IPv4 addresses and masks provide criteria for determining whether to deny or permit a packet, or to pass it to the next ACE in the list. If there is a match, the configured deny or permit action occurs. If there is not a match, the packet is compared with the next ACE in the ACL. Thus, where a standard network mask defines how to identify the network and host numbers in an IPv4 address, the mask used with ACEs defines which bits in a packet’s SA or DA must match the corresponding bits in the SA or DA listed in an ACE, and which bits can be wildcards.
Rules for Defining a Match Between a Packet and an Access Control Entry (ACE)
For a given ACE, when the switch compares an IPv4 address and corresponding mask in the ACE to an IPv4 address carried in a packet:

A mask-bit setting of 0 (“off”) requires that the corresponding bits in the packet’s address and in the ACE’s address must be the same. Thus, if a bit in the ACE’s address is set to 1 (“on”), the same bit in the packet’s address must also be 1.

A mask-bit setting of 1 (“on”) means the corresponding bits in the packet’s address and in the ACE’s address do not have to be the same. Thus, if a bit in the ACE’s address is set to 1, the same bit in the packet’s address can be either 1 or 0 (“on” or “off”).

For an example, refer to “Example of How the Mask Bit Settings Define a Match” on page 9-31.

In any ACE, a mask of all ones means any IPv4 address is a match. Conversely, a mask of all zeros means the only match is an IPv4 address identical to the host address specified in the ACE.

Depending on your network, a single ACE that allows a match with more than one source or destination IPv4 address may allow a match with multiple subnets. For example, in a network with a prefix of 31.30.240 and a subnet mask of 255.255.240.0 (the leftmost 20 bits), applying an ACL mask of 0.0.31.255 causes the subnet mask and the
9-29
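The mask rules above, worked through in code. This is an added example and is not part of the HP manual or the switch firmware; it models the ACE comparison as described (mask bit 0 = bits must be equal, mask bit 1 = wildcard) and, for the 31.30.240 / 255.255.240.0 / 0.0.31.255 case, enumerates which 20-bit subnets such an ACE can match. The function names ace_matches and ace_covered_subnets are this example's own, and the handling of contiguous wildcard masks as a single CIDR block is an assumption made here for the enumeration, not something the manual states.

```python
import ipaddress


def ace_matches(ace_addr: str, ace_mask: str, packet_addr: str) -> bool:
    """Compare a packet address against an ACE (address, ACL mask).

    ACL mask semantics as described in the manual text:
      mask bit 0 -> the packet bit must equal the ACE address bit
      mask bit 1 -> wildcard, the packet bit may be 0 or 1
    A mask of all ones therefore matches any address; a mask of all
    zeros matches only the exact host address in the ACE.
    """
    a = int(ipaddress.IPv4Address(ace_addr))
    m = int(ipaddress.IPv4Address(ace_mask))
    p = int(ipaddress.IPv4Address(packet_addr))
    care = ~m & 0xFFFFFFFF  # positions where the mask bit is 0
    return (a & care) == (p & care)


def ace_covered_subnets(ace_addr: str, ace_mask: str, subnet_mask: str) -> list:
    """List the subnets (sized by subnet_mask) that an ACE can match.

    Assumption of this example: the ACL mask is contiguous (all wildcard
    bits at the low end, e.g. 0.0.31.255), so the set of matching
    addresses is one CIDR block.  A non-contiguous mask is rejected.
    """
    m = int(ipaddress.IPv4Address(ace_mask))
    wild_bits = m.bit_length()
    if m != (1 << wild_bits) - 1:
        raise ValueError("non-contiguous ACL mask: matches are not one CIDR block")
    ace_net = ipaddress.ip_network(f"{ace_addr}/{32 - wild_bits}", strict=False)
    subnet_prefix = ipaddress.ip_network(f"0.0.0.0/{subnet_mask}").prefixlen
    if subnet_prefix >= ace_net.prefixlen:
        # the ACE's address span is one or more whole subnets
        return [str(n) for n in ace_net.subnets(new_prefix=subnet_prefix)]
    # the ACE's address span lies inside a single subnet
    return [str(ace_net.supernet(new_prefix=subnet_prefix))]


if __name__ == "__main__":
    # Constructed sample packets for the ACE 31.30.240.0 with mask 0.0.31.255.
    for pkt in ("31.30.240.7", "31.30.230.5", "31.30.208.1"):
        print(pkt, "match" if ace_matches("31.30.240.0", "0.0.31.255", pkt) else "no match")
    # Which /20 subnets (subnet mask 255.255.240.0) can that ACE reach?
    print(ace_covered_subnets("31.30.240.0", "0.0.31.255", "255.255.240.0"))
```

Running the block shows that 31.30.230.5, which lies outside the 31.30.240.0/20 subnet, is still matched, because the ACL mask 0.0.31.255 leaves only the top three bits of the third octet as "must match" bits; the enumeration makes the same point by listing more than one /20 block for the ACE. Tightening the ACL mask to 0.0.15.255 confines the ACE to the one subnet.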