10-39
IPv4 Access Control Lists (ACLs)
Planning an ACL Application
Examples Allowing Multiple IPv4 Addresses. Table 10-3 provides examples of how to apply masks to meet various filtering requirements.
Table 10-3. Example of Using an IPv4 Address and Mask in an Access Control Entry

|    | Address in the ACE | Mask | Policy for a Match Between a Packet and the ACE | Allowed Addresses |
|----|--------------------|------|--------------------------------------------------|-------------------|
| A: | 10.38.252.195 | 0.0.0.255 | Exact match in first three octets only. | 10.38.252.<0-255> (See row A in Table 10-4, below.) |
| B: | 10.38.252.195 | 0.0.7.255 | Exact match in the first two octets and the leftmost five bits (248) of the third octet. | 10.38.<248-255>.<0-255> (In the third octet, only the rightmost three bits are wildcard bits. The leftmost five bits must be a match, and in the ACE, these bits are all set to 1. See row B in Table 10-4, below.) |
| C: | 10.38.252.195 | 0.0.0.0 | Exact match in all octets. | 10.38.252.195 (There are no wildcard bits in any of the octets. See row C in Table 10-4, below.) |
| D: | 10.38.252.195 | 0.15.255.255 | Exact match in the first octet and the leftmost four bits of the second octet. | 10.<32-47>.<0-255>.<0-255> (In the second octet, the rightmost four bits are wildcard bits. See row D in Table 10-4, below.) |

Table 10-4. Mask Effect on Selected Octets of the IPv4 Addresses in Table 10-3

| Addr | Octet | Mask | Octet Range | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
|------|-------|------|-------------|-----|----|----|----|---|---|---|---|
| A | 3 | 0 (all bits) | 252 | 1 | 1 | 1 | 1 | 1 | 1 | 0 | 0 |
| B | 3 | 7 (last 3 bits) | 248-255 | 1 | 1 | 1 | 1 | 1 | 0 or 1 | 0 or 1 | 0 or 1 |
| C | 4 | 0 (all bits) | 195 | 1 | 1 | 0 | 0 | 0 | 0 | 1 | 1 |
| D | 2 | 15 (last 4 bits) | 32-47 | 0 | 0 | 1 | 0 | 0 or 1 | 0 or 1 | 0 or 1 | 0 or 1 |

Shaded areas indicate bit settings that must be an exact match.

If there is a match between the policy in the ACE and the IPv4 address in a packet, then the packet is either permitted or denied, according to how the ACE is configured. If there is not a match, the next ACE in the ACL is then applied to the packet. The same operation applies to a destination IPv4 address (DA) used in an extended ACE. (Where an ACE includes both source and destination addresses, there is one address/ACL-mask pair for the source address, and another address/ACL-mask pair for the destination address. See “Configuring and Assigning an IPv4 ACL” on page 10-40.)
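The mask arithmetic behind Tables 10-3 and 10-4, together with the "try the next ACE" behavior described above, can be checked with the following added example. It is not part of the original manual or the switch software; the function names and the sample ACL are constructed for illustration.

```python
import ipaddress

def ace_matches(ace_addr, acl_mask, packet_addr):
    """True if packet_addr equals ace_addr in every bit where the ACL mask is 0."""
    a = int(ipaddress.IPv4Address(ace_addr))
    m = int(ipaddress.IPv4Address(acl_mask))
    p = int(ipaddress.IPv4Address(packet_addr))
    care = ~m & 0xFFFFFFFF  # mask bit 0 = must match, mask bit 1 = wildcard
    return (a & care) == (p & care)

def octet_ranges(ace_addr, acl_mask):
    """Per-octet (low, high) values an ACE allows, as in the Allowed Addresses column.

    Only meaningful as a range when the wildcard bits are the rightmost bits
    of each octet, which holds for all four rows of Table 10-3.
    """
    ranges = []
    for a, m in zip(ipaddress.IPv4Address(ace_addr).packed,
                    ipaddress.IPv4Address(acl_mask).packed):
        if m & (m + 1):  # wildcard bits are not a contiguous low-order run
            raise ValueError("wildcard bits in octet are not contiguous")
        low = a & ~m & 0xFF  # wildcard bits forced to 0
        ranges.append((low, low | m))  # wildcard bits forced to 1
    return ranges

def first_match(acl, packet_addr):
    """Apply ACEs in order; return the action of the first match, else None.

    acl is a list of (action, ace_addr, acl_mask) tuples (hypothetical format).
    """
    for action, addr, mask in acl:
        if ace_matches(addr, mask, packet_addr):
            return action
    return None

# Address/mask pairs from rows A-D of Table 10-3.
ROWS = {
    "A": ("10.38.252.195", "0.0.0.255"),
    "B": ("10.38.252.195", "0.0.7.255"),
    "C": ("10.38.252.195", "0.0.0.0"),
    "D": ("10.38.252.195", "0.15.255.255"),
}

# Constructed two-entry ACL: deny one host, then permit the rest of its row-A range.
SAMPLE_ACL = [("deny", *ROWS["C"]), ("permit", *ROWS["A"])]

if __name__ == "__main__":
    for row, (addr, mask) in ROWS.items():
        print(row, addr, mask, octet_ranges(addr, mask))
```

Because ACEs are applied in order, placing the broader row-A entry ahead of the row-C host entry in `SAMPLE_ACL` would cause the host entry never to be reached.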