Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches
Planning an ACL Application on a Series 3400cl or Series 6400cl Switch
Examples Allowing Multiple IP Addresses. Table 10-5 provides exam-
ples of how to apply masks to meet various filtering requirements.
Table 10-5. Example of Using an IP Address and Mask in an Access Control Entry
IP Address in the ACE Mask Policy for a Match Between a
Packet and the ACE
Allowed IP Addresses
A: 10.38.252.195 0.0.0.255 Exact match in first three
octets only.
10.38.252.< 0-255 >
(See row A in table 10-6, below.)
B: 10.38.252.195 0.0.7.255 Exact match in the first two
octets and the leftmost five bits
(248) of the third octet.
10.38.< 248-255 >.< 0-255 >
(In the third octet, only the rightmost three bits are
wildcard bits. The leftmost five bits must be a
match, and in the ACE, these bits are all set to 1. See
row B in table 10-6, below.)
C: 10.38.252.195 0.0.0.0 Exact match in all octets. 10.38.252.195
(There are no wildcard bits in any of the octets. See
row C in table 10-6, below.)
D: 10.38.252.195 0.15.255.255 Exact match in the first octet
and the leftmost four bits of the
second octet.
10.< 32-47 >.< 0-255 >.<0-255>
(In the second octet, the rightmost four bits are
wildcard bits. See row D in table
10-6, below.)
Table 10-6. Mask Effect on Selected Octets of the IP Addresses in Table 10-5
IP Octet Mask Octet 128 64 32 16 8 4 2
Addr Range
A 3 0
all bits
252
1 1 1 1 1 1 0 0
B 3 7
last 3 bits
248-255 1 1 1 1 1 0 or 1 0 or 1 0 or 1
C 4 0
all bits
195 1 1 0 0 0 0 1 1
D 2 15
last 4 bits
32-47
0 0 1 0 0 or 1 0 or 1 0 or 1 0 or 1
Shaded areas indicate bit settings that must be an exact match.
If there is a match between the policy in the ACE and the IP address in a packet,
then the packet is either permitted or denied, according to how the ACE is
configured. If there is not a match, the next ACE in the ACL is then applied to
the packet. The same operation applies to a destination IP address (DA) used
in an extended ACE. (Where an ACE includes both source and destination IP
addresses, there is one IP-address/ACL-mask pair for the source address, and
another IP-address/ACL-mask pair for the destination address. See
“Configur-
ing and Assigning an ACL” on page 10-35.)
CIDR Notation. For information on using CIDR notation to specify ACL
masks, refer to
“Using CIDR Notation To Enter the ACL Mask” on page 10-42.
10-34
1
To Next Page
Loading...
Need help?
General