10-37
IPv4 Access Control Lists (ACLs)
Planning an ACL Application
■ Every IPv4 address and mask pair (source or destination) used in an
ACE creates one of the following policies:
• Any IPv4 address fits the matching criteria. In this case, the
switch automatically enters the address and mask in the ACE. For
example:
access-list 1 deny any
produces this policy in an ACL listing:
Address         Mask
0.0.0.0         255.255.255.255
This policy states that every bit in every octet of a packet’s SA is a
wildcard, which covers any IPv4 address.
• One IPv4 address fits the matching criteria. In this case, you
provide the address and the switch provides the mask. For example:
access-list 1 permit host 10.28.100.15
produces this policy in an ACL listing:
Address         Mask
10.28.100.15    0.0.0.0
This policy states that every bit in every octet of a packet’s SA must
be the same as the corresponding bit in the SA defined in the ACE.
• A group of IPv4 addresses fits the matching criteria. In this case
you provide both the address and the mask. For example:
access-list 1 permit 10.28.32.1 0.0.0.31
Address         Mask
10.28.32.1      0.0.0.31
This policy states that:
– In the first three octets of a packet’s SA, every bit must be set the
same as the corresponding bit in the SA defined in the ACE.
– In the last octet of a packet’s SA, the first three bits must be the
same as in the ACE, but the last five bits are wildcards and can
be any value.
■ Unlike subnet masks, the wildcard bits in an ACL mask need not be
contiguous. For example, 0.0.7.31 is a valid ACL mask. However, a
subnet mask of 255.255.248.224 is not a valid subnet mask.
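The matching rule described above, as an added example (not code from the switch manual): a mask bit of 0 means the packet bit must equal the ACE bit, a mask bit of 1 is a wildcard. The ACL entries and the non-contiguous mask 0.0.7.31 are the ones from this page; the first-match-wins evaluation with a trailing deny is an assumption stated in the code.

```python
import ipaddress


def _u32(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(ace_addr: str, wildcard: str, packet_sa: str) -> bool:
    """True when every packet bit under a 0 bit of the wildcard mask equals
    the corresponding ACE bit; bits under a 1 bit are 'don't care'."""
    keep = (~_u32(wildcard)) & 0xFFFFFFFF   # bits that must match
    return (_u32(ace_addr) & keep) == (_u32(packet_sa) & keep)


def wildcard_to_subnet_mask(wildcard: str) -> str:
    """Bitwise inverse of an ACL wildcard mask (0.0.7.31 -> 255.255.248.224)."""
    return str(ipaddress.IPv4Address((~_u32(wildcard)) & 0xFFFFFFFF))


def is_contiguous_subnet_mask(mask: str) -> bool:
    """A subnet mask must be a run of 1 bits followed only by 0 bits.
    An ACL wildcard mask has no such restriction."""
    inverted = (~_u32(mask)) & 0xFFFFFFFF
    # For a contiguous mask the inverted value is 2^n - 1.
    return inverted & (inverted + 1) == 0


# Constructed ACL built from the three ACEs on this page, in order.
EXAMPLE_ACL = [
    ("permit", "10.28.100.15", "0.0.0.0"),       # permit host 10.28.100.15
    ("permit", "10.28.32.1", "0.0.0.31"),        # 10.28.32.0 - 10.28.32.31
    ("deny", "0.0.0.0", "255.255.255.255"),      # deny any
]


def evaluate_acl(acl, packet_sa: str) -> str:
    """First matching ACE decides. Assumption: a packet matching no ACE is
    denied, as most switch ACL implementations do."""
    for action, addr, wildcard in acl:
        if wildcard_match(addr, wildcard, packet_sa):
            return action
    return "deny"
```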