Access Control Lists (ACLs) for the Series 5300xl Switches 
Planning an ACL Application 
Rules for Defining a Match Between a Packet and an Access 
Control Entry (ACE) 
■  For a given ACE, when the switch compares an IP address and 
corresponding mask in the ACE to an IP address carried in a packet: 
•  A mask-bit setting of 0 (“off”) requires that the corresponding bit 
in the packet’s IP address and in the ACE’s IP address must be the 
same. That is, if a bit in the ACE’s IP address is set to 1 (“on”), the 
same bit in the packet’s IP address must also be 1. 
•  A mask-bit setting of 1 (“on”) means the corresponding bit in the 
packet’s IP address and in the ACE’s IP address do not have to be the 
same. That is, if a bit in the ACE’s IP address is set to 1, the same bit 
in the packet’s IP address can be either 1 or 0 (“on” or “off”). 
For an example, refer to “Example of How the Mask Bit Settings Define 
a Match” on page 9-23. 
■  In any ACE, a mask of all ones means any IP address is a match. 
Conversely, a mask of all zeros means the only match is an IP address 
identical to the host IP address specified in the ACL. 
■  Depending on your network, a single ACE that allows a match with 
more than one source or destination IP address may allow a match 
with multiple subnets. For example, in a network with a prefix of 
31.30.240 and a subnet mask of 255.255.240.0 (the leftmost 20 bits), 
applying an ACL mask of 0.0.31.255 causes the subnet mask and the 
ACL mask to overlap by one bit (the 16 bit of the third octet), which 
allows matches with hosts in two subnets: 31.30.224.0 and 31.30.240.0. 
Bit Position in the Third Octet of Subnet Mask 255.255.240.0 

                                               128   64   32     16     8    4    2    1 
Bit Values 
Subnet Mask Bits                                 1    1    1      1    n/a  n/a  n/a  n/a 
Mask Bit Settings Affecting                      0    0    0   1 or 0  n/a  n/a  n/a  n/a 
Subnet Addresses 
This ACL supernetting technique can help to reduce the number of ACLs 
you need. You can apply it to a multinetted VLAN and to multiple VLANs. 
However, ensure that you exclude subnets that do not belong in the policy. 
If this creates a problem for your network, you can eliminate the 
unwanted match by making the ACEs in your ACL as specific as possible, 
and using multiple ACEs carefully ordered to eliminate unwanted 
matches. 
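The following is an added example, not part of the manual: it implements the mask-bit match rule described above and then shows how the overlapping bit in the 31.30.240.0 / 0.0.31.255 case pulls a second /20 subnet into the match, and how a tighter ACL mask (0.0.15.255, assumed here as the corrected value) removes it.

```python
# Added example (not from the ProCurve manual): wildcard-mask ACE matching
# and a check for which subnets an ACE actually covers.
import ipaddress


def ace_matches(ace_ip: str, ace_mask: str, packet_ip: str) -> bool:
    """ACE rule: every address bit whose mask bit is 0 must be identical
    in the ACE and the packet; address bits under a mask bit of 1 are
    don't-care. A mask of all ones matches anything, all zeros only the
    exact host."""
    ace = int(ipaddress.IPv4Address(ace_ip))
    mask = int(ipaddress.IPv4Address(ace_mask))
    pkt = int(ipaddress.IPv4Address(packet_ip))
    care = ~mask & 0xFFFFFFFF            # bits the ACE insists on
    return (ace & care) == (pkt & care)


def subnets_matched(ace_ip: str, ace_mask: str, prefix_len: int) -> list[str]:
    """Every subnet of the given prefix length that holds at least one
    address the ACE matches. ACL mask 1-bits that fall inside the network
    portion (the overlap the text describes) double the result per bit."""
    ace = int(ipaddress.IPv4Address(ace_ip))
    mask = int(ipaddress.IPv4Address(ace_mask))
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    overlap = mask & subnet_mask          # wildcard bits in the network part
    overlap_bits = [1 << i for i in range(32) if (overlap >> i) & 1]
    base = ace & subnet_mask & ~overlap & 0xFFFFFFFF
    nets = set()
    for combo in range(1 << len(overlap_bits)):   # all settings of overlap
        value = base
        for i, bit in enumerate(overlap_bits):
            if (combo >> i) & 1:
                value |= bit
        nets.add(str(ipaddress.IPv4Network((value, prefix_len))))
    return sorted(nets)


if __name__ == "__main__":
    # The manual's case: mask 0.0.31.255 overlaps the /20 by one bit.
    print(subnets_matched("31.30.240.0", "0.0.31.255", 20))
    # A host in 31.30.224.0/20 (constructed sample) slips through ...
    print(ace_matches("31.30.240.0", "0.0.31.255", "31.30.230.7"))
    # ... but not with the more specific mask 0.0.15.255.
    print(ace_matches("31.30.240.0", "0.0.15.255", "31.30.230.7"))
```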
9-21