10-37
IPv4 Access Control Lists (ACLs)
Planning an ACL Application
■ Every IPv4 address and mask pair (source or destination) used in an ACE creates one of the following policies:

• Any IPv4 address fits the matching criteria. In this case, the switch automatically enters the address and mask in the ACE. For example:

access-list 1 deny any

produces this policy in an ACL listing:

Address       Mask
0.0.0.0       255.255.255.255

This policy states that every bit in every octet of a packet’s SA is a wildcard, which covers any IPv4 address.

• One IPv4 address fits the matching criteria. In this case, you provide the address and the switch provides the mask. For example:

access-list 1 permit host 10.28.100.15

produces this policy in an ACL listing:

Address       Mask
10.28.100.15  0.0.0.0

This policy states that every bit in every octet of a packet’s SA must be the same as the corresponding bit in the SA defined in the ACE.

• A group of IPv4 addresses fits the matching criteria. In this case you provide both the address and the mask. For example:

access-list 1 permit 10.28.32.1 0.0.0.31

produces this policy in an ACL listing:

Address       Mask
10.28.32.1    0.0.0.31

This policy states that:
– In the first three octets of a packet’s SA, every bit must be set the same as the corresponding bit in the SA defined in the ACE.
– In the last octet of a packet’s SA, the first three bits must be the same as in the ACE, but the last five bits are wildcards and can be any value.

■ Unlike subnet masks, the wildcard bits in an ACL mask need not be contiguous. For example, 0.0.7.31 is a valid ACL mask. However, its counterpart 255.255.248.224 is not a valid subnet mask, because the one bits of a subnet mask must be contiguous.
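The three policies above, expanded the way the switch lists them and then applied to a packet source address, as an added example that is not part of this manual (the switch's real ACL engine is not shown here). It assumes the standard "first match wins, no match is denied" evaluation order; the manual page above does not state the implicit deny, so treat that line as an assumption.

```python
import ipaddress


def ip_to_int(addr: str) -> int:
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def ace_policy(tokens: list[str]) -> tuple[str, str]:
    """Expand the address part of an ACE into the (address, mask) pair the
    switch lists: 'any' -> everything wildcarded, 'host A' -> exact match,
    'A M' -> address and wildcard mask exactly as typed."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255"
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0"
    return tokens[0], tokens[1]


def parse_ace(line: str) -> tuple[str, str, str]:
    """'access-list 1 permit 10.28.32.1 0.0.0.31'
    -> ('permit', '10.28.32.1', '0.0.0.31')"""
    parts = line.split()
    if parts[0] != "access-list":
        raise ValueError(f"not an ACE: {line!r}")
    action = parts[2]
    addr, mask = ace_policy(parts[3:])
    return action, addr, mask


def sa_matches(ace_addr: str, wildcard: str, packet_sa: str) -> bool:
    """A 1 bit in the wildcard mask is 'don't care'; a 0 bit must match the
    ACE address exactly. Non-contiguous masks such as 0.0.7.31 work too."""
    w = ip_to_int(wildcard)
    return (ip_to_int(ace_addr) & ~w) == (ip_to_int(packet_sa) & ~w)


def acl_decision(acl_lines: list[str], packet_sa: str) -> str:
    """Evaluate an ordered ACL against a packet SA: first matching ACE wins.
    Assumption (not stated on this page): no match falls through to deny."""
    for line in acl_lines:
        action, addr, mask = parse_ace(line)
        if sa_matches(addr, mask, packet_sa):
            return action
    return "deny"


def is_valid_subnet_mask(mask: str) -> bool:
    """Subnet masks must be a run of 1s followed by a run of 0s. Inverting the
    mask gives trailing 1s only when it is contiguous, so inv & (inv + 1) == 0."""
    inv = (~ip_to_int(mask)) & 0xFFFFFFFF
    return inv & (inv + 1) == 0
```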