Access Control Lists (ACLs) for the Series 5300xl Switches
Planning an ACL Application
How an ACE Uses a Mask To Screen Packets for
Matches
When the switch applies an ACL to inbound or outbound traffic in a VLAN,
each ACE in the ACL uses an IP address and ACL mask to enforce a selection
policy on the packets being screened. That is, the mask determines the range
of IP addresses (SA only or SA/DA) that constitute a match between the policy
and a packet being screened.
What Is the Difference Between Network (or Subnet) Masks
and the Masks Used with ACLs?
In common IP addressing, a network (or subnet) mask defines which part of
the IP address to use for the network number and which part to use for the
hosts on the network. For example:
IP Address Mask Network Address Host Address
18.38.252.195 255.255.255.0 first three octets The fourth octet.
18.38.252.195 255.255.248.0 first two octets and the left- The right most three bits of the
most five bits of the third octet third octet and all bits in the
fourth octet.
Thus, the bits set to 1 in a network mask define the part of an IP address to
use for the network number, and the bits set to 0 in the mask define the part
of the address to use for the host number.
In an ACL, IP addresses and masks provide the criteria for determining
whether to deny or permit a packet, or to pass it to the next ACE in the list. If
there is a match, the deny or permit action occurs. If there is not a match, the
packet is compared with the next ACE in the ACL. Thus, where a standard
network mask defines how to identify the network and host numbers in an IP
address, the mask used with ACEs defines which bits in a packet’s IP address
must match the corresponding bits in the IP address listed in an ACE, and
which bits can be wildcards.
9-20
To Next Page
Loading...
Need help?
General