User's Manual
6.7.6 Configuring ACL Masks
You can specify optional masks that control the order in which ACL rules are checked. The switch includes
two system default masks that pass/filter packets matching the permit/deny rules specified in an ingress
ACL. You can also configure up to seven user-defined masks for an ingress or egress ACL. A mask must be
bound exclusively to one of the basic ACL types (for example, Ingress IP ACL, Egress IP ACL, Ingress
MAC ACL or Egress MAC ACL), but a mask can be bound to up to four ACLs of the same type.
Follow these guidelines:
Up to seven entries can be assigned to an ACL mask.
Packets crossing a port are checked against all the rules in the ACL until a match is found. The order in which these packets are checked is determined by the mask, and not the order in which the ACL rules are entered.
Create the required ACLs and the ingress or egress masks before mapping an ACL to an interface.
You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule.
Use the ACL Mask Configuration page to edit the mask for the Ingress IP ACL, Egress IP ACL, Ingress MAC
ACL or Egress MAC ACL.
Configuring Switch Using the Web or CLI
Web
Click Security – ACL, Mask Configuration. Click Edit for one of the basic mask types to open the
configuration page.
CLI
This example creates an IP ingress mask, and then adds two rules. Each rule is checked in order of
precedence to look for a match in the ACL entries. The first entry matching a mask is applied to the inbound
packet.
Console(config)#access-list ip mask-precedence in
Console(config-ip-mask-acl)#mask host any
Console(config-ip-mask-acl)#mask 255.255.255.0 any
Console(config-ip-mask-acl)#
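The following Python sketch is an added example, not code from this manual or from the switch firmware. It models the precedence behaviour described above using the two source masks from the CLI example (the destination is "any" and is left out); the ACL rules, the addresses and the rule-to-mask association (a rule is checked under the mask entry whose bitmask equals its own) are assumptions made for illustration.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def evaluate(src, masks, rules):
    """Return the action of the first rule matched, walking masks in precedence order."""
    s = to_int(src)
    for mask in masks:                      # mask order decides, not rule entry order
        m = to_int(mask)
        for action, addr, bitmask in rules:
            # Assumption: a rule is checked under the mask entry equal to its own bitmask.
            if to_int(bitmask) == m and s & m == to_int(addr) & m:
                return action
    return "no-match"                       # what the switch does here is not modelled

def rules_without_mask(masks, rules):
    """Rules whose bitmask has no mask entry, so this model never checks them."""
    known = {to_int(m) for m in masks}
    return [r for r in rules if to_int(r[2]) not in known]

# Source masks from the CLI example: "mask host any", then "mask 255.255.255.0 any".
MASKS = ["255.255.255.255", "255.255.255.0"]

# Constructed ACL rules (action, source address, source bitmask), broad permit entered first.
RULES = [
    ("permit", "10.1.1.0", "255.255.255.0"),
    ("deny",   "10.1.1.1", "255.255.255.255"),
    ("deny",   "10.2.0.0", "255.255.0.0"),   # no mask entry covers this bitmask
]

if __name__ == "__main__":
    for src in ("10.1.1.1", "10.1.1.2", "10.2.3.4"):
        print(src, evaluate(src, MASKS, RULES))
    print("reversed masks:", evaluate("10.1.1.1", MASKS[::-1], RULES))
    print("unchecked rules:", rules_without_mask(MASKS, RULES))
```

With the host mask first, the host deny wins over the broader permit even though the permit was entered first; reversing the two mask entries makes the permit win for 10.1.1.1, so mask order deserves the same review as the rules themselves.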
6.7.7 Configuring an IP ACL Mask
This mask defines the fields to check in the IP header.