Manualshelf

Product guide

ManualsBrandsProCurve ManualsComputer equipment6200yl
321322323324325326327328329330
10-36
Access Control Lists (ACLs)
Planning an ACL Application
How an ACE Uses a Mask To Screen Packets for
Matches
When the switch applies an ACL to IP traffic, each ACE in the ACL uses an IP
address and ACL mask to enforce a selection policy on the packets being
screened. That is, the mask determines the range of IP addresses (SA only or
SA/DA) that constitute a match between the policy and a packet being
screened.
What Is the Difference Between Network (or Subnet)
Masks and the Masks Used with ACLs?
In common IP addressing, a network (or subnet) mask defines which part of
the IP address to use for the network number and which part to use for the
hosts on the network. For example:
Thus, the bits set to 1 in a network mask define the part of an IP address to
use for the network number, and the bits set to 0 in the mask define the part
of the address to use for the host number.
In an ACL, IP addresses and masks provide criteria for determining whether
to deny or permit a packet, or to pass it to the next ACE in the list. If there is
a match, the configured deny or permit action occurs. If there is not a match,
the packet is compared with the next ACE in the ACL. Thus, where a standard
network mask defines how to identify the network and host numbers in an IP
address, the mask used with ACEs defines which bits in a packet’s IP address
must match the corresponding bits in the IP address listed in an ACE, and
which bits can be wildcards.
IP Address Mask Network Address Host Address
10.38.252.195 255.255.255.0 first three octets The fourth octet.
10.38.252.195 255.255.248.0 first two octets and the left-
most five bits of the third octet
The right most three bits of the
third octet and all bits in the
fourth octet.