Product guide

10-77
Access Control Lists (ACLs)
Configuring Extended ACLs
SA Mask Application: The mask is applied to the SA in the
ACL to define which bits in a packet’s SA must exactly
match the IP address configured in the ACL and which bits
need not match.
Example: 10.10.10.1/24 and 10.10.10.1 0.0.0.255 both
define any IP address in the range of 10.10.10.(1-255).
Note: Specifying a group of contiguous IP addresses may
require more than one ACE. For more on how masks operate
in ACLs, refer to “How an ACE Uses a Mask To Screen Packets
for Matches” on page 10-36.
< any | host < DA > | DA/mask-length >
This is the second instance of IP addressing in an extended
ACE. It follows the first (SA) instance, described earlier,
and defines the destination IP address (DA) that a packet
must carry in order to have a match with the ACE. The
options are the same as shown for < SA >.
any: Allows routed IP packets to any DA.
host < DA >: Specifies only packets having DA as the
destination IP address. Use this criterion when you want
to match only the IP packets for a single DA.
DA/mask-length or DA < mask >: Specifies packets
intended for a destination address, where the address is
either a subnet or a group of IP addresses. The mask
format can be in either dotted-decimal format or CIDR
format (number of significant bits). Refer to “Using CIDR
Notation To Enter the ACL Mask” on page 10-50.
DA Mask Application: The mask is applied to the DA in
the ACL to define which bits in a packet’s DA must exactly
match the DA configured in the ACL and which bits need
not match. See also the above example and note.
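
The following sketch is an added example, not taken from the product guide or the switch software. It models the SA and DA mask application described above (a 0 bit in the ACL mask must match, a 1 bit need not) and shows why a contiguous group of addresses may require more than one ACE. The function names and the sample addresses are constructed for illustration; "host" is modelled as mask 0.0.0.0.

```python
# Added illustration; wildcard_from_prefix, field_matches, ace_matches and
# aces_for_range are hypothetical names, not switch commands or vendor APIs.
import ipaddress

def wildcard_from_prefix(prefix_len):
    """CIDR mask length -> dotted-decimal ACL mask (1 bits = need not match)."""
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))

def field_matches(packet_ip, ace_ip, acl_mask):
    """True when every bit the ACL mask marks 0 is identical in both addresses."""
    pkt = int(ipaddress.IPv4Address(packet_ip))
    ace = int(ipaddress.IPv4Address(ace_ip))
    care = ~int(ipaddress.IPv4Address(acl_mask)) & 0xFFFFFFFF
    return (pkt & care) == (ace & care)

def ace_matches(pkt_sa, pkt_da, ace):
    """An extended ACE matches only if both its SA and DA criteria match."""
    return (field_matches(pkt_sa, ace["sa"], ace["sa_mask"])
            and field_matches(pkt_da, ace["da"], ace["da_mask"]))

def aces_for_range(first_ip, last_ip):
    """Split a contiguous range into the (address, ACL mask) pairs that cover
    exactly that range; each pair corresponds to one ACE."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first_ip), ipaddress.IPv4Address(last_ip))
    return [(str(n.network_address), str(n.hostmask)) for n in nets]

if __name__ == "__main__":
    # Constructed ACE: SA 10.10.10.1/24, DA "host 10.20.0.5" (mask 0.0.0.0).
    ace = {"sa": "10.10.10.1", "sa_mask": wildcard_from_prefix(24),
           "da": "10.20.0.5", "da_mask": "0.0.0.0"}
    print(ace_matches("10.10.10.77", "10.20.0.5", ace))  # SA in subnet, DA exact
    print(ace_matches("10.10.11.77", "10.20.0.5", ace))  # third SA octet differs
    print(ace_matches("10.10.10.77", "10.20.0.6", ace))  # DA is not the host
    # A contiguous group that does not fall on a single mask boundary:
    for addr, mask in aces_for_range("10.10.10.5", "10.10.10.12"):
        print(addr, mask)
```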