IPv4 Access Control Lists (ACLs)
Planning an ACL Application
Note: RACLs do filter routed or switched IPv4 traffic having an SA or DA on the switch itself.
How an ACE Uses a Mask To Screen Packets for Matches
When the switch applies an ACL to IPv4 traffic, each ACE in the ACL uses an IPv4 address and ACL mask to enforce a selection policy on the packets being screened. That is, the mask determines the range of IPv4 addresses (SA only or SA/DA) that constitute a match between the policy and a packet being screened.
What Is the Difference Between Network (or Subnet) Masks and the Masks Used with ACLs?
In common IPv4 addressing, a network (or subnet) mask defines which part of the address to use for the network number and which part to use for the hosts on the network. For example:

Address         Mask            Network Address                 Host Address
10.38.252.195   255.255.255.0   first three octets              The fourth octet.
10.38.252.195   255.255.248.0   first two octets and the        The right-most three bits of the
                                left-most five bits of the      third octet and all bits in the
                                third octet                     fourth octet.

Thus, the bits set to 1 in a network mask define the part of an IPv4 address to use for the network number, and the bits set to 0 in the mask define the part of the address to use for the host number.
In an ACL, IPv4 addresses and masks provide criteria for determining whether to deny or permit a packet, or to pass it to the next ACE in the list. If there is a match, the configured deny or permit action occurs. If there is not a match, the packet is compared with the next ACE in the ACL. Thus, where a standard network mask defines how to identify the network and host numbers in an IPv4 address, the mask used with ACEs defines which bits in a packet’s SA or DA must match the corresponding bits in the SA or DA listed in an ACE, and which bits can be wildcards.
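The two kinds of mask side by side, as an added example that is not part of the original guide: it splits the table's address with each network mask, then screens source addresses against ACEs in list order. It assumes the ACL mask convention in which a 0 bit must match the ACE address and a 1 bit is a wildcard; the function names and the sample ACL are constructed for illustration.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def split_by_network_mask(address, netmask):
    """Network mask: 1 bits select the network number, 0 bits the host number."""
    a, m = to_int(address), to_int(netmask)
    network = ipaddress.IPv4Address(a & m)
    host = ipaddress.IPv4Address(a & ~m & ALL_ONES)
    return str(network), str(host)

def netmask_to_acl_mask(netmask):
    """Invert a network mask to get the ACL mask that covers the same range."""
    return str(ipaddress.IPv4Address(~to_int(netmask) & ALL_ONES))

def ace_matches(packet_addr, ace_addr, acl_mask):
    """ACL mask (assumed convention): 0 bits must match, 1 bits are wildcards."""
    care = ~to_int(acl_mask) & ALL_ONES
    return (to_int(packet_addr) & care) == (to_int(ace_addr) & care)

def evaluate(acl, packet_sa):
    """Compare the SA with each ACE in order; the first match decides.
    Returns None when no ACE in the list matched."""
    for action, ace_addr, acl_mask in acl:
        if ace_matches(packet_sa, ace_addr, acl_mask):
            return action
    return None

# Constructed SA-only ACL, not taken from the guide.
SAMPLE_ACL = [
    ("deny",   "10.38.252.195", "0.0.0.0"),    # every bit must match: one host
    ("permit", "10.38.248.0",   "0.0.7.255"),  # same range as mask 255.255.248.0
]

if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.248.0"):
        print(mask, split_by_network_mask("10.38.252.195", mask),
              "ACL mask:", netmask_to_acl_mask(mask))
    for sa in ("10.38.252.195", "10.38.255.1", "10.38.240.1"):
        print(sa, "->", evaluate(SAMPLE_ACL, sa))
    # Unlike a network mask, an ACL mask may wildcard any bits,
    # here the whole third octet while the fourth must still match.
    print(ace_matches("10.38.7.195", "10.38.252.195", "0.0.255.0"))
```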
HP Networking E3800 Switches Access Security Guide, September 2011, KA 15 03