10-36
IPv4 Access Control Lists (ACLs)
Planning an ACL Application
Rules for Defining a Match Between a Packet and an
Access Control Entry (ACE)
■
For a given ACE, when the switch compares an IPv4 address and
corresponding mask in the ACE to an IPv4 address carried in a packet:
•
A mask-bit setting of 0 (“off”)
requires that the corresponding bits
in the packet’s address and in the ACE’s address must be the same.
Thus, if a bit in the ACE’s address is set to 1 (“on”), the same bit in the
packet’s address must also be 1.
•
A mask-bit setting of 1 (“on”)
means the corresponding bits in the
packet’s address and in the ACE’s address do not have to be the same.
Thus, if a bit in the ACE’s address is set to 1, the same bit in the packet’s
address can be either 1 or 0 (“on” or “off”).
For an example, refer to “Example of How the Mask Bit Settings Define
a Match” on page 10-38.
■
In any ACE, a mask of all ones means
any
IPv4 address is a match.
Conversely, a mask of all zeros means the
only
match is an IPv4
address identical to the host address specified in the ACE.
■
Depending on your network, a single ACE that allows a match with
more than one source or destination IPv4 address may allow a match
with multiple subnets. For example, in a network with a prefix of
31.30.240 and a subnet mask of 255.255.240.0 (the leftmost 20 bits),
applying an ACL mask of 0.0.31.255 causes the subnet mask and the
ACL mask to overlap one bit, which allows matches with hosts in two
subnets: 31.30.224.0 and 31.30.240.0.
This ACL supernetting technique can help to reduce the number of ACLs
you need. You can apply it to a multinetted VLAN and to multiple VLANs.
However, ensure that you exclude subnets that do not belong in the policy.
If this creates a problem for your network, you can eliminate the
unwanted match by making the ACEs in your ACL as specific as possible,
and using multiple ACEs carefully ordered to eliminate unwanted
matches.
Bit Position in the Third Octet of Subnet Mask 255.255.240.0
Bit Values
128
64
32
16
8
4
2
1
Subnet Mask Bits
1
1
1
1
n/a
n/a
n/a
n/a
Mask Bit Settings Affecting
Subnet Addresses
0
0
0
1 or 0
n/a
n/a
n/a
n/a
Summary of Contents for E3800 Series
Page 2: ......
Page 3: ...HP Networking E3800 Switches Access Security Guide September 2011 KA 15 03 ...
Page 30: ...xxviii ...
Page 86: ...2 36 Configuring Username and Password Security Password Recovery ...
Page 186: ...4 72 Web and MAC Authentication Client Status ...
Page 364: ...8 32 Configuring Secure Shell SSH Messages Related to SSH Operation ...
Page 510: ...10 130 IPv4 Access Control Lists ACLs General ACL Operating Notes ...
Page 548: ...11 38 Configuring Advanced Threat Protection Using the Instrumentation Monitor ...
Page 572: ...12 24 Traffic Security Filters and Monitors Configuring Traffic Security Filters ...
Page 730: ...20 Index ...
Page 731: ......