HP HP ProCurve Series 6600, Access Security Manual, Page: 455 / 778

10-35
IPv4 Access Control Lists (ACLs)
Planning an ACL Application
N o t e
RACLs do filter routed or switched IPv4 traffic having an SA or DA on the
switch itself.
How an ACE Uses a Mask To Screen Packets for
Matches
When the switch applies an ACL to IPv4 traffic, each ACE in the ACL uses an
IPv4 address and
ACL mask to enforce a selection policy on the packets being
screened. That is, the mask determines the range of IPv4 addresses (SA only
or SA/DA) that constitute a match between the policy and a packet being
screened.
What Is the Difference Between Network (or Subnet)
Masks and the Masks Used with ACLs?
In common IPv4 addressing, a network (or subnet) mask defines which part
of the address to use for the network number and which part to use for the
hosts on the network. For example:
Thus, the bits set to 1 in a network mask define the part of an IPv4 address to
use for the network number, and the bits set to 0 in the mask define the part
of the address to use for the host number.
In an ACL, IPv4 addresses and masks provide criteria for determining whether
to deny or permit a packet, or to pass it to the next ACE in the list. If there is
a match, the configured deny or permit action occurs. If there is not a match,
the packet is compared with the next ACE in the ACL. Thus, where a standard
network mask defines how to identify the network and host numbers in an
IPv4 address, the mask used with ACEs defines which bits in a packet’s SA or
DA must match the corresponding bits in the SA or DA listed in an ACE, and
which bits can be
wildcards .
Address Mask Network Address Host Address
10.38.252.195 255.255.255.0 first three octets The fourth octet.
10.38.252.195 255.255.248.0 first two octets and the left-
most five bits of the third octet
The right most three bits of the
third octet and all bits in the
fourth octet.