10-38
Access Control Lists (ACLs)
Planning an ACL Application
■ Every IP address and mask pair (source or destination) used in an ACE creates one of the following policies:

  • Any IP address fits the matching criteria. In this case, the switch automatically enters the IP address and mask in the ACE. For example:

      access-list 1 deny any

    produces this policy in an ACL listing:

      IP Address    Mask
      0.0.0.0       255.255.255.255

    This policy states that every bit in every octet of a packet's source address (SA) is a wildcard, which covers any IP address.

  • One IP address fits the matching criteria. In this case, you provide the IP address and the switch provides the mask. For example:

      access-list 1 permit host 10.28.100.15

    produces this policy in an ACL listing:

      IP Address    Mask
      10.28.100.15  0.0.0.0

    This policy states that every bit in every octet of a packet's SA must be the same as the corresponding bit in the SA defined in the ACE.

  • A group of IP addresses fits the matching criteria. In this case you provide both the IP address and the mask. For example:

      access-list 1 permit 10.28.32.1 0.0.0.31

    produces this policy in an ACL listing:

      IP Address    Mask
      10.28.32.1    0.0.0.31

    This policy states that:

    – In the first three octets of a packet's SA, every bit must be set the same as the corresponding bit in the SA defined in the ACE.
    – In the last octet of a packet's SA, the first three bits must be the same as in the ACE, but the last five bits are wildcards and can be any value.

■ Unlike subnet masks, the wildcard bits in an ACL mask need not be contiguous. For example, 0.0.7.31 is a valid ACL mask, even though its inverse, 255.255.248.224, is not a valid subnet mask because its one bits are not contiguous.
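The following is an added worked example, not part of the manual, that reproduces the three ACE forms above in plain Python: it turns an ACE into the address/mask pair the ACL listing would show, applies the wildcard-mask rule (a 1 bit in the mask means "don't care", a 0 bit must match the ACE address), counts how many addresses an ACE covers, and checks whether a wildcard mask's inverse would also be a contiguous subnet mask. The function names and the sample addresses other than those quoted from the manual are assumptions for illustration.

```python
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def parse_ace(ace: str):
    """Parse a standard ACE of the form shown in the manual and return
    (list_id, action, address, wildcard_mask) as an ACL listing shows them.
    Supported forms: 'any', 'host A.B.C.D', and 'A.B.C.D W.X.Y.Z'."""
    tokens = ace.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError("not a standard ACE: %r" % ace)
    list_id, action, spec = tokens[1], tokens[2], tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError("unknown action %r" % action)
    if spec == ["any"]:
        # The switch supplies an all-wildcard mask: every bit is "don't care".
        return list_id, action, "0.0.0.0", "255.255.255.255"
    if len(spec) == 2 and spec[0] == "host":
        # The switch supplies an all-zero mask: every bit must match.
        return list_id, action, str(ipaddress.IPv4Address(spec[1])), "0.0.0.0"
    if len(spec) == 2:
        # The administrator supplies both address and wildcard mask.
        return (list_id, action,
                str(ipaddress.IPv4Address(spec[0])),
                str(ipaddress.IPv4Address(spec[1])))
    raise ValueError("unsupported address form: %r" % " ".join(spec))


def ace_matches(address: str, wildcard: str, packet_addr: str) -> bool:
    """Wildcard-mask match: in every bit position where the mask is 0 the
    packet address must equal the ACE address; mask 1 bits are ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) & care) == (_to_int(packet_addr) & care)


def address_count(wildcard: str) -> int:
    """Number of distinct addresses an ACE with this mask can match:
    one for each combination of the wildcard (1) bits."""
    return 1 << bin(_to_int(wildcard)).count("1")


def wildcard_to_subnet_mask(wildcard: str) -> str:
    """Bitwise inverse of the wildcard mask, e.g. 0.0.7.31 -> 255.255.248.224."""
    return _to_str(~_to_int(wildcard))


def is_contiguous_subnet_mask(wildcard: str) -> bool:
    """True only if the inverse is a run of 1 bits followed by 0 bits, i.e. a
    mask that would also be accepted as a subnet mask. ACL masks need not be."""
    return "01" not in format(~_to_int(wildcard) & 0xFFFFFFFF, "032b")


if __name__ == "__main__":
    # The three ACEs quoted in the manual, plus the non-contiguous mask example.
    for ace in ("access-list 1 deny any",
                "access-list 1 permit host 10.28.100.15",
                "access-list 1 permit 10.28.32.1 0.0.0.31"):
        list_id, action, addr, mask = parse_ace(ace)
        print("%-45s -> %-15s %-15s (%d addresses)"
              % (ace, addr, mask, address_count(mask)))
    print("0.0.7.31 inverse:", wildcard_to_subnet_mask("0.0.7.31"),
          "contiguous:", is_contiguous_subnet_mask("0.0.7.31"))
```

Running the script prints the listing pairs exactly as the manual shows them; the 0.0.0.31 mask covers 32 addresses (10.28.32.0 through 10.28.32.31, since only the low five bits are wildcards), and 0.0.7.31 is reported as non-contiguous, which is why its inverse cannot serve as a subnet mask even though the switch accepts it as an ACL mask.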