HP ProCurve 5300xl Series Management Manual page 434

Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches
Planning an ACL Application on a Series 3400cl or Series 6400cl Switch
10-24
Permit inbound VLAN 3 traffic on all ports.
■
Because all ports in the example have the same inbound traffic requirements
for ACL filtering, the system administrator needs to create only one ACL for
application to all four ports.
All inbound 10.10.10.x (VLAN 1) traffic is allowed on all ports.
■
■ For the inbound 10.10.11.x (VLAN 2) traffic, the fourth octet of the
ACL mask includes an overlap of permit and deny use on the "16" bit,
which will require two different ACEs in the ACL. That is:
• To deny hosts in the range of 31-255 in the fourth octet, it is necessary
to use an ACE that specifies the leftmost four bits of the octet.
• To permit hosts in the range of 1-30 in the fourth octet, it is necessary
to use and ACE that specifies the rightmost five bits of the octet.
1
The overlap can be illustrated as shown here:
Bit Values in the Fourth Octet
Bits Needed To Deny Hosts 31 - 255
(4th Octet Mask: 0.0.0.224)
Bits Needed To Permit Hosts 1 - 30
(4th Octet Mask: 0.0.0.31)
1
For more on this topic, refer to "Rules for Defining a Match Between a Packet
and an Access Control Entry (ACE)" on page 10-31, and "Using CIDR Notation
To Enter the ACL Mask" on page 10-42.
The overlap on the "16" bit means that it is necessary for the ACL to deny
the host at 10.10.11.31 before permitting the hosts in the range of
10.10.10.1 - 30. The complete sequence is:
1. Permit all inbound traffic from 10.10.10.x.
2. Permit all inbound traffic from 10.10.12.x.
3. Deny the host at 10.10.11.31.
4. Permit the hosts in the range of 10.10.11.1 - 30.
5. Allow the implicit deny (automatically present in all ACLs) to deny all
other traffic, which will automatically include the hosts in the range
10.10.10.32 - 255.
128 64 32 16 8 4 2 1