Rules For Defining A Match Between A Packet And An Access Control Entry (Ace) - HP ProCurve 5300xl Series Management Manual

Advanced traffic
Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches
Planning an ACL Application on a Series 3400cl or Series 6400cl Switch
Rules for Defining a Match Between a Packet and an Access Control Entry (ACE)
For a given ACE, when the switch compares an IP address and corresponding mask in the ACE to an IP address carried in a packet:

- A mask-bit setting of 0 ("off") requires that the corresponding bit in the packet's IP address and in the ACE's IP address be the same. That is, if a bit in the ACE's IP address is set to 1 ("on"), the same bit in the packet's IP address must also be 1.

- A mask-bit setting of 1 ("on") means the corresponding bit in the packet's IP address and in the ACE's IP address do not have to be the same. That is, if a bit in the ACE's IP address is set to 1, the same bit in the packet's IP address can be either 1 or 0 ("on" or "off").
For an example, refer to "Example of How the Mask Bit Settings Define a Match" on page 10-33.

In any ACE, a mask of all ones means any IP address is a match. Conversely, a mask of all zeros means the only match is an IP address identical to the host IP address specified in the ACL.
Depending on your network, a single ACE that allows a match with more than one source or destination IP address may allow a match with multiple subnets. For example, in a network with a prefix of 31.30.240 and a subnet mask of 255.255.240.0 (the leftmost 20 bits), applying an ACL mask of 0.0.31.255 causes the subnet mask and the ACL mask to overlap by one bit, which allows matches with hosts in two subnets: 31.30.224.0 and 31.30.240.0.
Bit Position in the Third Octet of Subnet Mask 255.255.240.0

Bit Values                        128   64   32   16       8     4     2     1
Subnet Mask Bits                    1    1    1    1     n/a   n/a   n/a   n/a
Mask Bit Settings Affecting
  Subnet Addresses                  0    0    0    1 or 0  n/a   n/a   n/a   n/a

This ACL supernetting technique can help to reduce the number of ACLs you need. You can apply it to a multinetted VLAN and to multiple VLANs. However, ensure that you exclude subnets that do not belong in the policy. If this creates a problem for your network, you can eliminate the unwanted match by making the ACEs in your ACL as specific as possible, and using multiple ACEs carefully ordered to eliminate unwanted matches.
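The two mask-bit rules and the subnet-overlap calculation above, as an added example in Python that is not part of the manual; the function names and the audit logic are mine, and the sample addresses are the ones the manual uses:

```python
import ipaddress

def ace_matches(ace_addr: str, ace_mask: str, pkt_addr: str) -> bool:
    """ProCurve ACE match rule: a mask bit of 0 requires the packet bit to
    equal the ACE bit; a mask bit of 1 makes that bit a don't-care."""
    a = int(ipaddress.IPv4Address(ace_addr))
    m = int(ipaddress.IPv4Address(ace_mask))
    p = int(ipaddress.IPv4Address(pkt_addr))
    # XOR exposes differing bits; keeping only positions where the mask is 0
    # leaves the bits that are required to be identical.
    return ((a ^ p) & ~m & 0xFFFFFFFF) == 0

def subnets_reached(ace_addr: str, ace_mask: str, subnet_mask: str):
    """Audit helper (hypothetical, not a switch command): list every subnet,
    under subnet_mask, that contains at least one address the ACE matches.
    Run this before applying an ACL to spot unintended supernetting."""
    a = int(ipaddress.IPv4Address(ace_addr))
    m = int(ipaddress.IPv4Address(ace_mask))
    s = int(ipaddress.IPv4Address(subnet_mask))
    # Subnet bits that the ACE mask marks as don't-care are free to vary,
    # so each combination of them is a distinct subnet the ACE can match.
    free_bits = [i for i in range(32) if (m & s) >> i & 1]
    base = a & ~m & s          # subnet bits the ACE pins to fixed values
    reached = set()
    for combo in range(1 << len(free_bits)):
        net = base
        for k, bit in enumerate(free_bits):
            if combo >> k & 1:
                net |= 1 << bit
        reached.add(str(ipaddress.IPv4Address(net)))
    return sorted(reached)

if __name__ == "__main__":
    # Manual's example: ACE 31.30.240.0 with mask 0.0.31.255 on /20 subnets.
    print(subnets_reached("31.30.240.0", "0.0.31.255", "255.255.240.0"))
    print(ace_matches("31.30.240.0", "0.0.31.255", "31.30.230.7"))
```

The overlap of one bit (the 16 position) is what makes the audit return two subnets instead of one.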
10-31
