Rules For Defining A Match Between A Packet And An Access Control Entry (Ace) - HP 3500yl Series Access Security Manual

IPv4 Access Control Lists (ACLs)
Planning an ACL Application
10-36
Rules for Defining a Match Between a Packet and an Access Control Entry (ACE)
For a given ACE, when the switch compares an IPv4 address and corresponding mask in the ACE to an IPv4 address carried in a packet:

A mask-bit setting of 0 ("off") requires that the corresponding bits in the packet's address and in the ACE's address must be the same. Thus, if a bit in the ACE's address is set to 1 ("on"), the same bit in the packet's address must also be 1.

A mask-bit setting of 1 ("on") means the corresponding bits in the packet's address and in the ACE's address do not have to be the same. Thus, if a bit in the ACE's address is set to 1, the same bit in the packet's address can be either 1 or 0 ("on" or "off").

For an example, refer to "Example of How the Mask Bit Settings Define a Match" on page 10-38.

In any ACE, a mask of all ones means any IPv4 address is a match. Conversely, a mask of all zeros means the only match is an IPv4 address identical to the host address specified in the ACE.

Depending on your network, a single ACE that allows a match with more than one source or destination IPv4 address may allow a match with multiple subnets. For example, in a network with a prefix of 31.30.240 and a subnet mask of 255.255.240.0 (the leftmost 20 bits), applying an ACL mask of 0.0.31.255 causes the subnet mask and the ACL mask to overlap one bit, which allows matches with hosts in two subnets: 31.30.224.0 and 31.30.240.0.
Bit Position in the Third Octet of Subnet Mask 255.255.240.0

                                   128   64   32    16      8    4    2    1
Bit Values
Subnet Mask Bits                     1    1    1     1    n/a  n/a  n/a  n/a
Mask Bit Settings Affecting          0    0    0  1 or 0  n/a  n/a  n/a  n/a
Subnet Addresses

This ACL supernetting technique can help to reduce the number of ACLs you need. You can apply it to a multinetted VLAN and to multiple VLANs. However, ensure that you exclude subnets that do not belong in the policy. If this creates a problem for your network, you can eliminate the unwanted match by making the ACEs in your ACL as specific as possible, and using multiple ACEs carefully ordered to eliminate unwanted matches.
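As an added illustration (not code from the manual or the switch), the following Python models the ACE match rule described above and enumerates the subnets an ACE reaches when its mask overlaps the subnet mask, using the 31.30.240.0 / 0.0.31.255 example; the function names are my own.

```python
import ipaddress


def _ip_int(addr):
    """Convert dotted-quad text to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def ace_matches(ace_addr, wildcard, packet_addr):
    """ACE match rule: where a wildcard-mask bit is 0 the packet bit must
    equal the ACE bit; where it is 1 the packet bit may be 0 or 1."""
    care = 0xFFFFFFFF ^ _ip_int(wildcard)        # bits that must be identical
    return (_ip_int(ace_addr) & care) == (_ip_int(packet_addr) & care)


def subnets_matched(ace_addr, wildcard, prefix_len):
    """Return every /prefix_len subnet that contains addresses this ACE matches.
    Wildcard '1' bits falling inside the subnet prefix are the overlap the manual
    describes; each combination of those bits yields a distinct subnet."""
    ace, wc = _ip_int(ace_addr), _ip_int(wildcard)
    net_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    free_net_bits = wc & net_mask                  # overlapping bit positions
    fixed = ace & net_mask & ~free_net_bits        # prefix bits pinned by the ACE
    positions = [b for b in range(32) if (free_net_bits >> b) & 1]
    subnets = []
    for combo in range(1 << len(positions)):
        net = fixed
        for i, pos in enumerate(positions):
            if (combo >> i) & 1:
                net |= 1 << pos
        subnets.append(str(ipaddress.IPv4Network((net, prefix_len))))
    return sorted(subnets)


if __name__ == "__main__":
    # The manual's example: prefix 31.30.240.0/20 with ACL mask 0.0.31.255
    print(subnets_matched("31.30.240.0", "0.0.31.255", 20))
    # -> ['31.30.224.0/20', '31.30.240.0/20']
    print(ace_matches("31.30.240.0", "0.0.31.255", "31.30.225.7"))   # True
    print(ace_matches("31.30.240.0", "0.0.31.255", "31.30.208.1"))   # False
```

Narrowing the mask to 0.0.15.255 removes the overlapping bit and the same call returns only 31.30.240.0/20, which is the "make the ACE as specific as possible" remedy the manual recommends.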
