HP 3500yl Series Access Security Manual page 497

SA Mask Application: The mask is applied to the SA in the
ACL to define which bits in a packet's source SA must exactly
match the address configured in the ACL and which bits need
not match.
Example: 10.10.10.1/24 and 10.10.10.1 0.0.0.255 both
define any IPv4 address in the range of 10.10.10.(1-255).
Note: Specifying a group of contiguous IPv4 addresses may
require more than one ACE. For more on how masks operate
in ACLs, refer to "How an ACE Uses a Mask To Screen Packets
for Matches" on page 10-35.
< any | host < DA > | DA/mask-length >
This is the second instance of addressing in an extended
ACE. It follows the first (SA) instance, described earlier,
and defines the destination address (DA) that a packet must
carry in order to have a match with the ACE. The options
are the same as shown for < SA >.
• any — Allows routed IPv4 packets to any DA.
• host < DA > — Specifies only the packets having DA as the
destination address. Use this criterion when you want
to match only the IPv4 packets for a single DA.
• DA/mask-length or DA < mask > — Specifies packets
intended for a destination address, where the address is
either a subnet or a group of IPv4 addresses. The mask
format can be in either dotted-decimal format or CIDR
format (number of significant bits). Refer to "Using
CIDR Notation To Enter the IPv4 ACL Mask" on page
10-49.
DA Mask Application: The mask is applied to the DA in
the ACL to define which bits in a packet's DA must exactly
match the DA configured in the ACL and which bits need
not match. See also the above example and note.
IPv4 Access Control Lists (ACLs)
Configuring Extended ACLs
10-77