HP ProCurve 6120G/XG Manual page 345

(Assume that ports 1-4 are tagged members of VLAN 22, although tagged/
untagged ports do not affect ACL operation because ACLs examine all
inbound traffic, regardless of VLAN membership.)
The system administrator wants to:
■ Permit inbound VLAN 1 traffic on all ports
■ Permit inbound VLAN 2 traffic on ports 1 - 4 from hosts 10.10.10.1-30
■ Deny inbound VLAN 2 traffic on ports 1 - 4 from hosts 10.10.10.31-255
■ Permit inbound VLAN 3 traffic on all ports.
Because all ports in the example have the same inbound traffic requirements
for ACL filtering, the system administrator needs to create only one ACL for
application to all four ports.
■ All inbound 10.10.10.x (VLAN 1) traffic is allowed on all ports.
■ For the inbound 10.10.11.x (VLAN 2) traffic, the fourth octet of the
ACL mask includes an overlap of permit and deny use on the "16" bit,
which will require two different ACEs in the ACL. That is:
• To deny hosts in the range of 31-255 in the fourth octet, it is necessary
to use an ACE that specifies the leftmost four bits of the octet.
• To permit hosts in the range of 1-30 in the fourth octet, it is necessary
to use and ACE that specifies the rightmost five bits of the octet.
1
The overlap can be illustrated as shown here:
Bit Values in the Fourth Octet
Bits Needed To Deny Hosts 31 - 255
(4th Octet Mask: 0.0.0.224)
Bits Needed To Permit Hosts 1 - 30
(4th Octet Mask: 0.0.0.31)
1
For more on this topic, refer to "Rules for Defining a Match Between a Packet
and an Access Control Entry (ACE)" on page 9-28, and "Using CIDR Notation
To Enter the ACL Mask" on page 9-39.
The overlap on the "16" bit means that it is necessary for the ACL to deny
the host at 10.10.11.31 before permitting the hosts in the range of
10.10.10.1 - 30. The complete sequence is:
1. Permit all inbound traffic from 10.10.10.x.
2. Permit all inbound traffic from 10.10.12.x.
3. Deny the host at 10.10.11.31.
IPv4 Access Control Lists (ACLs)
Planning an ACL Application
128 64 32 16 8 4 2 1
9-21