Rules For Defining A Match Between A Packet And An Access Control Entry (Ace) - HP ProCurve 6120G/XG Manual

HP ProCurve Series 6120 Blade Switches Access Security Guide
IPv4 Access Control Lists (ACLs)
Traffic Management and Improved Network Performance
Rules for Defining a Match Between a Packet and an Access Control Entry (ACE)
9-28
For a given ACE, when the switch compares an IP address and
corresponding mask in the ACE to an IP address carried in a packet:
A mask-bit setting of 0 ("off") requires that the corresponding bit
in the packet's IP address and in the ACE's IP address be the same:
if the bit in the ACE's IP address is 1 ("on"), the same bit in the
packet's IP address must also be 1, and if it is 0, the packet bit must
also be 0.
A mask-bit setting of 1 ("on") means the corresponding bit in the
packet's IP address and in the ACE's IP address do not have to be the
same: whatever the bit in the ACE's IP address is, the same bit in the
packet's IP address can be either 1 or 0 ("on" or "off"), so that bit is
never examined.
For an example, refer to "Example of How the Mask Bit Settings Define
a Match" on page 9-30.
In any ACE, a mask of all ones means any IP address is a match.
Conversely, a mask of all zeros means the only match is an IP address
identical to the host IP address specified in the ACL.
Depending on your network, a single ACE that allows a match with
more than one source or destination IP address may allow a match
with multiple subnets. For example, in a network with a prefix of
31.30.240 and a subnet mask of 255.255.240.0 (the leftmost 20 bits),
applying an ACL mask of 0.0.31.255 causes the subnet mask and the
ACL mask to overlap by one bit (the 16 bit of the third octet), which
allows matches with hosts in two subnets: 31.30.224.0 and 31.30.240.0.
The ACL mask that covers exactly this one /20 subnet is 0.0.15.255,
the bitwise inverse of the subnet mask.
Bit Position in the Third Octet of Subnet Mask 255.255.240.0

Bit Values                                      128   64   32   16       8     4     2     1
Subnet Mask Bits                                1     1    1    1        n/a   n/a   n/a   n/a
Mask Bit Settings Affecting Subnet Addresses    0     0    0    1 or 0   n/a   n/a   n/a   n/a

This ACL supernetting technique can help to reduce the number of ACLs
you need. You can apply it to a multinetted VLAN and to multiple VLANs.
However, ensure that you exclude subnets that do not belong in the policy.
If this creates a problem for your network, you can eliminate the
unwanted match by making the ACEs in your ACL as specific as possible,
and using multiple ACEs carefully ordered to eliminate unwanted
matches.
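The match rule and the overlapping-mask example above, worked through in code. This is an added example and not code from the HP ProCurve manual or from the switch itself: it applies the mask rule to a packet address, derives the ACL mask that covers exactly one subnet, counts how many "don't care" bits of an ACL mask fall inside the subnet mask, and enumerates the subnets a single ACE can reach. The function names are this example's own; the 31.30.240.0 / 0.0.31.255 / 255.255.240.0 figures are the page's example, and the other addresses are constructed test inputs.

```python
# Added example (not from the HP ProCurve manual): ACE match rule, plus a
# check for ACL masks that overlap the subnet mask and therefore match more
# than one subnet.  Function names are this example's own choices, not switch
# CLI syntax.
import ipaddress


def ip_to_int(ip: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(ip))


def int_to_ip(value: int) -> str:
    """32-bit integer back to a dotted-quad string."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def ace_matches(ace_ip: str, ace_mask: str, packet_ip: str) -> bool:
    """The manual's rule: a 0 bit in the ACL mask means the packet bit must
    equal the ACE bit; a 1 bit means that bit is never examined."""
    must_match = ~ip_to_int(ace_mask) & 0xFFFFFFFF
    return (ip_to_int(ace_ip) & must_match) == (ip_to_int(packet_ip) & must_match)


def wildcard_for_prefix(prefix_len: int) -> str:
    """ACL mask that matches exactly one /prefix_len subnet: the bitwise
    inverse of the subnet mask (e.g. /20 -> 255.255.240.0 -> 0.0.15.255)."""
    return int_to_ip((1 << (32 - prefix_len)) - 1)


def overlap_bits(ace_mask: str, subnet_mask: str) -> int:
    """Number of 'don't care' bits in the ACL mask that fall inside the
    network portion of the subnet mask.  Each one doubles the subnets matched."""
    return bin(ip_to_int(ace_mask) & ip_to_int(subnet_mask)).count("1")


def subnets_matched(ace_ip: str, ace_mask: str, subnet_mask: str) -> list:
    """Every subnet (as carved by subnet_mask) from which a packet can match
    the ACE.  A cleanly written ACE returns exactly one entry."""
    net = ip_to_int(subnet_mask)
    overlap = ip_to_int(ace_mask) & net           # overlapping bits may be 1 or 0
    base = ip_to_int(ace_ip) & net & ~overlap     # network bits that are fixed
    positions = [b for b in range(32) if overlap >> b & 1]
    found = []
    for combo in range(1 << len(positions)):     # try each 1-or-0 combination
        addr = base
        for i, bit in enumerate(positions):
            if combo >> i & 1:
                addr |= 1 << bit
        found.append(addr)
    return [int_to_ip(a) for a in sorted(found)]


def effective_network(ace_ip: str, ace_mask: str) -> str:
    """CIDR block an ACE covers when its mask is a contiguous run of
    low-order ones (the usual case); raises ValueError otherwise."""
    mask = ip_to_int(ace_mask)
    if mask & (mask + 1):
        raise ValueError("ACL mask is not a contiguous low-order run of ones")
    prefix_len = 32 - mask.bit_length()
    return str(ipaddress.ip_network(f"{ace_ip}/{prefix_len}", strict=False))


if __name__ == "__main__":
    ace = ("31.30.240.0", "0.0.31.255")           # the page's overlapping example
    print(ace_matches(*ace, "31.30.230.7"))        # a host in 31.30.224.0/20 matches too
    print(overlap_bits(ace[1], "255.255.240.0"))   # the single overlapping bit (value 16)
    print(subnets_matched(*ace, "255.255.240.0"))
    print(effective_network(*ace))                 # what the ACE really covers
    print(wildcard_for_prefix(20))                 # mask for exactly one /20
```

Run it as a script to see the page's example reproduced; `overlap_bits` is the check worth running against any ACE before it goes into a policy, since a non-zero result means the ACE reaches subnets the text warns about.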