Example of how the mask bit settings define a match

Assume an ACE where the second octet of the mask for an SA (source address) is 7 (the rightmost three bits are "on", or "1") and the second octet of the corresponding SA in the ACE is 31 (the rightmost five bits are "on"). In this case, a match occurs when the second octet of the SA in a packet being filtered has a value in the range of 24 to 31: the mask fixes the upper five bits to 00011 and leaves the lower three bits as wildcards.

How the mask defines a match

Location of octet                        Bit position in the octet
                                         128   64   32   16    8    4    2    1
SA in ACE                                  0    0    0    1    1    1    1    1
Mask for SA                                0    0    0    0    0    1    1    1
Corresponding octet of a packet's SA       0    0    0    1    1   0/1  0/1  0/1

In the packet row, the positions shown as a fixed 0 or 1 (the positions where the mask bit is 0) must exactly match the bits of the source address in the ACE. Wherever the mask bits are ones (wildcards), the corresponding address bits in the packet can be any value; where the mask bits are zeros, the corresponding address bits in the packet must be the same as those in the ACE. Note: This example covers only one octet of an IPv4 address. An actual ACE applies this method to all four octets of the address.

Example of allowing only one IPv4 address ("host" option)

Suppose, for example, that you have configured an ACL to filter inbound packets on VLAN 20, and that its ACE specifies a single host address with a mask of all zeros (0.0.0.0). Because the mask is all zeros, the ACE policy dictates that a match occurs only when the source address on such packets is identical to the address configured in the ACE.

An ACL with an ACE that allows only one source address

Examples allowing multiple IPv4 addresses

The following table provides examples of how to apply masks to meet various filtering requirements.

Using an IP Address and Inverse Mask in an Access Control Entry

Address in the ACE   Mask           Policy for a match between a packet and the ACE                                            Allowed addresses
A: 10.38.252.195     0.0.0.255      Exact match in the first three octets only.                                               10.38.252.<0-255>
B: 10.38.252.195     0.0.7.255      Exact match in the first two octets and the leftmost five bits (248) of the third octet.  10.38.<248-255>.<0-255> (1)
C: 10.38.252.195     0.0.0.0        Exact match in all octets.                                                                10.38.252.195 (2)
D: 10.38.252.195     0.15.255.255   Exact match in the first octet and the leftmost four bits of the second octet.            10.<32-47>.<0-255>.<0-255> (3)

(1) In the third octet, only the rightmost three bits are wildcard bits. The leftmost five bits must be a match, and in the ACE, these bits are all set to 1.
(2) There are no wildcard bits in any of the octets.
(3) In the second octet, the rightmost four bits are wildcard bits.

Mask effect on selected octets of the IPv4 addresses in Using an IP Address and Inverse Mask in an Access Control Entry

Addr  Octet  Mask                        Octet range   128   64   32   16    8    4    2    1
A     3      0 (all bits fixed)          252             1    1    1    1    1    1    0    0
B     3      7 (last 3 bits wildcard)    248-255         1    1    1    1    1   0/1  0/1  0/1
C     4      0 (all bits fixed)          195             1    1    0    0    0    0    1    1
D     2      15 (last 4 bits wildcard)   32-47           0    0    1    0   0/1  0/1  0/1  0/1

Bit positions shown as a fixed 0 or 1 must be an exact match; positions shown as 0/1 are wildcard bits and may take either value in the packet.

If there is a match between the policy in the ACE and the IPv4 address in a packet, the packet is either permitted or denied according to how the ACE is configured. If there is no match, the next ACE in the ACL is applied to the packet. The same operation applies to a destination IPv4 address used in an extended ACE.

Where an ACE includes both source and destination addresses, there is one address/ACL-mask pair for the source address, and another address/ACL-mask pair for the destination address. See Configuring named, standard ACLs.
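The following is an added example, not code from the switch documentation: a small Python model of inverse-mask (wildcard) matching that reproduces the octet ranges in the tables above and the first-match ACE evaluation described in the last two paragraphs. The ACE class, the action names "permit" and "deny", and the sample ACL are constructed for illustration; an unmatched packet simply returns None here, since the page does not describe what the switch does in that case.

```python
# Added example, not code from the switch manual: inverse-mask (wildcard)
# matching for IPv4 ACEs, reproducing the octet ranges in the tables above.
import ipaddress
from typing import List, Optional, Sequence, Tuple


def octet_match_range(ace_octet: int, mask_octet: int) -> Tuple[int, int]:
    """Range (low, high) of packet-octet values that match one ACE octet.

    Mask bits set to 1 are wildcards (any packet bit matches); mask bits
    set to 0 require the packet bit to equal the ACE bit.
    """
    fixed = ace_octet & ~mask_octet & 0xFF   # bits that must match exactly
    return fixed, fixed | mask_octet          # wildcard bits all 0 .. all 1


def allowed_ranges(ace_addr: str, mask: str) -> List[Tuple[int, int]]:
    """Per-octet match ranges for an address/mask pair (rows A-D above)."""
    ace = ipaddress.IPv4Address(ace_addr).packed
    msk = ipaddress.IPv4Address(mask).packed
    return [octet_match_range(a, m) for a, m in zip(ace, msk)]


def wildcard_match(packet_addr: str, ace_addr: str, mask: str) -> bool:
    """True when packet_addr matches ace_addr under the inverse mask."""
    p = int(ipaddress.IPv4Address(packet_addr))
    a = int(ipaddress.IPv4Address(ace_addr))
    m = int(ipaddress.IPv4Address(mask))
    # Compare only the bit positions where the mask is 0.
    return ((p ^ a) & ~m & 0xFFFFFFFF) == 0


class ACE:
    """One access control entry (constructed for this example). A standard
    ACE carries only a source address/mask pair; an extended ACE adds a
    destination address/mask pair."""

    def __init__(self, action: str, src_addr: str, src_mask: str,
                 dst_addr: Optional[str] = None,
                 dst_mask: Optional[str] = None):
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        self.action = action
        self.src = (src_addr, src_mask)
        self.dst = (dst_addr, dst_mask) if dst_addr is not None else None

    def matches(self, src: str, dst: Optional[str] = None) -> bool:
        if not wildcard_match(src, *self.src):
            return False
        if self.dst is None:          # standard ACE: destination not checked
            return True
        if dst is None:               # extended ACE needs a destination
            return False
        return wildcard_match(dst, *self.dst)


def evaluate_acl(acl: Sequence[ACE], src: str,
                 dst: Optional[str] = None) -> Optional[str]:
    """Apply the ACEs in order; the first matching ACE decides.

    Returns 'permit', 'deny', or None when no ACE matched (the switch's
    handling of an unmatched packet is not modelled in this example).
    """
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return None


if __name__ == "__main__":
    # Single-octet case from the first table: ACE octet 31, mask 7 -> 24..31
    print(octet_match_range(31, 7))
    # Rows A-D of the address/mask table
    for label, mask in (("A", "0.0.0.255"), ("B", "0.0.7.255"),
                        ("C", "0.0.0.0"), ("D", "0.15.255.255")):
        print(label, allowed_ranges("10.38.252.195", mask))
    # Constructed ACL: deny one host, then permit the rest of its /24
    acl = [ACE("deny", "10.38.252.195", "0.0.0.0"),
           ACE("permit", "10.38.252.195", "0.0.0.255")]
    for pkt in ("10.38.252.195", "10.38.252.10", "10.39.0.1"):
        print(pkt, evaluate_acl(acl, pkt))
```

Ordering matters in the sample ACL: the host-specific deny must precede the broader permit, because evaluation stops at the first matching ACE. Swapping the two entries would let the /24 permit match 10.38.252.195 before the deny is ever reached.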