What is the difference between network (or subnet) masks and the masks used with ACLs?
| Address | Mask | Network address | Host address |
|---|---|---|---|
| 10.38.252.195 | 255.255.255.0 | first three octets | the fourth octet |
| 10.38.252.195 | 255.255.248.0 | first two octets and the left-most five bits of the third octet | the right-most three bits of the third octet and all bits in the fourth octet |
Thus, the bits set to 1 in a network mask define the part of an IPv4 address to use for the network number, and the bits set to 0 in the mask define the part of the address to use for the host number.
In an ACL, IPv4 addresses and masks provide the criteria for determining whether to deny or permit a packet, or to pass it to the next ACE in the list. If there is a match, the configured deny or permit action occurs. If there is not a match, the packet is compared with the next ACE in the ACL. Thus, where a standard network mask defines how to identify the network and host numbers in an IPv4 address, the mask used with ACEs defines which bits in a packet's source address (SA) or destination address (DA) must match the corresponding bits in the SA or DA listed in an ACE, and which bits can be wildcards.