How IPv4 mask bit settings define a match (Example)
A match statement in a class configuration uses an IPv4 source-address/mask-length of 10.38.31.125/21. The mask-length of 21 results in an IPv4 mask of 0.0.7.255. In the second octet of the mask, 7 means that the rightmost three bits are on or 1.
The second octet of the corresponding source address is 31, which means that the rightmost five bits are on or 1.
A match occurs when the second octet of the SA in a packet being classified has a value in the range of 24 (binary 00011000) to 31 (binary 00001111), as shown in the last row in the following table.
| Location of octet / bit position in the octet | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
|---|---|---|---|---|---|---|---|---|
| SA in match statement | 0 | 0 | 0 | 1 | 1 | 1 | 1 | 1 |
| Mask for SA | 0 | 0 | 0 | 0 | 0 | 1 | 1 | 1 |
| Bits in the corresponding octet of a packet's SA that must exactly match | 0 | 0 | 0 | 1 | 1 | 0/1 | 0/1 | 0/1 |
The shaded area indicates the bits in the packet that must exactly match the bits in the source IPv4 address in the match/ignore statement.
NOTE: Only one octet in an IPv4 address is used as a match criterion. The mask in a match/ignore statement may apply a packet filter to all four octets of a source/destination address in IPv4 packet headers.
How IPv6 mask bit settings define a match
2001:DB8:0000:0000:244:17FF:FEB6:D37D. The IPv6 prefix-length (/126) results in the IPv6 mask: FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFC.
To see the on and off settings in the last block of the resulting IPv6 mask that determine the matching IPv6 addresses, see the preceding figure. In this mask, all bits except the last two are set to 1 (on) and must be the same in an IPv6 address. The binary equivalent of hexadecimal C is 1100, which allows the last two bits to differ.
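The following is an added example, not part of the original documentation: it applies the bit-matching rule from both the IPv4 and IPv6 sections to the two addresses above, using Python's standard ipaddress module. The function names and the sample packet addresses are constructed for illustration. Note that the page writes the IPv4 mask with 1 meaning "may differ" and the IPv6 mask with 1 meaning "must match"; the code returns both forms so a rule can be checked against either notation before it is deployed.

```python
import ipaddress

def masks(rule: str):
    """Return (wildcard mask, netmask) as text for an address/prefix-length rule.
    Wildcard form: 1 = bit may differ (the page's IPv4 mask, 0.0.7.255).
    Netmask form:  1 = bit must match (the page's IPv6 mask, ...:FFFC)."""
    net = ipaddress.ip_interface(rule).network
    return str(net.hostmask), str(net.netmask)

def matches(rule: str, packet_addr: str) -> bool:
    """True when packet_addr equals the rule address on every must-match bit."""
    iface = ipaddress.ip_interface(rule)
    addr = ipaddress.ip_address(packet_addr)
    if addr.version != iface.version:
        return False  # an IPv4 rule never matches an IPv6 packet, and vice versa
    must_match = int(iface.network.netmask)
    return (int(iface.ip) ^ int(addr)) & must_match == 0

def match_range(rule: str):
    """Lowest and highest address the rule matches."""
    iface = ipaddress.ip_interface(rule)
    free = int(iface.network.hostmask)      # bits that are allowed to differ
    low = int(iface.ip) & ~free
    make = type(iface.ip)                   # IPv4Address or IPv6Address
    return make(low), make(low | free)

if __name__ == "__main__":
    v4_rule = "10.38.31.125/21"
    v6_rule = "2001:DB8:0000:0000:244:17FF:FEB6:D37D/126"
    # Constructed packet source addresses, chosen around the range boundaries.
    samples = {
        v4_rule: ["10.38.24.0", "10.38.31.255", "10.38.23.255", "10.38.32.0"],
        v6_rule: ["2001:db8::244:17ff:feb6:d37c", "2001:db8::244:17ff:feb6:d37f",
                  "2001:db8::244:17ff:feb6:d37b", "2001:db8::244:17ff:feb6:d380"],
    }
    for rule, packets in samples.items():
        wildcard, netmask = masks(rule)
        low, high = match_range(rule)
        print(f"{rule}\n  wildcard {wildcard}  netmask {netmask}")
        print(f"  matches {low} through {high}")
        for pkt in packets:
            print(f"    {pkt:<32} {'match' if matches(rule, pkt) else 'no match'}")
```

Printing the matched range for a rule is a quick way to confirm that a classifier covers exactly the intended addresses and no neighbouring ones.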