How IPv4 mask bit settings define a match (Example)

The following configuration exists:
  • A match statement in a class configuration uses an IPv4 source-address/mask-length of 10.38.31.125/21. The mask-length of 21 results in an IPv4 (wildcard) mask of 0.0.7.255. In the third octet of the mask, 7 (binary 00000111) means that the rightmost three bits are on, or 1.

  • The third octet of the corresponding source address is 31 (binary 00011111), which means that the rightmost five bits are on, or 1.

A match occurs when the third octet of the SA in a packet being classified has a value in the range of 24 (binary 00011000) to 31 (binary 00011111), as shown in the last row of the following table.

Table 30: How IPv4 mask defines a match

Location of octet                                  Bit position in the octet
                                                   128   64   32   16    8    4    2    1
SA in match statement                                0    0    0    1    1    1    1    1
Mask for SA                                          0    0    0    0    0    1    1    1
Bits in the corresponding octet of a packet's
SA that must exactly match                           0    0    0    1    1   0/1  0/1  0/1

In the last row, the five leftmost bit positions (shown as 0 or 1) are the bits in the packet that must exactly match the bits in the source IPv4 address in the match/ignore statement; the positions shown as 0/1 can take either value.
  • If a mask bit is 1 (wildcard value), the corresponding bits in a source/destination address in an IPv4 packet header can be any value.

  • If a mask bit is 0, the corresponding bits in a source/destination address must be the same value as in the IPv4 address in the match/ignore statement.

NOTE:

In this example, only one octet of the IPv4 address is used as a match criterion. The mask in a match/ignore statement may apply a packet filter to all four octets of a source/destination address in IPv4 packet headers.

How IPv6 mask bit settings define a match

For an example in which an IPv6 prefix-length of 126 is used to select four IPv6 addresses in a match statement, see the following figure. The specified source IPv6 address is: 2001:DB8:0000:0000:244:17FF:FEB6:D37D. The IPv6 prefix-length (/126) results in the IPv6 mask: FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFC.
Figure 60: Mask for matching four IPv6 devices
To see the on and off settings in the last block of the resulting IPv6 mask that determine the matching IPv6 addresses, see the preceding figure. In this mask, all bits except the last two are set to 1 (on) and must be the same in an IPv6 address. The binary equivalent of hexadecimal C is 1100, which allows the last two bits to differ.
Figure 61: How a mask determines four authorized IPv6 manager addresses
To see how the binary equivalent (1100) of the C value in the last block of the resulting IPv6 mask supports four possible combinations (D37C, D37D, D37E, and D37F) in the last block of a matching IPv6 address, see the following figure. Therefore, the IPv6 mask that results from a /126 prefix-length matches inbound traffic from four IPv6-based devices.
Figure 62: How hexadecimal C in an IPv6 mask matches four IPv6 addresses
For more detailed information on how to use CIDR notation to specify masks in match criteria, see the ArubaOS-Switch Access Security Guide.
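The following script is an added worked example, not code from the ArubaOS-Switch guide. It derives the mask that a prefix-length produces (both the wildcard form shown for IPv4 above and the network-mask form shown for IPv6), reproduces the three rows of Table 30 for any octet or 16-bit block, and checks whether a given packet address falls inside a match statement. The two addresses used, 10.38.31.125/21 and 2001:DB8:0000:0000:244:17FF:FEB6:D37D/126, are the ones from the text; the function names are this example's own.

```python
import ipaddress

# Added example: how a prefix-length turns into a mask and which packet
# addresses a match statement therefore covers. Function names are
# this example's own, not ArubaOS-Switch CLI or API names.


def _params(version):
    """(total bits, bits per octet/block, address class) for an IP version."""
    if version == 4:
        return 32, 8, ipaddress.IPv4Address
    return 128, 16, ipaddress.IPv6Address


def _netmask_int(prefix_len, bits):
    """Integer network mask: 1 bits in the prefix part, 0 bits in the host part."""
    return ((1 << bits) - 1) ^ ((1 << (bits - prefix_len)) - 1)


def _format(value, version):
    """Dotted decimal for IPv4; uppercase, fully expanded hex for IPv6."""
    _, _, cls = _params(version)
    return str(cls(value)) if version == 4 else cls(value).exploded.upper()


def netmask_from_prefix(prefix_len, version=4):
    """Network mask form, e.g. /126 -> FFFF:...:FFFC (as shown for IPv6)."""
    bits, _, _ = _params(version)
    return _format(_netmask_int(prefix_len, bits), version)


def wildcard_from_prefix(prefix_len, version=4):
    """Wildcard form (inverse of the network mask), e.g. /21 -> 0.0.7.255.
    A 1 bit in the wildcard means 'any value' at that position."""
    bits, _, _ = _params(version)
    return _format((1 << (bits - prefix_len)) - 1, version)


def address_matches(packet_addr, stmt_addr, prefix_len):
    """True when the packet address agrees with the match-statement address
    on every bit the prefix covers (i.e. every bit whose wildcard bit is 0)."""
    stmt = ipaddress.ip_address(stmt_addr)
    pkt = ipaddress.ip_address(packet_addr)
    if pkt.version != stmt.version:
        return False
    bits, _, _ = _params(stmt.version)
    netmask = _netmask_int(prefix_len, bits)
    return (int(pkt) & netmask) == (int(stmt) & netmask)


def matching_range_for_group(stmt_addr, prefix_len, group_index):
    """Lowest and highest value one octet (IPv4) or 16-bit block (IPv6) may
    take in a matching packet. group_index counts from the left, from 0."""
    stmt = ipaddress.ip_address(stmt_addr)
    bits, gbits, _ = _params(stmt.version)
    shift = bits - gbits * (group_index + 1)
    gmask = (_netmask_int(prefix_len, bits) >> shift) & ((1 << gbits) - 1)
    gval = (int(stmt) >> shift) & ((1 << gbits) - 1)
    lo = gval & gmask                          # wildcard bits cleared
    hi = lo | (~gmask & ((1 << gbits) - 1))    # wildcard bits set
    return lo, hi


def bit_rows(stmt_addr, prefix_len, group_index):
    """The three rows of Table 30 for one octet/block, as bit strings:
    (address bits, wildcard mask bits, bits that must match with 'x' = 0/1)."""
    stmt = ipaddress.ip_address(stmt_addr)
    bits, gbits, _ = _params(stmt.version)
    shift = bits - gbits * (group_index + 1)
    gwild = (((1 << (bits - prefix_len)) - 1) >> shift) & ((1 << gbits) - 1)
    gval = (int(stmt) >> shift) & ((1 << gbits) - 1)
    sa = format(gval, f"0{gbits}b")
    mask = format(gwild, f"0{gbits}b")
    must = "".join("x" if m == "1" else s for s, m in zip(sa, mask))
    return sa, mask, must


if __name__ == "__main__":
    v4, v6 = "10.38.31.125", "2001:DB8:0000:0000:244:17FF:FEB6:D37D"
    print("/21 wildcard mask:", wildcard_from_prefix(21))
    print("third octet rows  :", bit_rows(v4, 21, 2))
    print("third octet range :", matching_range_for_group(v4, 21, 2))
    print("/126 network mask :", netmask_from_prefix(126, 6))
    lo, hi = matching_range_for_group(v6, 126, 7)
    print("last block range  : %X-%X" % (lo, hi))
```

Note that the guide writes the IPv4 mask in wildcard form (0.0.7.255) but the IPv6 mask in network-mask form (FFFF:...:FFFC); the two functions above make that difference explicit, and `address_matches` gives the same result whichever form you read from the configuration.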