Example of how the mask bit settings define a match

Assume an ACE where the second octet of the mask for an SA is 7 (the rightmost three bits are "on", or "1") and the second octet of the corresponding SA in the ACE is 31 (the rightmost five bits). In this case, a match occurs when the second octet of the SA in a packet being filtered has a value in the range of 24 to 31.

How the mask defines a match

Location of octet

Bit position in the octet

 

128

64

32

16

8

4

2

SA in ACE

0

0

0

1

1

1

1

Mask for SA

0

0

0

0

0

1

1

Corresponding Octet of a Packet's SA

0*

0*

0*

1*

1*

0/1

0/1

* Indicates that the bits in the packet must exactly match the bits in the source address in the ACE. Wherever the mask bits are zeros, the bit in the packet must exactly match must exactly match the corresponding bit in the source address in the ACE. Wherever the mask bits are ones (wildcards), the corresponding address bits in the packet can be any value.

NOTE:

This example covers only one octet of an IPv4 address. An actual ACE applies this method to all four octets of the address.