Rules for defining a match between a packet and an access control entry (ACE)

  • For a given ACE, when the switch compares an IPv4 address and corresponding mask in the ACE to an IPv4 address carried in a packet:
    • A mask-bit setting of 0 ("off") requires that the corresponding bits in the packet's address and in the ACE's address be the same. Thus, if a bit in the ACE's address is set to 1 ("on"), the same bit in the packet's address must also be 1.

    • A mask-bit setting of 1 ("on") means the corresponding bits in the packet's address and in the ACE's address do not have to be the same. Thus, if a bit in the ACE's address is set to 1, the same bit in the packet's address can be either 1 or 0 ("on" or "off").

    For an example, see Example of how the mask bit settings define a match.
  • In any ACE, a mask of all ones means any IPv4 address is a match. Conversely, a mask of all zeros means the only match is an IPv4 address identical to the host address specified in the ACE.

  • Depending on your network, a single ACE that allows a match with more than one source or destination IPv4 address may allow a match with multiple subnets. For example, in a network with a prefix of 31.30.240 and a subnet mask of 255.255.240.0 (the leftmost 20 bits), applying an ACL mask of 0.0.31.255 causes the subnet mask and the ACL mask to overlap by one bit (the 16 bit of the third octet), which allows matches with hosts in two subnets: 31.30.224.0 and 31.30.240.0.

    Bit Position in the Third Octet of Subnet Mask 255.255.240.0

    Bit Values                                        128      64      32      16       8       4       2       1
    Subnet Mask Bits                                    1       1       1       1     n/a     n/a     n/a     n/a
    Mask Bit Settings Affecting Subnet Addresses        0       0       0  1 or 0     n/a     n/a     n/a     n/a

    This ACL supernetting technique can help to reduce the number of ACLs you need. You can apply it to a multinet VLAN and to multiple VLANs. However, ensure that you exclude subnets that do not belong in the policy. If the wider match creates a problem for your network, you can eliminate it by making the ACEs in your ACL as specific as possible, and by using multiple ACEs, carefully ordered, to rule out unwanted matches.
  • Every IPv4 address and mask pair (source or destination) used in an ACE creates one of the following policies:
    • Any IPv4 address fits the matching criteria. In this case, the switch automatically enters the address and mask in the ACE. For example: access-list 1 deny any produces this policy in an ACL listing:

      Address    Mask
      0.0.0.0    255.255.255.255

      This policy states that every bit in every octet of a packet's SA is a wildcard, which covers any IPv4 address.

    • One IPv4 address fits the matching criteria. In this case, you provide the address and the switch provides the mask. For example: access-list 1 permit host 10.28.100.15 produces this policy in an ACL listing:

      Address         Mask
      10.28.100.15    0.0.0.0

      This policy states that every bit in every octet of a packet's SA must be the same as the corresponding bit in the SA defined in the ACE.

    • A group of IPv4 addresses fits the matching criteria. In this case, you provide both the address and the mask. For example: access-list 1 permit 10.28.32.1 0.0.0.31 produces this policy in an ACL listing:

      Address       Mask
      10.28.32.1    0.0.0.31

      This policy states that:
      • In the first three octets of a packet's SA, every bit must be set the same as the corresponding bit in the SA defined in the ACE.

      • In the last octet of a packet's SA, the first three bits must be the same as in the ACE, but the last five bits are wildcards and can be any value.

  • Unlike subnet masks, the wildcard bits in an ACL mask need not be contiguous. For example, 0.0.7.31 is a valid ACL mask, but its bitwise complement, 255.255.248.224, is not a valid subnet mask, because the 1 bits of a subnet mask must be contiguous.
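As an added example (not part of the switch documentation), the following Python applies the mask-bit rule above with integer bit operations, enumerates which subnets an ACE reaches when its wildcard bits overlap the subnet prefix (the 31.30.240.0 / 0.0.31.255 case from the supernetting bullet), and checks whether a mask has the contiguous form a subnet mask requires. The function names and the packet addresses used in the demonstration are my own choices.

```python
import ipaddress


def ip_int(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def ace_matches(ace_addr: str, ace_mask: str, pkt_addr: str) -> bool:
    """ACL wildcard-mask rule: every bit whose mask bit is 0 must be equal in
    the ACE address and the packet address; mask bits set to 1 are wildcards."""
    fixed_bits = ~ip_int(ace_mask) & 0xFFFFFFFF
    return (ip_int(ace_addr) ^ ip_int(pkt_addr)) & fixed_bits == 0


def subnets_matched(ace_addr: str, ace_mask: str, prefix_len: int) -> list:
    """List the /prefix_len subnets an ACE can match. Only wildcard bits that
    fall inside the subnet prefix can pull extra subnets into the match, so
    those are the bits enumerated here (host bits never change the subnet)."""
    net_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    mask = ip_int(ace_mask)
    overlap = [b for b in range(32) if (mask >> b) & 1 and (net_mask >> b) & 1]
    base = ip_int(ace_addr) & net_mask & ~mask & 0xFFFFFFFF  # fixed prefix bits
    nets = set()
    for combo in range(1 << len(overlap)):
        n = base
        for i, bit in enumerate(overlap):
            if (combo >> i) & 1:
                n |= 1 << bit
        nets.add(ipaddress.IPv4Network((n, prefix_len)))
    return [str(n) for n in sorted(nets)]


def is_contiguous_subnet_mask(mask: str) -> bool:
    """True if the mask is a run of 1s followed by a run of 0s, as a subnet
    mask must be. ACL masks carry no such restriction."""
    inverted = ~ip_int(mask) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


if __name__ == "__main__":
    # access-list 1 permit 10.28.32.1 0.0.0.31: last five bits are wildcards
    print(ace_matches("10.28.32.1", "0.0.0.31", "10.28.32.20"))  # True
    print(ace_matches("10.28.32.1", "0.0.0.31", "10.28.32.40"))  # False
    # ACL mask 0.0.31.255 overlaps the /20 subnet mask by one bit, so the
    # ACE reaches 31.30.224.0/20 as well as 31.30.240.0/20
    print(subnets_matched("31.30.240.0", "0.0.31.255", 20))
    # A more specific ACL mask keeps the match inside the intended subnet
    print(subnets_matched("31.30.240.0", "0.0.15.255", 20))
    print(is_contiguous_subnet_mask("255.255.248.224"))  # False
```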