Examples allowing multiple IPv4 addresses

The following tables provide examples of how to apply masks to meet various filtering requirements.

Table 14: Using an IP address and mask in an ACE

| Address in the ACE | Mask | Policy for a match between a packet and the ACE | Allowed addresses |
|---|---|---|---|
| A: 10.38.252.195 | 0.0.0.255 | Exact match in first three octets only. | 10.38.252.<0-255> (See row A in the following table.) |
| B: 10.38.252.195 | 0.0.7.255 | Exact match in the first two octets and the leftmost five bits (248) of the third octet. | 10.38.<248-255>.<0-255> (In the third octet, only the rightmost three bits are wildcard bits. The leftmost five bits must be a match, and in the ACE, these bits are all set to 1. See row B in the following table.) |
| C: 10.38.252.195 | 0.0.0.0 | Exact match in all octets. | 10.38.252.195 (There are no wildcard bits in any of the octets. See row C in the following table.) |
| D: 10.38.252.195 | 0.15.255.255 | Exact match in the first octet and the leftmost four bits of the second octet. | 10.<32-47>.<0-255>.<0-255> (In the second octet, the rightmost four bits are wildcard bits. See row D in the following table.) |

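Table 15: Mask effect on selected octets of the IPv4 addresses in Table 14, "Using an IP address and mask in an ACE"

| Addr | Octet | Mask | Octet range | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| A | 3 | 0 all bits | 252 | 1 | 1 | 1 | 1 | 1 | 1 | 0 | 0 |
| B | 3 | 7 last 3 bits | 248-255 | 1 | 1 | 1 | 1 | 1 | 0 or 1 | 0 or 1 | 0 or 1 |
| C | 4 | 0 all bits | 195 | 1 | 1 | 0 | 0 | 0 | 0 | 1 | 1 |
| D | 2 | 15 last 4 bits | 32-47 | 0 | 0 | 1 | 0 | 0 or 1 | 0 or 1 | 0 or 1 | 0 or 1 |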

In this table, each bit shown as a single value (0 or 1) must be an exact match; bits shown as "0 or 1" are wildcard bits.

If there is a match between the policy in the ACE and the IPv4 address in a packet, the packet is either permitted or denied according to how the ACE is configured. If there is no match, the next ACE in the ACL is applied to the packet. The same operation applies to a destination IPv4 address used in an extended ACE.

Where an ACE includes both source and destination addresses, there is one address/ACL-mask pair for the source address, and another address/ACL-mask pair for the destination address.
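The matching rule and the "Allowed addresses" ranges from the tables above can be reproduced in a few lines of Python; this is an added example, not code from the switch documentation or firmware. The function names, the sample ACL and the `None` result for a packet that matches no ACE are assumptions made for the illustration.

```python
import ipaddress

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def ace_matches(ace_addr, acl_mask, packet_addr):
    """True when every bit whose mask bit is 0 is equal in the ACE address and the packet."""
    must_match = ~_to_int(acl_mask) & 0xFFFFFFFF  # mask bit 0 = exact match, 1 = wildcard
    return (_to_int(ace_addr) & must_match) == (_to_int(packet_addr) & must_match)

def octet_ranges(ace_addr, acl_mask):
    """Per-octet (low, high) allowed values; ValueError if wildcard bits are not right-aligned."""
    ranges = []
    for a, m in zip(ipaddress.IPv4Address(ace_addr).packed,
                    ipaddress.IPv4Address(acl_mask).packed):
        if m & (m + 1):  # e.g. 0b00000101 allows a scattered set of values, not one range
            raise ValueError(f"mask octet {m} is not a run of low-order wildcard bits")
        ranges.append((a & ~m & 0xFF, a | m))
    return ranges

def first_match(acl, packet_addr):
    """Apply ACEs in order; return the action of the first matching ACE."""
    for action, addr, mask in acl:
        if ace_matches(addr, mask, packet_addr):
            return action
    return None  # assumption: no ACE matched; the page does not say what happens next

# Address/mask pairs from rows A-D of Table 14.
ROWS = {
    "A": ("10.38.252.195", "0.0.0.255"),
    "B": ("10.38.252.195", "0.0.7.255"),
    "C": ("10.38.252.195", "0.0.0.0"),
    "D": ("10.38.252.195", "0.15.255.255"),
}

# Constructed ACL: a host-specific deny (row C) placed ahead of the broader permit (row B).
SAMPLE_ACL = [
    ("deny", *ROWS["C"]),
    ("permit", *ROWS["B"]),
]

if __name__ == "__main__":
    for name, (addr, mask) in ROWS.items():
        print(name, octet_ranges(addr, mask))
    for pkt in ("10.38.252.195", "10.38.250.9", "10.38.240.9"):  # constructed packets
        print(pkt, first_match(SAMPLE_ACL, pkt))
```

Because the first matching ACE decides the outcome, the exact-match deny only takes effect when it is listed before the wider permit that also covers the same host.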