Access Security Guide K/KA/KB.15.15

Defines the source IPv4 address (SA) a packet must carry for a match with the ACE.
any
Allows IPv4 packets from any SA.
host <SA>
Specifies only packets having <SA> as the source. Use this criterion when you
want to match the IPv4 packets from a single source address.
SA <mask> or SA /masklength
Specifies packets received from either a subnet or a group of IPv4 addresses.
The mask format can be in either dotted-decimal format or CIDR format (number
of significant bits). See “How an ACE uses a mask to screen packets for
matches” (page 322).
Mask Application
The mask is applied to the IPv4 address in the ACE to define which bits in a
packet's SA must exactly match the SA configured in the ACE and which bits
need not match. For example: 10.10.10.1/24 and 10.10.10.1 0.0.0.255 both
define any address in the range of 10.10.10.(1 - 255).
NOTE: Specifying a group of contiguous addresses may require more than
one ACE. For more on how masks operate, see “How an ACE uses a mask to
screen packets for matches” (page 322).
[log]
This option generates an ACL log message if:
The action is deny.
There is a match.
ACL logging is enabled on the switch. See “Enabling ACL logging on the
switch” (page 294) for more details.
Use the debug command to direct ACL logging output to the current console
session and/or to a Syslog server. Note that you must also use the
logging <ip-addr> command to specify the addresses of Syslog
servers to which you want log messages sent. See also “Enabling ACL
logging on the switch” (page 294).
Example
This example creates an ACL that:
permits IPv4 traffic from a host with the address of 10.10.10.104
blocks all other IPv4 traffic from the same subnet
allows all other IPv4 traffic
Figure 181 Commands used to create a standard, named ACL
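
The mask comparison and the three-ACE list described above, modelled as an added example (not code from this guide or from the switch software). The function names, the sample list and the log keyword on the deny ACE are assumptions made for illustration.

```python
import ipaddress

FULL = 0xFFFFFFFF

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_ace(line):
    """Parse '<permit|deny> any | host <SA> | <SA>/<len> | <SA> <mask> [log]'."""
    tokens = line.split()
    action, rest = tokens[0], tokens[1:]
    log = rest[-1] == "log"
    if log:
        rest = rest[:-1]
    if rest == ["any"]:
        sa, mask = 0, FULL                      # every bit is "need not match"
    elif rest[0] == "host":
        sa, mask = to_int(rest[1]), 0           # every bit must match
    elif "/" in rest[0]:
        addr, length = rest[0].split("/")       # CIDR: leading bits must match
        sa, mask = to_int(addr), FULL >> int(length)
    else:
        sa, mask = to_int(rest[0]), to_int(rest[1])  # dotted-decimal mask
    return action, sa, mask, log

def ace_matches(sa, mask, packet_sa):
    # Compare only the bit positions where the mask bit is 0.
    return ((sa ^ packet_sa) & ~mask & FULL) == 0

def evaluate(acl, packet_sa, acl_logging_enabled=True):
    """Return (action, number of the matching ACE, log message generated?)."""
    pkt = to_int(packet_sa)
    for number, line in enumerate(acl, start=1):
        action, sa, mask, log = parse_ace(line)
        if ace_matches(sa, mask, pkt):
            # A log message needs all three: deny, a match, logging enabled.
            logged = log and action == "deny" and acl_logging_enabled
            return action, number, logged
    # Assumption from general ACL behaviour, not stated in this section:
    # a packet that matches no ACE is denied.
    return "deny", None, False

# Constructed from the Example's description; "log" on the deny ACE is added here.
SAMPLE_ACL = [
    "permit host 10.10.10.104",
    "deny 10.10.10.1/24 log",
    "permit any",
]
```

Calling evaluate(SAMPLE_ACL, "10.10.10.7") shows why ACE order matters: the host permit is tested first, so only the remaining addresses in the subnet reach the deny ACE.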