Access Security Guide K/KA/KB.15.15

Example 11 Examples allowing multiple IPv4 addresses
The following table provides examples of how to apply masks to meet various filtering requirements.
Table 31 Using an IP Address and Inverse Mask in an Access Control Entry

| Address in the ACE | Mask | Policy for a match between a packet and the ACE | Allowed addresses |
|---|---|---|---|
| A: 10.38.252.195 | 0.0.0.255 | Exact match in the first three octets only. | 10.38.252.<0-255> (See row A in Table 32, “Mask effect on selected octets of the IPv4 addresses in Table 31” (page 326).) |
| B: 10.38.252.195 | 0.0.7.255 | Exact match in the first two octets and the leftmost five bits (248) of the third octet. | 10.38.<248-255>.<0-255> (In the third octet, only the rightmost three bits are wildcard bits. The leftmost five bits must be a match, and in the ACE these bits are all set to 1. See row B in Table 32 (page 326).) |
| C: 10.38.252.195 | 0.0.0.0 | Exact match in all octets. | 10.38.252.195 (There are no wildcard bits in any of the octets. See row C in Table 32 (page 326).) |
| D: 10.38.252.195 | 0.15.255.255 | Exact match in the first octet and the leftmost four bits of the second octet. | 10.<32-47>.<0-255>.<0-255> (In the second octet, the rightmost four bits are wildcard bits. See row D in Table 32 (page 326).) |
Table 32 Mask effect on selected octets of the IPv4 addresses in Table 31 (page 326)

| Addr | Octet | Mask | Octet range | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| A | 3 | 0 (all bits) | 252 | 1 | 1 | 1 | 1 | 1 | 1 | 0 | 0 |
| B | 3 | 7 (last 3 bits) | 248-255 | 1 | 1 | 1 | 1 | 1 | 0 or 1 | 0 or 1 | 0 or 1 |
| C | 4 | 0 (all bits) | 195 | 1 | 1 | 0 | 0 | 0 | 0 | 1 | 1 |
| D | 2 | 15 (last 4 bits) | 32-47 | 0 | 0 | 1 | 0 | 0 or 1 | 0 or 1 | 0 or 1 | 0 or 1 |

Shaded areas in the original table (the bit columns shown above as a fixed 0 or 1) indicate bit settings that must be an exact match; the bits shown as “0 or 1” are wildcard bits.
If there is a match between the policy in the ACE and the IPv4 address in a packet, the packet is either permitted or denied according to how the ACE is configured. If there is no match, the next ACE in the ACL is applied to the packet. The same operation applies to a destination IPv4 address used in an extended ACE.

Where an ACE includes both source and destination addresses, there is one address/ACL-mask pair for the source address, and another address/ACL-mask pair for the destination address. See “Configuring named, standard ACLs” (page 259).
Using CIDR notation to enter the IPv4 ACL mask
Use CIDR notation to enter ACL masks. The switch interprets the bits specified with CIDR notation as the address bits in an ACL and the corresponding address bits in a packet that must match. The switch then converts the mask to inverse notation for ACL use.
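The following Python model, added here as an illustration and not code from the guide or the switch firmware, reproduces the matching rule behind Tables 31 and 32 and the CIDR-to-inverse-mask conversion described above. It works through the four rows (A to D) against the ACE address 10.38.252.195, shows the per-octet bit view of Table 32 (a fixed 0 or 1 is an exact-match bit, `x` is a wildcard bit), applies a small ACL in first-match order, and converts a prefix length to the inverse mask the switch stores. The `Ace` class, the function names and the final "deny" when no ACE matches are assumptions of this example.

```python
"""Inverse-mask matching for IPv4 ACEs and CIDR-to-inverse-mask conversion (illustrative model)."""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


def to_int(addr: str) -> int:
    """Parse dotted-decimal IPv4 into a 32-bit integer (raises ValueError on bad input)."""
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    """Render a 32-bit integer as dotted-decimal IPv4."""
    return str(ipaddress.IPv4Address(value))


def ace_matches(ace_addr: str, inverse_mask: str, packet_addr: str) -> bool:
    """A 0 bit in the inverse mask must be identical in the ACE address and the
    packet address; a 1 bit in the inverse mask is a wildcard ("0 or 1")."""
    must_match = ALL_ONES ^ to_int(inverse_mask)
    return (to_int(ace_addr) & must_match) == (to_int(packet_addr) & must_match)


def octet_bit_pattern(ace_addr: str, inverse_mask: str, octet: int) -> list:
    """Table 32 view of one octet (1-based): bit values 128 down to 1, each
    '0' or '1' when the bit must match exactly, or 'x' when it is a wildcard bit."""
    a = int(ace_addr.split(".")[octet - 1])
    m = int(inverse_mask.split(".")[octet - 1])
    pattern = []
    for bit in (128, 64, 32, 16, 8, 4, 2, 1):
        if m & bit:
            pattern.append("x")
        else:
            pattern.append("1" if a & bit else "0")
    return pattern


def allowed_octet_range(ace_addr: str, inverse_mask: str, octet: int) -> tuple:
    """Lowest and highest value the given octet can take in a matching packet."""
    a = int(ace_addr.split(".")[octet - 1])
    m = int(inverse_mask.split(".")[octet - 1])
    low = a & (0xFF ^ m)   # wildcard bits cleared
    return (low, low | m)  # wildcard bits set


def cidr_to_inverse_mask(prefix_len: int) -> str:
    """The prefix length names the leading bits that must match; the switch
    stores the complement of that netmask, i.e. the inverse mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    netmask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return to_str(netmask ^ ALL_ONES)


@dataclass
class Ace:  # hypothetical container for one access control entry
    action: str          # "permit" or "deny"
    addr: str
    inverse_mask: str


def evaluate_acl(acl: list, packet_addr: str) -> str:
    """Apply the ACEs in order; the first ACE whose policy matches decides.
    If no ACE matches, this model returns "deny" (assumed implicit deny-any)."""
    for ace in acl:
        if ace_matches(ace.addr, ace.inverse_mask, packet_addr):
            return ace.action
    return "deny"


# Constructed sample: the four rows of Table 31, all using ACE address 10.38.252.195,
# together with the octet that Table 32 examines for each row.
ACE_ADDR = "10.38.252.195"
TABLE_31 = {"A": ("0.0.0.255", 3), "B": ("0.0.7.255", 3),
            "C": ("0.0.0.0", 4), "D": ("0.15.255.255", 2)}

if __name__ == "__main__":
    for row, (mask, octet) in TABLE_31.items():
        print(row, mask, "octet", octet,
              "".join(octet_bit_pattern(ACE_ADDR, mask, octet)),
              allowed_octet_range(ACE_ADDR, mask, octet))
    acl = [Ace("deny", ACE_ADDR, "0.0.0.0"), Ace("permit", ACE_ADDR, "0.0.0.255")]
    for pkt in ("10.38.252.195", "10.38.252.7", "10.38.253.7"):
        print(pkt, "->", evaluate_acl(acl, pkt))
    for prefix in (24, 21, 32, 12):
        print("/%d" % prefix, "->", cidr_to_inverse_mask(prefix))
```

Running the module prints, for each row, the bit pattern that Table 32 shades and the octet range Table 31 lists (for example row D gives `0010xxxx` and `(32, 47)`), and the prefix lengths /24, /21, /32 and /12 convert to the four masks in Table 31.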
326 IPv4 Access Control Lists (ACLs)