IPv4 Access Control Lists (ACLs)
Configuring Extended ACLs
SA Mask Application: The mask is applied to the SA in the
ACL to define which bits in a packet’s SA must exactly
match the address configured in the ACL and which bits need
not match.
Example: and both
define any IP address in the range of 10.10.10.(1-255).
Note: Specifying a group of contiguous IPv4 addresses may
require more than one ACE. For more on how masks operate
in ACLs, refer to “How an ACE Uses a Mask To Screen Packets
for Matches” on page 9-28.
< any | host < DA > | DA/mask-length >
This is the second instance of addressing in an extended
ACE. It follows the first (SA) instance, described earlier,
and defines the destination address (DA) that a packet must
carry in order to have a match with the ACE. The options
are the same as shown for < SA >.
• any — Allows routed IPv4 packets to any DA.
• host < DA > — Specifies only the packets having DA as the
destination address. Use this criterion when you want
to match only the IPv4 packets for a single DA.
• DA/mask-length or DA < mask > — Specifies packets
intended for a destination address, where the address is
either a subnet or a group of IPv4 addresses. The mask
format can be in either dotted-decimal format or CIDR
format (number of significant bits). Refer to “Using
CIDR Notation To Enter the IPv4 ACL Mask” on page
DA Mask Application: The mask is applied to the DA in
the ACL to define which bits in a packet’s DA must exactly
match the DA configured in the ACL and which bits need
not match. See also the above example and note.
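The SA and DA mask application described above, and the note that a contiguous group of addresses may need more than one ACE, as an added Python example (not taken from the manual or the switch software). It assumes the dotted-decimal mask is a wildcard mask in which a 0 bit must match and a 1 bit need not match; all function names and the sample addresses are hypothetical.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_from_prefix(prefix_len):
    """CIDR mask length -> dotted-decimal mask (assumed: 1 bits need not match)."""
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))

def field_matches(packet_addr, ace_addr, wildcard):
    """True when every bit the mask marks 'must match' is equal in both addresses."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(packet_addr) & care) == (to_int(ace_addr) & care)

def ace_matches(packet_sa, packet_da, ace):
    """ace = ((SA, SA mask), (DA, DA mask)); SA and DA must both match."""
    (sa, sa_mask), (da, da_mask) = ace
    return (field_matches(packet_sa, sa, sa_mask)
            and field_matches(packet_da, da, da_mask))

def aces_for_range(first, last):
    """Fewest (address, mask) pairs that cover exactly first..last."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in nets]

def host(addr):
    """'host <addr>': every bit must match."""
    return (addr, "0.0.0.0")

ANY = ("0.0.0.0", "255.255.255.255")  # 'any': no bit needs to match

if __name__ == "__main__":
    # Constructed sample ACE: SA 10.10.10.1/24, DA host 10.20.20.5
    ace = (("10.10.10.1", wildcard_from_prefix(24)), host("10.20.20.5"))
    for sa, da in [("10.10.10.77", "10.20.20.5"),
                   ("10.10.11.77", "10.20.20.5"),
                   ("10.10.10.77", "10.20.20.6")]:
        print(sa, "->", da, "match" if ace_matches(sa, da, ace) else "no match")
    # A contiguous range that is not a single bit-aligned block
    for addr, mask in aces_for_range("10.10.10.1", "10.10.10.6"):
        print("ACE address/mask:", addr, mask)
```

The range 10.10.10.1 through 10.10.10.6 comes out as four address/mask pairs because a single mask can only describe a block whose size and starting address are aligned on a power of two.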