Access Control Lists
3-61
3
Web – Configure the mask to match the required rules in the IP ingress or egress
ACLs. Set the mask to check for any source or destination address, a specific host
address, or an address range. Include other criteria to search for in the rules, such
as a protocol type or one of the service types. Or use a bitmask to search for specific
protocol port(s) or TCP control code(s). Then click Add.
Figure3-36 ACL Mask Configuration - IP
CLI – This shows that the entries in the mask override the precedence in which the
rules are entered into the ACL. In the following example, packets with the source
address 10.1.1.1 are dropped because the “deny 10.1.1.1 255.255.255.255” rule
has the higher precedence according the “mask host any” entry.
Console(config)#access-list ip standard A2 4-88
Console(config-std-acl)#permit 10.1.1.0 255.255.255.0 4-89
Console(config-std-acl)#deny 10.1.1.1 255.255.255.255
Console(config-std-acl)#exit
Console(config)#access-list ip mask-precedence in 4-92
Console(config-ip-mask-acl)#mask host any 4-93
Console(config-ip-mask-acl)#mask 255.255.255.0 any
Console(config-ip-mask-acl)#