Configure address masks in ACLs on S series switches


For S series switches (except S1700 switches):
An address mask must be specified when a source IP address or destination IP address is configured in an ACL rule. This address mask is a wildcard, not a subnet mask.
In a binary wildcard, the value 0 indicates that the bit must be matched and the value 1 indicates that the bit does not need to be matched. The 0s and 1s in a wildcard can be discontinuous.
For example, the IP address 192.168.1.169 together with the wildcard 0.0.0.172 represents the addresses 192.168.1.x0x0xx01, where each x can be 0 or 1.

Other related questions:
ACL configuration on S series switch
An ACL filters packets based on rules. A switch with an ACL configured matches packets against the rules to identify packets of a certain type, and then forwards or discards those packets according to the policy of the service module to which the ACL is applied. S series switches support basic ACLs (2000-2999), advanced ACLs (3000-3999), Layer 2 ACLs (4000-4999), user-defined ACLs (5000-5999), user ACLs (6000-9999), basic ACL6 (2000-2999), and advanced ACL6 (3000-3999). For more information about the ACL features supported by S series switches (except S1700), see S1720&S2700&S3700&S5700&S6700&S7700&S9700 Common Operation Guide or S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.

How to configure the mask of an ACL on a WLAN device
For WLAN devices, masks (wildcards) must be specified for the source and destination IP addresses in ACL rules. The wildcard is in dotted decimal notation. In a binary wildcard, the value 0 indicates that the bit must be matched and the value 1 indicates that the bit does not need to be matched. The 0s and 1s in a wildcard can be discontinuous. For example, the IP address 192.168.1.169 together with the wildcard 0.0.0.172 represents the addresses 192.168.1.x0x0xx01, where each x can be 0 or 1.

Why does a fault occur on an S series switch when the network IP address/mask and host IP address/mask are configured?
Question: Why does a fault occur when I configure the network IP address/mask and host IP address/mask? Answer: You may solve the problem as follows: Ensure that the host is part of the same network and that the mask is correct. Ensure that the IP address and mask of the host combine to the network IP address. Ensure that the IP address of the host is unique on the network. Ensure that the IP address of the network is unique in the area.

Configuring reverse masks for ACLs on the USG2000 and USG5000 series
Write out the subnet mask in binary (0s and 1s) and invert every bit; the result is the reverse mask (wildcard) used in the ACL rule.

Method used to configure the mask in the ACL on the AR
Masks in ACL rules configured on AR series routers and S series switches are wildcard masks. A wildcard mask is also simply called a wildcard and is written in dotted decimal notation. When the wildcard is converted to binary, the value 0 indicates that the bit is matched and the value 1 indicates that the bit is not matched. The 0s and 1s of the binary value can be discontiguous. For example, the IP address 192.168.1.169 together with the wildcard 0.0.0.172 represents the addresses 192.168.1.x0x0xx01, where each x can be 0 or 1.
Example:
system-view
[Huawei] acl number 2000
[Huawei-acl-basic-2000] rule permit source 192.168.32.1 0 //Permit only a specific IP address; the wildcard mask 0.0.0.0 is abbreviated as 0.
[Huawei-acl-basic-2000] rule permit source 192.168.32.0 0.0.0.255 //Permit a network segment (subnet mask 255.255.255.0); the wildcard mask 0.0.0.255 is what the ACL uses.
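As a worked example added here (it is not vendor code and not part of the original article), the Python below applies the wildcard rules explained above: it renders the page's x-notation for 192.168.1.169 with wildcard 0.0.0.172, tests packet addresses against a rule the way the ACL match does, counts how many addresses a wildcard covers, and performs the USG-style subnet-mask inversion. It uses only the standard library; the function names are the example's own.

```python
import ipaddress


def _wc_to_int(wildcard: str) -> int:
    # The CLI on the page abbreviates the wildcard 0.0.0.0 as "0".
    if wildcard == "0":
        wildcard = "0.0.0.0"
    return int(ipaddress.IPv4Address(wildcard))


def wildcard_pattern(ip: str, wildcard: str) -> str:
    """Render the matched range in the page's notation: fixed bits keep their
    value, 'x' marks a don't-care bit. Octets whose wildcard is 0 stay decimal."""
    w = _wc_to_int(wildcard)
    ip_octets = [int(o) for o in ip.split(".")]
    wc_octets = [(w >> s) & 0xFF for s in (24, 16, 8, 0)]
    parts = []
    for a, wo in zip(ip_octets, wc_octets):
        if wo == 0:
            parts.append(str(a))
            continue
        bits = ["x" if (wo >> b) & 1 else str((a >> b) & 1) for b in range(7, -1, -1)]
        parts.append("".join(bits))
    return ".".join(parts)


def acl_matches(rule_ip: str, wildcard: str, packet_ip: str) -> bool:
    """A packet matches when every bit the wildcard marks 0 is equal in the rule
    address and the packet address; bits marked 1 are ignored."""
    r = int(ipaddress.IPv4Address(rule_ip))
    p = int(ipaddress.IPv4Address(packet_ip))
    care = 0xFFFFFFFF ^ _wc_to_int(wildcard)  # 1 where the bit must match
    return (r ^ p) & care == 0


def matched_address_count(wildcard: str) -> int:
    """Each don't-care bit doubles the number of addresses a rule covers."""
    return 1 << bin(_wc_to_int(wildcard)).count("1")


def reverse_mask(subnet_mask: str) -> str:
    """USG-style conversion: invert a subnet mask bit by bit to get the wildcard."""
    m = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


if __name__ == "__main__":
    print(wildcard_pattern("192.168.1.169", "0.0.0.172"))  # 192.168.1.x0x0xx01
    print(matched_address_count("0.0.0.172"))              # 16
    for pkt in ("192.168.1.1", "192.168.1.169", "192.168.1.170"):
        print(pkt, acl_matches("192.168.1.169", "0.0.0.172", pkt))
    print(reverse_mask("255.255.255.0"))                   # 0.0.0.255
```

A discontiguous wildcard such as 0.0.0.172 admits 16 addresses scattered across the /24 (192.168.1.1 matches, 192.168.1.170 does not), so the count is a quick check during review that a rule is not broader than intended.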
