Comware Based

How to paste subnet in ACL configuration

nandoin
Occasional Contributor


Hello everyone!

I'm having trouble configuring ACLs on the 1920 and 5120 switches.

E.g: I need to apply an ACL like this:

rule permit ip source (192.168.50.128/28 - 255.255.255.240) destination any

How do I write the subnet in the correct format? I know /24 is written as 0.0.0.255, but how are /30, /29, /28 and /27 written?

 

Thanks!

2 REPLIES
network_king
Occasional Advisor

Re: How to paste subnet in ACL configuration

Please use the table below.

List of Wildcard Masks

CIDR   Subnet mask        Wildcard mask
/32    255.255.255.255    0.0.0.0
/31    255.255.255.254    0.0.0.1
/30    255.255.255.252    0.0.0.3
/29    255.255.255.248    0.0.0.7
/28    255.255.255.240    0.0.0.15
/27    255.255.255.224    0.0.0.31
/26    255.255.255.192    0.0.0.63
/25    255.255.255.128    0.0.0.127
/24    255.255.255.0      0.0.0.255


ACL syntax : [HP-acl-xxx-XXXX] rule 5 permit ip source <ip_add> <wildcard_mask>  destination <ip_add> <wildcard_mask>

dcatcha
Occasional Visitor

Re: How to paste subnet in ACL configuration

It is not the same with an HP ACL; see page 8: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03187008

From the guide:

A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care" bits, and the 1 bits represent "don't care" bits. If the "do care" bits in an IP address are identical to the "do care" bits in an IP address criterion, the IP address matches the criterion. All "don't care" bits are ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask.

 

I would expect it to be written

permit ip source 192.168.1.0 0.0.0.255 destination any                          = /24
permit ip source 192.0.0.0 255.0.0.0 destination any                               = /28

 

The numbers after the IP are match criteria: 0 = match, 255 = could be anything.
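
Added example (not part of any post in this thread and not HPE code): a Python sketch of the wildcard-mask definition quoted from the guide. It derives the mask for a prefix length as in the table and reports what a given address/wildcard pair matches, which is a useful check before a rule goes onto a switch. Function names are illustrative, and the test addresses other than 192.168.50.128/28 and 0.255.0.255 are constructed.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard (inverse) mask for a prefix length: bitwise NOT of the subnet mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    netmask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(netmask ^ ALL_ONES))


def acl_source(cidr: str) -> str:
    """'address wildcard' pair for a CIDR block.

    strict=True rejects input with host bits set (e.g. 192.168.50.130/28),
    so a typo cannot silently widen or shift the rule.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    return f"{net.network_address} {net.hostmask}"


def wildcard_match(addr: str, criterion: str, wildcard: str) -> bool:
    """Guide's rule: 0 bits are 'do care', 1 bits are 'don't care'."""
    care = _to_int(wildcard) ^ ALL_ONES
    return (_to_int(addr) & care) == (_to_int(criterion) & care)


def matched_count(wildcard: str) -> int:
    """Number of addresses a wildcard admits: 2 ** (count of 'don't care' bits)."""
    return 2 ** bin(_to_int(wildcard)).count("1")


def is_contiguous(wildcard: str) -> bool:
    """True when the 1 bits form one low-order run, i.e. the mask equals a CIDR prefix."""
    w = _to_int(wildcard)
    return (w & (w + 1)) == 0


if __name__ == "__main__":
    print(acl_source("192.168.50.128/28"))  # subnet from the original question
    print(matched_count("0.0.0.15"), is_contiguous("0.255.0.255"))
```

Running `matched_count` and `is_contiguous` over every rule in an exported ACL is a quick way to spot entries that admit far more addresses than the intended subnet.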