When the Gateway ANDs the mask with the IP, the result acts as an 8-bit filter that tests the IP source addresses of incoming logons.
The mask tells the filter which part of an IP address or range is important, and to what extent it must test an incoming IP address against the IP restrictions in the allow and deny elements. If an element does not define a mask, the mask defaults to the value 255.255.255.255, meaning that the incoming IP must match the filter IP exactly or the filter has no effect.
In "Example: Allow IP", the mask uses the value 255 in the first three decimal-separated segments (24 bits) to instruct the filter to consider the entire value of each of the corresponding segments of the IP. The segments are binary, and the 8 bits represent (from right to left) the first eight values in the binary sequence, 1, 2, 4, 8, 16, 32, 64, and 128, for a total value of 255.
To consider only part of a binary IP string, you can use a mask similar to:
The gateway applies the masking values to the binary string from right to left. A value of 192 means that the mask considers the two leftmost positions of the third binary segment, 128 and 64, which total 192.
You can also use an alternate form of masking that expresses the mask as the number of binary bits (from left to right in the binary string) that the restriction must consider. Using the bit method, the mask value 255.255.255.0 becomes 24, or 3 decimal-separated, 8-bit segments.
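The masking rules above, worked through as an added example (this is not Gateway code, and the function names are hypothetical). It assumes the conventional comparison, in which an incoming address matches when it agrees with the filter IP on every bit the mask selects; all addresses and the 255.255.192.0 mask are constructed samples.

```python
import ipaddress

DEFAULT_MASK = "255.255.255.255"  # applied when an element defines no mask


def parse_mask(mask=None):
    """Return the mask as a 32-bit integer from dotted or bit-count form."""
    mask = DEFAULT_MASK if mask is None else str(mask).strip()
    if mask.isdigit():  # bit-count form, e.g. "24"
        bits = int(mask)
        if not 0 <= bits <= 32:
            raise ValueError(f"bit count out of range: {bits}")
        return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(mask))  # dotted form, e.g. "255.255.255.0"


def mask_bits(mask):
    """Convert a mask to its bit-count form, rejecting masks with gaps."""
    value = parse_mask(mask)
    bits = bin(value).count("1")
    # The bit-count form can only express an unbroken run of left-hand bits.
    if value != (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF:
        raise ValueError(f"mask {mask} has no bit-count equivalent")
    return bits


def matches(incoming, filter_ip, mask=None):
    """True when incoming and filter_ip agree on every bit the mask selects."""
    m = parse_mask(mask)
    src = int(ipaddress.IPv4Address(incoming))
    flt = int(ipaddress.IPv4Address(filter_ip))
    return (src & m) == (flt & m)


if __name__ == "__main__":
    # Constructed samples from the documentation address ranges.
    samples = [
        ("192.0.2.77", "192.0.2.0", "255.255.255.0"),     # first three segments tested
        ("192.0.2.77", "192.0.2.0", "24"),                # same mask, bit-count form
        ("192.0.2.77", "192.0.2.0", None),                # no mask: exact match required
        ("198.51.100.9", "198.51.64.0", "255.255.192.0"),  # 192 keeps bits 128 and 64
        ("198.51.128.9", "198.51.64.0", "255.255.192.0"),
    ]
    for src, flt, mask in samples:
        print(f"{src:>14} vs {flt}/{mask}: {matches(src, flt, mask)}")
```

Auditing each restriction's mask in bit-count form shows at a glance how wide an allow or deny range really is: every bit removed from the mask doubles the number of source addresses the element covers.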