diff --git a/security/access_control.rst b/security/access_control.rst index 2bbedd6781b..1f9bd15eacc 100644 --- a/security/access_control.rst +++ b/security/access_control.rst @@ -23,7 +23,7 @@ access control should be used on this request. The following ``access_control`` options are used for matching: * ``path`` -* ``ip`` or ``ips`` +* ``ip`` or ``ips`` (netmask is supported) * ``host`` * ``methods`` @@ -176,7 +176,7 @@ pattern so that it is only accessible by requests from the local server itself: # ... access_control: # - - { path: ^/internal, roles: IS_AUTHENTICATED_ANONYMOUSLY, ips: [127.0.0.1, ::1] } + - { path: ^/internal, roles: IS_AUTHENTICATED_ANONYMOUSLY, ips: [127.0.0.1, ::1, 192.168.0.1/24] } - { path: ^/internal, roles: ROLE_NO_ACCESS } .. code-block:: xml @@ -193,7 +193,7 @@ pattern so that it is only accessible by requests from the local server itself: @@ -209,7 +209,7 @@ pattern so that it is only accessible by requests from the local server itself: array( 'path' => '^/internal', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY', - 'ips' => '127.0.0.1, ::1', + 'ips' => '127.0.0.1, ::1, 192.168.0.1/24', ), array( 'path' => '^/internal', @@ -239,6 +239,8 @@ address): * The second access rule is not examined as the first rule matched. +IP netmask is supported. You can write ``ip`` or ``ips`` with ``192.168.0.1/24`` or ``192.168.0.1/32``. + .. _security-allow-if: Securing by an Expression
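Review bot: in the options list at @@ -23,7, "(netmask is supported)" does not tell the reader which form to write. The only form shown anywhere in this patch is prefix-length notation (``192.168.0.1/24``), not a dotted mask. Suggest wording it along the lines of "(a subnet such as ``192.168.0.1/24`` is accepted)" so the option list matches the examples.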
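Review bot: the YAML example at @@ -176,7 now contradicts the sentence that introduces it. The context line says the pattern is "only accessible by requests from the local server itself", but adding ``192.168.0.1/24`` to ``ips`` admits every host in that /24 subnet, not just loopback. Either leave this rule as ``ips: [127.0.0.1, ::1]`` and show the subnet form in a separate example, or update the introductory sentence to say the local network is also allowed. If the entry stays, writing the network address (``192.168.0.0/24``) makes it more obvious that a range is meant rather than one host.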
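Review bot: in the PHP example at @@ -209,7, the changed line keeps ``'ips'`` as one comma-separated string (``'127.0.0.1, ::1, 192.168.0.1/24'``) while the YAML example passes a list. Please confirm the string form is split so the subnet is matched as its own entry, or switch this example to an array so the two formats agree. The point about widening a "local server itself" rule to a whole subnet applies here as well.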
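Review bot: the paragraph added at @@ -239,6 says a netmask is supported but not what it matches, and it sits directly after the rule walk-through bullets, where it reads as part of that walk-through. Suggest stating that ``/24`` matches the whole 192.168.0.0 to 192.168.0.255 range and ``/32`` a single address, and moving the sentence up to where the ``ip`` and ``ips`` options are described. The walk-through above it also has no case for a request arriving from the newly added subnet entry, so the example and its explanation are out of step.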