Some general properties of access lists

sumon_ahsan  Diamond  (1)
6 years 7 months ago  View: 1096  Reply: 0

At this point, it is useful to note the similarities and differences between the standard access list and the extended access list. While an extended access list entry matches against two IP addresses as opposed to one IP address for the standard access list, both match each IP address against an IP address and wildcard mask combination in exactly the same way. Another syntactic difference is that masks of are not optional with extended access lists. Remember that a router assumes a mask of, meaning to match the address exactly if a standard access list entry leaves off a mask from an IP address. Even with the standard access list use of an implied mask, IP address and mask matching is the same for both kinds of lists.

Another common feature of standard and extended access lists is that both have an implicit deny at the end. Thus we could have rewritten our access list 101 as:

access-list 101 permit tcp eq 80

access-list 101 permit tcp eq 443

The final access list entry that denied all other IP traffic to the web server is redundant.

IP address and wildcard mask matching and the implicit deny are common to all Cisco access list structures and are important concepts in understanding access lists. Other access list structures that we'll see later on use the same concepts.
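
The following is an added example, not part of the original post or of any Cisco code: a small Python model of wildcard mask matching and first-match evaluation, used to check that a trailing explicit deny changes nothing once the implicit deny is taken into account. The addresses are constructed documentation-range values, and the "any" source and "host" destination in the entries are assumptions, since the entries above do not show their addresses.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco-style match: wildcard bits set to 1 are ignored, 0 bits must be equal."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

ANY = ("0.0.0.0", "255.255.255.255")  # expansion of the "any" keyword

def host(ip):
    """Expansion of "host <ip>": a wildcard of all zero bits, i.e. exact match."""
    return (ip, "0.0.0.0")

def evaluate(acl, proto, src, dst, dport):
    """Return the action of the first matching entry, else the implicit deny."""
    for action, e_proto, e_src, e_dst, e_port in acl:
        if e_proto not in ("ip", proto):
            continue
        if not wildcard_match(src, *e_src) or not wildcard_match(dst, *e_dst):
            continue
        if e_port is not None and e_port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every access list

WEB = "192.0.2.10"  # constructed web server address (assumption)

# Two-entry form: relies on the implicit deny.
ACL_SHORT = [
    ("permit", "tcp", ANY, host(WEB), 80),
    ("permit", "tcp", ANY, host(WEB), 443),
]
# Same list with an explicit final deny of all other IP traffic to the server.
ACL_LONG = ACL_SHORT + [("deny", "ip", ANY, host(WEB), None)]

# Constructed sample packets: (protocol, source, destination, destination port)
PACKETS = [
    ("tcp", "198.51.100.7", WEB, 80),
    ("tcp", "198.51.100.7", WEB, 443),
    ("tcp", "198.51.100.7", WEB, 22),
    ("udp", "203.0.113.9", WEB, 53),
    ("tcp", "198.51.100.7", "192.0.2.99", 80),
]

def compare():
    """Evaluate every sample packet against both lists."""
    return [(evaluate(ACL_SHORT, *p), evaluate(ACL_LONG, *p)) for p in PACKETS]

if __name__ == "__main__":
    for packet, result in zip(PACKETS, compare()):
        print(packet, result)
```

Both lists give the same verdict for every packet, which is why the explicit deny can be dropped; the explicit form is still useful on a router when you want hit counters or logging on the denied traffic.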