Some general properties of access lists

sumon_ahsan   Diamond Member   Posted on 2014-5-31 20:10:18   Latest reply: 2014-05-31 20:10:18

At this point, it is useful to note the similarities and differences between the standard access list and the extended access list. While an extended access list entry matches against two IP addresses as opposed to one IP address for the standard access list, both match each IP address against an IP address and wildcard mask combination in exactly the same way. Another syntactic difference is that masks of 0.0.0.0 are not optional with extended access lists. Remember that if a standard access list entry leaves the mask off an IP address, the router assumes a mask of 0.0.0.0, meaning match the address exactly. Even with the standard access list's use of an implied mask, IP address and mask matching is the same for both kinds of lists.

Another common feature of standard and extended access lists is that both have an implicit deny at the end. Thus we could have rewritten our access list 101 as:

access-list 101 permit tcp 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0 eq 80
access-list 101 permit tcp 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0 eq 443

The final access list entry that denied all other IP traffic to the web server is redundant.


IP address and wildcard mask matching and the implicit deny are common to all Cisco access list structures and are important concepts in understanding access lists. Other access list structures that we'll see later on use the same concepts.
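The two ideas this post rests on, wildcard-mask matching and the implicit deny, are easy to check by hand once they are written down as code. The following Python script is an added example, not part of the original post or of Cisco IOS: it parses the explicit address/mask syntax used above (standard lists 1-99 with an optional mask, extended lists 100-199 with mandatory masks and an optional "eq <port>"), applies Cisco's wildcard-mask rule bit by bit, and walks a list top-down, falling through to the implicit deny. Access list 101 is taken verbatim from the post; the standard list `ACL_1`, the explicit final deny line, and the sample packets are constructed for the example, and the `host`/`any` shorthands are deliberately not handled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(address: str, pattern: str, wildcard: str) -> bool:
    """Cisco wildcard-mask rule: a 0 bit in the wildcard means that bit of the
    address must equal the pattern bit; a 1 bit means "don't care". So 0.0.0.0
    is an exact match and 255.255.255.255 matches every address."""
    a = int(ipaddress.IPv4Address(address))
    p = int(ipaddress.IPv4Address(pattern))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF                 # bits the router actually compares
    return (a & care) == (p & care)


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" for standard entries (matches any protocol)
    src: str
    src_wild: str
    dst: Optional[str]          # None for a standard entry (no destination)
    dst_wild: Optional[str]
    dst_port: Optional[int]     # set only when the entry ends in "eq <port>"


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list <number> ...' line (explicit address/mask syntax only).
    Standard (1-99):    access-list 1 permit 10.1.1.0 0.0.0.255   or, mask omitted,
                        access-list 1 permit 10.1.1.1             -> 0.0.0.0 implied
    Extended (100-199): access-list 101 permit tcp <src> <wild> <dst> <wild> [eq <port>]
    """
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(tok[1]), tok[2]
    if 1 <= number <= 99:
        # Standard entry: the router assumes 0.0.0.0 when the mask is left off.
        src_wild = tok[4] if len(tok) > 4 else "0.0.0.0"
        return Entry(action, "ip", tok[3], src_wild, None, None, None)
    # Extended entry: masks are mandatory for both addresses.
    proto, src, src_wild, dst, dst_wild = tok[3:8]
    port = None
    if len(tok) > 8:
        if tok[8] != "eq" or len(tok) != 10:
            raise ValueError(f"unsupported port clause in: {line!r}")
        port = int(tok[9])
    return Entry(action, proto, src, src_wild, dst, dst_wild, port)


def evaluate(entries: List[Entry], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> str:
    """Return the action of the first entry that matches the packet.
    Falling off the end of the list is the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, e.src, e.src_wild):
            continue
        if e.dst is not None and not wildcard_match(dst, e.dst, e.dst_wild):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return "deny"                          # implicit deny at the end of every list


def decisions(entries: List[Entry], packets: List[Tuple]) -> List[str]:
    return [evaluate(entries, *pkt) for pkt in packets]


# Access list 101 exactly as written in the post.
ACL_101 = [parse_entry(l) for l in [
    "access-list 101 permit tcp 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0 eq 80",
    "access-list 101 permit tcp 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0 eq 443",
]]
# Same list plus an explicit final deny (constructed line) that the post calls redundant.
ACL_101_EXPLICIT_DENY = ACL_101 + [
    parse_entry("access-list 101 deny ip 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0")]
# Constructed standard list: the first entry relies on the implied 0.0.0.0 mask.
ACL_1 = [parse_entry(l) for l in [
    "access-list 1 permit 192.168.35.1",
    "access-list 1 deny 192.168.35.0 0.0.0.255",
    "access-list 1 permit 10.0.0.0 0.255.255.255",
]]
# Constructed sample packets: (protocol, source, destination, destination port).
PACKETS = [
    ("tcp", "10.1.1.5", "192.168.35.1", 80),    # web: permitted by entry 1
    ("tcp", "10.1.1.5", "192.168.35.1", 443),   # https: permitted by entry 2
    ("tcp", "10.1.1.5", "192.168.35.1", 22),    # ssh: implicit deny
    ("udp", "10.1.1.5", "192.168.35.1", 80),    # wrong protocol: implicit deny
    ("tcp", "10.1.1.5", "192.168.35.2", 80),    # other host: implicit deny
]

if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, decisions(ACL_101, PACKETS)):
        print(pkt, "->", verdict)
    print("explicit final deny changes nothing:",
          decisions(ACL_101, PACKETS) == decisions(ACL_101_EXPLICIT_DENY, PACKETS))
```

Running the script shows the three non-web packets falling through to the implicit deny, and that appending the explicit deny entry produces exactly the same verdicts for every packet, which is why the post calls it redundant. The `care` mask in `wildcard_match` is the whole matching rule; the standard and extended code paths differ only in how many address/mask pairs they feed to it.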
