Implicit masks are wildcard masks that the software assumes when an
access-list entry does not state one. They reduce typing and
simplify configuration. For example, if you permit one address, it is
implied that all others are denied, because every access list ends
with an unwritten deny any.
The main figure shows three examples of implicit masks. The first
line is an example of a specific host configuration. For standard
access lists, if no mask is specified, the wildcard mask is assumed to be
0.0.0.0, which means every bit of the address must match, so the entry
applies to exactly one host. (In a wildcard mask a 0 bit must match and a
1 bit is ignored, the inverse of a subnet mask.) The implicit host mask
makes it easier to enter a large number of individual addresses. When the
symbolic name any is used, the address 0.0.0.0 with the wildcard mask
255.255.255.255 is implied, which matches every address.
Common errors are found in the following other access-list lines:
- The second line --- Permit 0.0.0.0 would exactly match the
address 0.0.0.0 and permit only that. 0.0.0.0 is not a valid source
address for normal unicast traffic, so in practice no packet matches
this entry and the list prevents all traffic from getting
through (the implicit deny any).
- The third line --- Permit 131.108.0.0 is probably a
configuration error. The intention is probably 131.108.0.0
0.0.255.255, which matches every host whose first two octets are
131.108. Without the mask, the entry matches only the exact address
131.108.0.0, which is reserved to refer to the network and would never
be assigned to a host. Networks and subnets must be represented by
explicit masks. As a result, nothing would get through with this list,
again because of the implicit deny any.
When a packet does not match any of the configured lines in an
access list, the packet is denied by default because there is an
invisible statement at the end of the access list that is equivalent to
deny any. Denying any is the same as configuring deny 0.0.0.0
255.255.255.255, so the last two lines are not needed. Although not
necessary, you may still want to add one of these entries for documentation
purposes; an explicit final deny also appears in the running configuration
and in the output of show access-lists, where its match counter shows how
much traffic the list is dropping, which the invisible deny does not.
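The following is an added example, not code from the original page or from Cisco IOS. It is a small Python simulator of standard access-list matching that applies the implicit masks described above (a missing wildcard means 0.0.0.0, any means 0.0.0.0 255.255.255.255, and an unwritten deny any ends every list) and runs constructed lists through it to show why permit 131.108.0.0 without a mask blocks an entire network while permit 131.108.0.0 0.0.255.255 does not. The access lists and source addresses are constructed for the example; the function names are the example's own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def addr_to_int(addr: str) -> int:
    """Dotted-quad IPv4 address or wildcard mask to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def parse_entry(line: str):
    """Parse one 'access-list N {permit|deny} SRC [WILDCARD]' line.

    Returns (action, address, wildcard) with the implicit masks applied:
    a missing wildcard means 0.0.0.0 (exact host match) and the keyword
    'any' means address 0.0.0.0 with wildcard 255.255.255.255.
    """
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError(f"not a standard access-list entry: {line!r}")
    action = parts[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    if parts[3] == "any":
        return action, 0, ALL_ONES
    address = addr_to_int(parts[3])
    # Implicit host mask: no wildcard given means 0.0.0.0.
    wildcard = addr_to_int(parts[4]) if len(parts) > 4 else 0
    return action, address, wildcard


def matches(src: int, address: int, wildcard: int) -> bool:
    """Wildcard-mask comparison: a 1 bit in the wildcard is ignored,
    a 0 bit must match exactly."""
    care = ~wildcard & ALL_ONES
    return (src & care) == (address & care)


def evaluate(acl_lines, src: str) -> str:
    """First-match evaluation of a standard access list for source src."""
    s = addr_to_int(src)
    for line in acl_lines:
        action, address, wildcard = parse_entry(line)
        if matches(s, address, wildcard):
            return action
    return "deny"  # the invisible 'deny any' at the end of every list


def decisions(acl_lines, srcs):
    """Map each source address to the list's permit/deny decision."""
    return {src: evaluate(acl_lines, src) for src in srcs}


# Constructed sample lists (not the page's figure).
ACL_HOST = ["access-list 1 permit 192.0.2.10"]            # one host, implicit 0.0.0.0
ACL_ZERO = ["access-list 2 permit 0.0.0.0"]               # matches only 0.0.0.0 itself
ACL_MISTAKE = ["access-list 3 permit 131.108.0.0"]        # network address, no mask
ACL_INTENDED = ["access-list 4 permit 131.108.0.0 0.0.255.255"]
ACL_EXPLICIT_DENY = [
    "access-list 5 permit 131.108.0.0 0.0.255.255",
    "access-list 5 deny 0.0.0.0 255.255.255.255",         # same as the implicit deny any
]
SOURCES = ["192.0.2.10", "192.0.2.11", "131.108.0.0", "131.108.5.7", "0.0.0.0"]

if __name__ == "__main__":
    for name, acl in [("host", ACL_HOST), ("zero", ACL_ZERO),
                      ("mistake", ACL_MISTAKE), ("intended", ACL_INTENDED),
                      ("explicit deny", ACL_EXPLICIT_DENY)]:
        print(f"{name:14s}", decisions(acl, SOURCES))
```

Running it shows the mistaken list permitting only 131.108.0.0 and denying the real host 131.108.5.7, the intended list permitting 131.108.5.7, and the list with an explicit deny 0.0.0.0 255.255.255.255 making exactly the same decisions as the one that relies on the implicit deny.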