Both standard and extended IP access lists use a wildcard mask. Like an IP address, a wildcard mask is a 32-bit quantity written in dotted-decimal format. Address bits corresponding to wildcard mask bits set to 1 are ignored in comparisons; address bits corresponding to wildcard mask bits set to 0 are used in comparisons. This is the reverse of how a subnet mask is interpreted, and may feel backwards at first (see the main figure).

An alternative way to think of the wildcard mask is as follows:

- If a 0 bit appears in the mask, the corresponding bit in the access-list address and in the packet address must match (either both 0 or both 1).
- If a 1 bit appears in the mask, the corresponding bit in the packet address matches whether it is 0 or 1, and the corresponding bit in the access-list address is ignored. For this reason, 1 bits in the mask are sometimes called "don't care" bits.

Since an access list is a sequential list of "access-list" entries rather than a single entry, it can contain any number of address and wildcard mask pairs. Remember that the order of the access-list statements matters, because processing stops at the first entry that matches.
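The following is an added worked example, not code from the original page. It implements the wildcard comparison described above (mask bit 0 means "must match", mask bit 1 means "don't care") and a first-match walk over a sequential list of entries, so the effect of statement order can be seen directly. The access-list entries and packet addresses are constructed sample values; the trailing "deny" when no entry matches reflects the implicit deny at the end of a Cisco IOS access list, which is standard behaviour but not stated on this page.

```python
import ipaddress
from typing import List, NamedTuple


class AclEntry(NamedTuple):
    """One access-list statement: action, address, and wildcard mask (all sample values)."""
    action: str     # "permit" or "deny"
    address: str    # dotted-decimal address written in the access-list statement
    wildcard: str   # dotted-decimal wildcard mask


def to_int(dotted: str) -> int:
    """Convert a dotted-decimal IPv4 string to its 32-bit integer value."""
    return int(ipaddress.IPv4Address(dotted))


def subnet_mask_to_wildcard(subnet_mask: str) -> str:
    """A wildcard mask is the bitwise inverse of the corresponding subnet mask."""
    return str(ipaddress.IPv4Address(~to_int(subnet_mask) & 0xFFFFFFFF))


def wildcard_match(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """True if the packet address agrees with the access-list address on every
    bit where the wildcard mask is 0; bits where the mask is 1 are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF          # 1 where the wildcard bit is 0
    return (to_int(packet_addr) & care) == (to_int(acl_addr) & care)


def evaluate(acl: List[AclEntry], packet_addr: str) -> str:
    """Walk the entries in order and return the action of the first match.
    Processing stops at the first match; if nothing matches, the packet is
    denied (implicit deny, assumed Cisco IOS behaviour)."""
    for entry in acl:
        if wildcard_match(packet_addr, entry.address, entry.wildcard):
            return entry.action
    return "deny"


# Constructed sample access list: a host-specific deny placed before a
# broader permit for the same /24, plus a permit for a /8.
SAMPLE_ACL = [
    AclEntry("deny",   "192.168.1.5", "0.0.0.0"),       # exactly one host
    AclEntry("permit", "192.168.1.0", "0.0.0.255"),     # 192.168.1.0/24
    AclEntry("permit", "10.0.0.0",    "0.255.255.255"), # 10.0.0.0/8
]


def order_demo(packet_addr: str = "192.168.1.5") -> dict:
    """Show that the same statements in a different order give a different result."""
    reversed_acl = list(reversed(SAMPLE_ACL))
    return {
        "as_written": evaluate(SAMPLE_ACL, packet_addr),
        "reversed":   evaluate(reversed_acl, packet_addr),
    }


if __name__ == "__main__":
    print(subnet_mask_to_wildcard("255.255.255.0"))   # 0.0.0.255
    for ip in ("192.168.1.5", "192.168.1.77", "10.3.4.5", "172.16.0.1"):
        print(ip, "->", evaluate(SAMPLE_ACL, ip))
    print(order_demo())
```

A non-contiguous mask such as `0.0.0.254` works the same way: only the lowest bit is a "care" bit, so the entry matches every even host address in the block, which is a useful way to check that a mask means what you expect before it is applied.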