10.2 Configuring IP Standard Access Lists
10.2.6 Implicit masks
Implicit masks are masks that the router assumes when an access-list entry does not state one. They reduce typing and simplify configuration. For example, if you permit one address, it is implied that you deny all others.

The main figure shows three examples of implicit masks. The first line is an example of a specific host configuration. For standard access lists, if no mask is specified, the mask is assumed to be 0.0.0.0. The implicit mask makes it easier to enter a large number of individual addresses. When the symbolic name any is used, the mask 255.255.255.255 is implied.

The other access-list lines illustrate common errors:

  • The second line: permit 0.0.0.0 would exactly match the address 0.0.0.0 and then permit it. In most cases, this address is illegal, so this list would prevent all traffic from getting through (the implicit deny any).
  • The third line: permit 131.108.0.0 is probably a configuration error. The intention is probably 131.108.0.0 0.0.255.255. The exact address, 131.108.0.0, is reserved to refer to the network and would never be assigned to a host. Networks and subnets are represented by explicit masks. As a result, nothing would get through with this list, again because of the implicit deny any.

When a packet does not match any of the configured lines in an access list, the packet is denied by default because there is an invisible statement at the end of the access list that is equivalent to deny any. Denying any is the same as configuring 0.0.0.0 255.255.255.255, so the last two lines are not needed. Although not necessary, you may still want to add one of these entries for documentation purposes.
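
The following sketch is an added example, not part of the original page and not Cisco code. It models how a standard access list is evaluated so the effect of the implicit mask and the implicit deny any can be checked before a list is applied. The function names and the test host 131.108.5.17 are constructed for illustration.

```python
import ipaddress

ALL_BITS = 0xFFFFFFFF

def _ip(text):
    """Convert a dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))

def parse_entry(line):
    """Parse 'permit|deny <address> [wildcard-mask]' or 'permit|deny any'."""
    action, *rest = line.split()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {line!r}")
    if rest == ["any"]:
        # 'any' implies address 0.0.0.0 with mask 255.255.255.255
        return action, 0, ALL_BITS
    if len(rest) == 1:
        # No mask given: the implicit mask 0.0.0.0 (exact host match)
        return action, _ip(rest[0]), 0
    if len(rest) == 2:
        return action, _ip(rest[0]), _ip(rest[1])
    raise ValueError(f"malformed entry: {line!r}")

def evaluate(acl_lines, source):
    """Return (action, matching line number); first match wins.

    A line number of None means no configured line matched and the
    invisible 'deny any' at the end of the list decided the result.
    """
    src = _ip(source)
    for number, line in enumerate(acl_lines, 1):
        action, addr, wildcard = parse_entry(line)
        care = ~wildcard & ALL_BITS  # bits set to 0 in the mask must match
        if (src & care) == (addr & care):
            return action, number
    return "deny", None

# Constructed lists: the probable typo from the text beside the intended entry.
MISTYPED = ["permit 131.108.0.0"]
INTENDED = ["permit 131.108.0.0 0.0.255.255"]

if __name__ == "__main__":
    host = "131.108.5.17"  # constructed host inside 131.108.0.0/16
    for name, acl in (("mistyped", MISTYPED), ("intended", INTENDED)):
        action, line_no = evaluate(acl, host)
        matched = f"line {line_no}" if line_no else "implicit deny any"
        print(f"{name}: {host} -> {action} ({matched})")
```

A result whose line number is None is the signal to look for a missing mask: the packet fell through every configured line.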