462 Chapter 7: Understanding Access List Security
The two diamond-shaped symbols in Figure 7-2 represent the application of the logic of an access list. That logic can be summarized as follows:
Step 1 The matching parameters of the first access list statement are compared to the packet.
Step 2 If a match is made, the action defined in this access list statement (permit or deny) is performed, as shown in Figure 7-2.
Step 3 If a match is not made in Step 2, then Steps 1 and 2 are repeated using the next sequential access list statement.
Step 4 If no match is made with any entry in the access list, the deny action is performed.
The logic for access lists is the same whether using standard or extended access lists; the only difference between the two types is in what constitutes a match. The following sections on standard IP access lists, extended IP access lists, and named IP access lists outline these differences.
Standard IP Access Lists
Standard access lists can match only by examining the source IP address field in the packet's IP header. Any bit positions in the 32-bit source IP address can be compared to the access list statements; for example, a subnet number can be checked. However, the matching is flexible and does not consider the subnet mask in use; it is just a math problem!
A wildcard mask defines the subset of the 32 bits in the IP address that must be matched. As a CCNA, you will be required to fully understand the use of the wildcard mask to match a subset of an IP address. Matching is performed by comparing an access-list command address parameter and the packet's source IP address. Mask bits of value binary 0 imply that the same bit positions must be compared in the two IP addresses. Mask bits of value binary 1 are wildcards; the corresponding bit positions in the addresses are considered to match, regardless of values. In other words, binary 1s mean that these bit positions already match, hence the name wildcard.
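The following is an added worked example, not code from the book or from Cisco IOS, that implements both pieces of logic described above: the bitwise wildcard-mask comparison of a packet's source address against an access-list command's address parameter, and the top-to-bottom, first-match-wins evaluation of Steps 1 through 4 with the implicit deny at the end. The function names (wildcard_match, evaluate_standard_acl) and the three-line access list are constructed for illustration; the last check also shows that a non-contiguous wildcard mask such as 0.0.0.254 is accepted by the math even though it corresponds to no subnet mask.

```python
import ipaddress
from typing import List, NamedTuple


class AclEntry(NamedTuple):
    """One standard access-list statement (constructed for this example)."""
    action: str    # "permit" or "deny"
    address: str   # address parameter of the access-list command
    wildcard: str  # wildcard mask: 0 bits must match, 1 bits are "don't care"


def to_int(dotted: str) -> int:
    """Convert a dotted-decimal IPv4 string to its 32-bit integer value."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_src: str, acl_address: str, wildcard: str) -> bool:
    """Return True if packet_src matches acl_address under the wildcard mask.

    XOR leaves a 1 in every bit position where the two addresses differ.
    Inverting the wildcard gives the "care" bits (wildcard 0 -> must match).
    If no differing bit is also a care bit, the addresses match.
    """
    differing = to_int(packet_src) ^ to_int(acl_address)
    care_bits = 0xFFFFFFFF ^ to_int(wildcard)
    return (differing & care_bits) == 0


def evaluate_standard_acl(entries: List[AclEntry], packet_src: str) -> str:
    """Apply the Figure 7-2 logic: statements are tried in order (Steps 1-3),
    the first match decides the action (Step 2), and a packet that matches
    no statement is denied (Step 4, the implicit deny)."""
    for entry in entries:
        if wildcard_match(packet_src, entry.address, entry.wildcard):
            return entry.action
    return "deny"


# Constructed sample access list (not from the book), equivalent to:
#   access-list 1 deny   10.1.1.0   0.0.0.255
#   access-list 1 permit 10.1.0.0   0.0.255.255
#   access-list 1 permit 172.16.3.1 0.0.0.0      (matches one host only)
SAMPLE_ACL = [
    AclEntry("deny", "10.1.1.0", "0.0.0.255"),
    AclEntry("permit", "10.1.0.0", "0.0.255.255"),
    AclEntry("permit", "172.16.3.1", "0.0.0.0"),
]

if __name__ == "__main__":
    for src in ["10.1.1.7", "10.1.2.9", "172.16.3.1", "172.16.3.2", "192.168.1.1"]:
        print(f"{src:<12} -> {evaluate_standard_acl(SAMPLE_ACL, src)}")
    # A wildcard of 0.0.0.254 cares only about the lowest bit, so it matches
    # every odd host in 10.1.1.0/24; there is no subnet mask that does this.
    print("10.1.1.3 vs 10.1.1.1/0.0.0.254 ->", wildcard_match("10.1.1.3", "10.1.1.1", "0.0.0.254"))
    print("10.1.1.4 vs 10.1.1.1/0.0.0.254 ->", wildcard_match("10.1.1.4", "10.1.1.1", "0.0.0.254"))
```

Note that the order of the statements matters: 10.1.1.7 matches the first statement and is denied even though it would also match the second, permitting statement. When a change to an access list produces an unexpected permit or deny, walking the packet's source address through the statements in this order, with this arithmetic, is the fastest way to find which statement actually matched.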
Table 7-4 shows several examples of masks, packet source addresses, and addresses in access-list commands.
ch07.fm Page 462 Monday, March 20, 2000 5:14 PM