
ACE Entry format for a loopback Address

Drew15
Level 1

Hello,

I'm trying to make an ACE in an extended ACL for my loopback address and also for my management VLAN.

I'm creating an ACE for an access list that when applied will be 'in'.

I'm not sure of the formatting. This is what I wrote (see below). Is this proper formatting or should it be modified?

Loopback IP is:  20.200.255.251

permit any host 20.200.255.251 << (loopback address) >> 20.200.255.251

 

Management VLAN IP:  20.200.254.0 255.255.255.0

permit any host 20.200.254.0 0.0.255 (can't figure out this next part.)

Thank you.


7 Replies

An ACL in the IN direction does not affect traffic directed to the interface itself;
it affects traffic that passes through this interface.

Thank you. I think I understand. There is no need to address a loopback address or VLAN IP space since they will not be going out the port I will be applying the access list to. Is my understanding correct?

If you mean that the ACL to deny the VLAN IP is not needed when the ACL is configured under the same VLAN, then yes, it has no effect at all.
Instead, check from where this packet enters the switch and apply the ACL on that interface, not under the VLAN interface.

I am glad that our suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

Joseph W. Doherty
Hall of Fame

Unclear exactly what you're trying to accomplish.

Possibly part of your confusion might be due to using "host", which is a descriptive way to provide a mask of 0.0.0.0. Also, "any" is a descriptive way for a mask of 255.255.255.255, where the IP can be any number, usually shown as IP 0.0.0.0.

I.e. host 1.1.1.1 same as 1.1.1.1 0.0.0.0

and 

Any same as #.#.#.# 255.255.255.255

Lastly, if you can clarify what you want to accomplish between your loopback interface and your VLAN network, I might be able to help further.

The syntax of this is correct, but whether "any" should be first or second depends on how the acl is applied.

permit any host 20.200.255.251

The syntax of this is not correct. You cannot specify both "host" and 0.0.0.255. And in this case, since you are referencing a subnet, you should not use host.

permit any host 20.200.254.0 0.0.255

HTH

Rick

Just to clarify what Rick describes,

permit any host 20.200.254.0 0.0.255

is still incorrect (syntax). It might be like:

Or 

permit ip host 20.200.255.251 20.200.254.0 0.0.255

Or 

permit ip any 20.200.254.0 0.0.255

NB, above shows correct syntax, correct ACE depends on what you're trying to do and also what interface it's applied on and whether in or out.

PS, edit: NB: I believe I "misread/misunderstood" Rick's post (my bad). I believe he intended the reader to understand he's saying "permit any host 20.200.255.251" is correct syntax usage (and it is, except for the missing kind of packets [protocol, e.g. "IP", "TCP", etc. after permit]) and that "permit ip any host 20.200.255.251" is incorrect syntax usage (ditto missing kind of protocol parameter). (My apologies to both @Richard Burts and anyone else I may have confused! Rick certainly knows the correct syntax for what he is describing.)
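As an added example, not code from this thread or from Cisco: a small Python parser that applies the rules Rick and Joseph describe above. It treats "host A" as "A 0.0.0.0" and "any" as "0.0.0.0 255.255.255.255", requires a protocol keyword after permit/deny, and rejects "host" combined with a wildcard; it also flags the three-octet "0.0.255" used above, since a wildcard needs four octets (the small protocol set and the exact error wording are assumptions of this example).

```python
import ipaddress

# Added example (not from the thread): parse a Cisco-style extended ACE. "host A"
# is "A 0.0.0.0", "any" is "0.0.0.0 255.255.255.255", a protocol keyword is required.
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}  # assumption: a reduced protocol set

def _is_ipv4(tok):
    try:
        return ipaddress.IPv4Address(tok) is not None  # rejects "0.0.255" etc.
    except ValueError:
        return False

def _take_address(tokens):
    """Pop one address spec from tokens; return (network, wildcard) strings."""
    if not tokens:
        raise ValueError("missing address")
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        if not tokens or not _is_ipv4(tokens[0]):
            raise ValueError("'host' must be followed by one IPv4 address")
        return tokens.pop(0), "0.0.0.0"
    if not _is_ipv4(tok) or not tokens or not _is_ipv4(tokens[0]):
        raise ValueError(f"'{tok}' needs a four-octet wildcard mask (or use 'host')")
    return tok, tokens.pop(0)

def normalize_ace(ace):
    """Return (action, proto, src, src_wc, dst, dst_wc); raise ValueError if malformed."""
    tokens = ace.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError("ACE must start with permit or deny")
    if tokens[1] not in PROTOCOLS:
        raise ValueError(f"expected a protocol keyword after {tokens[0]}, got '{tokens[1]}'")
    rest = tokens[2:]
    src, src_wc = _take_address(rest)
    dst, dst_wc = _take_address(rest)
    # A leftover IPv4 token after "host X" is the "host + wildcard" mistake from the thread.
    if rest and dst_wc == "0.0.0.0" and _is_ipv4(rest[0]):
        raise ValueError("'host' cannot be combined with a wildcard mask")
    if rest:
        raise ValueError(f"unexpected trailing tokens: {' '.join(rest)}")
    return tokens[0], tokens[1], src, src_wc, dst, dst_wc

def ace_error(ace):
    """Return the parser's error message for a malformed ACE, or None if it parses."""
    try:
        normalize_ace(ace)
        return None
    except ValueError as exc:
        return str(exc)
```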