4068 Views, 0 Helpful, 6 Replies

What is the difference between access-list 100 permit ip host 20.1.1.0 host 255.255.255.0 and a normal one?

yangfrank
Level 1

Dear All,

I noticed someone used the command access-list 100 permit ip host 20.1.1.0 host 255.255.255.0. So what is the difference between it and a normal one such as

access-list 100 permit ip 20.1.1.0 0.0.0.255 ? Thank you

6 Replies

Roberto Kippins
Level 1

Hi, access-lists that are numbered from 100 - 199 are extended access-lists, meaning that you need to specify a source and destination along with the protocol type, in this case ip, which means permit everything. If you use the access-list 100 permit ip host command you need to specify a single host IP and not an entire subnet. This means if you enter:

access-list 100 permit ip host 20.1.1.0 host 255.255.255.0

the router will take the command but it will not match anything, the correct syntax should be:

access-list 100 permit ip host 192.168.1.1 20.1.1.0 0.0.0.255

192.168.1.1 is just an example of a host IP. Also note that you can have two host statements in the same access-list that match traffic between two hosts instead of a subnet, like this:

access-list 100 permit ip host 192.168.1.1 host 20.1.1.1

The host keyword specifies a single IP address and thus eliminates the need for a wildcard mask. Hope this helps.

 

Hi, thanks for your reply. Sorry, I missed some words. I have repeated my question and highlighted the words missing from the above question as follows:

"I noticed someone used the command access-list 100 permit ip host 20.1.1.0 host 255.255.255.0. So what is the difference between it and a normal one such as

access-list 100 permit ip 20.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255 ? Thank you"

Usually, we use two ways to express this kind of case: one is for a host, the other is for a subnet, as you mentioned above.

But the syntax I mentioned above is a special one, which matches a specific subnet. So it does not mean what you mentioned.

 

 

Hi, the router will take the command:

access-list 100 permit ip host 20.1.1.0 host 255.255.255.0

but if applied it will not match anything.

It was tested by someone. It is useful and meaningful. I do not know it very well yet. That is why I posted here.

It depends on what you are using the acl for.

The example you posted in your original post is used for route filtering where the prefix and subnet mask part of the acl take on a different meaning than if you were using it in an acl to control access between subnets.

What happens is the source part of the acl is used to match the route prefix and the destination part of the acl is used to match the subnet mask of the prefix.

So your example -

access-list 100 permit ip host 20.1.1.0 host 255.255.255.0

The source IP host (20.1.1.0) is compared to the prefix of the route and the destination (255.255.255.0) is compared to the subnet mask of the route.

It's just another use for ACLs, and they have different meanings depending on what they are used for.

Personally I have never used them like that. I tend to use prefix lists when doing route filtering.

Jon
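To make the two readings in this thread concrete, here is an added example (not code from the thread or from Cisco) that evaluates one extended ACE both ways: as an interface packet filter, where Roberto's point applies, and as a distribute-list route filter, where Jon's point applies. It assumes the IOS wildcard-mask rule (a 0 bit must match, a 1 bit is "don't care") and, for the route-filter reading, that the source field is compared to a route's network address and the destination field to its subnet mask, exactly as Jon describes. The parser only handles the `access-list <100-199> permit|deny ip <src> <dst>` form used in the thread; `Ace`, `parse_ace`, `matches_packet` and `matches_route` are names chosen for this example.

```python
"""Two readings of one Cisco extended ACE: packet filter vs. route filter.

Added example, not from the thread.  Assumes the IOS wildcard-mask rule
(0 bit = must match, 1 bit = don't care) and the distribute-list rule
described in the thread: source field vs. route network address,
destination field vs. route subnet mask.
"""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: int      # source address as a 32-bit integer
    src_wc: int   # source wildcard mask
    dst: int      # destination address
    dst_wc: int   # destination wildcard mask


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _take_address(tokens, i):
    """Consume one address spec at tokens[i]: 'host A', 'any' or 'A WILDCARD'."""
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2          # host = wildcard 0.0.0.0
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1                    # any = 0.0.0.0 255.255.255.255
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <100-199> permit|deny ip <src> <dst>' (the subset used in the thread)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    if not 100 <= int(tokens[1]) <= 199:
        raise ValueError("only numbered extended ACLs (100-199) are handled here")
    if tokens[2] not in ("permit", "deny"):
        raise ValueError(f"bad action: {tokens[2]}")
    src, src_wc, i = _take_address(tokens, 4)
    dst, dst_wc, i = _take_address(tokens, i)
    if i != len(tokens):
        raise ValueError(f"trailing tokens in ACE: {tokens[i:]}")
    return Ace(tokens[2], src, src_wc, dst, dst_wc)


def _wildcard_match(value: int, addr: int, wildcard: int) -> bool:
    # Bits set in the wildcard are ignored; the remaining bits must be equal.
    care = ~wildcard & ALL_ONES
    return value & care == addr & care


def matches_packet(ace: Ace, src_ip: str, dst_ip: str) -> bool:
    """Interface-ACL reading: compare a packet's source and destination addresses."""
    return (_wildcard_match(_ip(src_ip), ace.src, ace.src_wc)
            and _wildcard_match(_ip(dst_ip), ace.dst, ace.dst_wc))


def matches_route(ace: Ace, prefix: str) -> bool:
    """distribute-list reading: source field vs. network address, destination field vs. netmask."""
    net = ipaddress.IPv4Network(prefix)
    return (_wildcard_match(int(net.network_address), ace.src, ace.src_wc)
            and _wildcard_match(int(net.netmask), ace.dst, ace.dst_wc))


# The two ACEs discussed in the thread.
ROUTE_FILTER_ACE = parse_ace("access-list 100 permit ip host 20.1.1.0 host 255.255.255.0")
SUBNET_TO_SUBNET_ACE = parse_ace("access-list 100 permit ip 20.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255")

if __name__ == "__main__":
    # As a packet filter the host/host line matches only a src of exactly
    # 20.1.1.0 sent to exactly 255.255.255.0, so real traffic never hits it.
    print(matches_packet(ROUTE_FILTER_ACE, "20.1.1.7", "30.1.1.9"))      # False
    print(matches_packet(SUBNET_TO_SUBNET_ACE, "20.1.1.7", "30.1.1.9"))  # True
    # As a route filter it matches the prefix 20.1.1.0/24 and no other mask.
    print(matches_route(ROUTE_FILTER_ACE, "20.1.1.0/24"))                # True
    print(matches_route(ROUTE_FILTER_ACE, "20.1.1.0/25"))                # False
    # The subnet-to-subnet line, read as a route filter, wants a *mask* of
    # 30.1.1.x, which no real route has, so it matches nothing there.
    print(matches_route(SUBNET_TO_SUBNET_ACE, "20.1.1.0/24"))            # False
```

The point the two runs make is the one Jon raises: the same line is a useful route filter and a useless packet filter, so an ACL only has a meaning once you know where it is applied. Note also that the route-filter reading is strict about the mask, which is why 20.1.1.0/25 does not match.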

So functionally, does it have any difference from access-list 1 permit 20.1.1.0 0.0.0.255?
