ACL conundrum

Is anyone able to tell me what the functional difference between the following three commands is:

ip access-list 1 permit 192.168.1.1

ip access-list 1 permit host 192.168.1.1

ip access-list 1 permit 192.168.1.1 0.0.0.0

From what I can tell the answer is none.

For example from GNS3 it appears the running config takes them all the same:

R1(config)#access-list 1 permit host 192.168.1.1

R1(config)#access-list 2 permit 192.168.1.1

R1(config)#access-list 3 permit 192.168.1.1 0.0.0.0

R1(config)#^Z

*Mar  1 00:39:42.199: %SYS-5-CONFIG_I: Configured from console by console

R1#sh access-lists

Standard IP access list 1

    10 permit 192.168.1.1

Standard IP access list 2

    10 permit 192.168.1.1

Standard IP access list 3

    10 permit 192.168.1.1

R1#

So I have to ask:

> Is this correct? Are all three commands equivalent?

> If that is so, why bother with the host keyword?

> I thought that if you left the wildcard mask and host keyword out the standard ACL would assume a classful wildcard mask....

--
Network Engineer
CCIE SP #69245
Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello Steven,

Your understanding is correct: the host keyword is equivalent to wildcard mask 0.0.0.0.

A missing wildcard mask is treated as 0.0.0.0. This is stated in the IOS command reference:

> To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeros. Thus, the following two configuration commands are identical in effect:
>
> access-list 2 permit 10.48.0.3
> access-list 2 permit 10.48.0.3 0.0.0.0

see

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-DABF67E7-0E0F-4AD2-B5E7-F19B03CE8250

So the end result is that the three forms of writing the ACL statement are equivalent, as your tests show.

Hope to help

Giuseppe
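As an added illustration (not code from the thread, from Cisco, or from IOS), here is a small Python model of the standard-ACL matching rule Giuseppe describes: the three spellings from the question normalise to the same address/wildcard pair, and a bare address is treated as wildcard 0.0.0.0 rather than as a classful mask, so it matches one host only. The regex, function names and sample addresses are my own assumptions for the example.

```python
import ipaddress
import re

# Added example, not code from the thread or from Cisco: parse the three
# spellings of a standard ACL entry and evaluate them with wildcard semantics.
ENTRY_RE = re.compile(
    r"^(?:ip\s+)?access-list\s+(\d+)\s+(permit|deny)\s+"
    r"(?:host\s+(\S+)|(\S+)(?:\s+(\S+))?)$"
)

def parse_entry(line):
    """Return (acl_number, action, address_int, wildcard_int) for one entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a standard ACL entry: {line!r}")
    acl, action, host_addr, addr, wildcard = m.groups()
    if host_addr is not None:      # 'host A.B.C.D' is shorthand for wildcard 0.0.0.0
        addr, wildcard = host_addr, "0.0.0.0"
    elif addr == "any":            # 'any' is shorthand for 0.0.0.0 255.255.255.255
        addr, wildcard = "0.0.0.0", "255.255.255.255"
    elif wildcard is None:         # bare address: IOS assumes 0.0.0.0, not a classful mask
        wildcard = "0.0.0.0"
    return (int(acl), action,
            int(ipaddress.IPv4Address(addr)),
            int(ipaddress.IPv4Address(wildcard)))

def matches(entry, ip):
    """Wildcard rule: a 1 bit in the wildcard means 'don't care' for that bit."""
    _, _, addr, wildcard = entry
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(entries, ip):
    """First matching entry decides; a standard ACL ends with an implicit deny."""
    for entry in entries:
        if matches(entry, ip):
            return entry[1]
    return "deny"

# The three forms from the question (constructed input for this example).
THREAD_FORMS = [
    "ip access-list 1 permit 192.168.1.1",
    "ip access-list 1 permit host 192.168.1.1",
    "ip access-list 1 permit 192.168.1.1 0.0.0.0",
]

def all_equivalent(lines):
    """True when every spelling normalises to the same (address, wildcard) pair."""
    return len({parse_entry(l)[2:] for l in lines}) == 1
```

Feeding `evaluate` the bare form with a source like 192.168.1.200 returns "deny", which is the practical check that no classful /24 is implied; only an explicit wildcard such as 0.0.0.255 widens the match.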


That's what I thought. Thanks

--
Network Engineer
CCIE SP #69245