ACL Q

mogoodheart
Level 1

Hello experts,

If I have a host on a network configured with /24, can I configure ACLs for this host with /27 or /28?

Example:

ip acc-list ext 200
perm icmp host 192.168.1.101 255.255.255.248 any
perm tcp 192.168.1.101 255.255.255.248 host 172.16.100.1 = 443
perm udp 192.168.1.101 255.255.255.248 host 172.10.200.1 = 53
!

Will these ACLs work? Host 192.168.1.101 has a mask of /24.

Thx

morgan

2 Replies

Bilal Nawaz
VIP Alumni

Hello, I think you will find that when you try to input the host keyword in an access list, the CLI will not give you an option to input a wildcard mask there.

When you specify a host, it means one single IP address, which is always in /32 format, even though the host resides on a /27 or whatever it may be.

Remember that you have to use wildcard masks with ACLs, rather than the normal subnet mask format.

Here's an example. I want to deny host 10.0.0.10 but permit everything else in the 10.0.0.0/24 network from going to the 20.0.0.0/24 network:

ip access-list extended example
10 deny ip host 10.0.0.10 20.0.0.0 0.0.0.255
20 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255

If I wanted to permit that host to any and deny the rest, I would do this:

ip access-list extended example
10 permit ip host 10.0.0.10 any
20 deny ip 10.0.0.0 0.0.0.255 any

See here: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

Hope this helps

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hello morgan,

As Bilal said, you cannot configure a host IP and then a wildcard mask after it. When you use the host statement, it automatically means wildcard mask 0.0.0.0.

Back to your question:

You configure an ACL based on which IP addresses you want to match. If you want to match just two hosts, e.g. 10.0.0.50 and 10.0.0.90, you can do it with this ACL:

ip access-list standard TEST
permit host 10.0.0.50
permit host 10.0.0.90

ip access-list standard TEST-1
permit 10.0.0.50 0.0.0.0
permit 10.0.0.90 0.0.0.0

ACLs TEST and TEST-1 permit the same traffic; it is just another form of configuring the same thing.

interface Fa0/0
ip add 10.0.0.1 255.255.255.0
ip access-group TEST in

As you can see, the subnet mask is /24 and the ACL uses /32, but it does not matter because they are not related.

Best Regards

Please rate all helpful posts and close solved questions
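The two replies make the same three points: an ACL entry matches on a base address plus a wildcard mask (the inverse of a subnet mask), the host keyword is shorthand for wildcard 0.0.0.0, and the mask configured on the interface plays no part in the match. The following script is an added example written for this thread (it is not Cisco code and not from either reply); it models wildcard matching for the ACLs quoted above and shows what the original poster's 255.255.255.248 mask would actually cover. The ACL names, the ACE class and all sample addresses are constructed for the demonstration.

```python
"""Minimal model of Cisco IOS-style ACL matching (added example, not Cisco code).

Models three things from the thread:
  * wildcard masks are the bitwise inverse of subnet masks,
  * 'host A.B.C.D' is exactly 'A.B.C.D 0.0.0.0',
  * an ACL is evaluated first-match, with an implicit deny at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

MAX32 = 0xFFFFFFFF


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value & MAX32))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a prefix length: /24 -> 0.0.0.255, /32 -> 0.0.0.0."""
    subnet_mask = (MAX32 << (32 - prefix_len)) & MAX32
    return _to_str(subnet_mask ^ MAX32)


def subnet_to_wildcard(subnet_mask: str) -> str:
    """Convert a dotted subnet mask (as the poster wrote) into the wildcard IOS expects."""
    return _to_str(_to_int(subnet_mask) ^ MAX32)


def wildcard_range(base: str, wildcard: str) -> Tuple[str, str]:
    """First and last address covered by base/wildcard (1 bits in the wildcard are 'don't care')."""
    b, w = _to_int(base), _to_int(wildcard)
    return _to_str(b & ~w), _to_str(b | w)


def matched_count(wildcard: str) -> int:
    """Number of addresses a wildcard covers: 2 ** (number of 1 bits)."""
    return 1 << bin(_to_int(wildcard)).count("1")


def _matches(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = _to_int(addr), _to_int(base), _to_int(wildcard)
    return (a & ~w & MAX32) == (b & ~w & MAX32)


@dataclass(frozen=True)
class ACE:
    """One access-control entry (constructed model, protocol/ports omitted for brevity)."""
    action: str       # "permit" or "deny"
    src: str
    src_wc: str       # wildcard; the host keyword is modelled as 0.0.0.0
    dst: str
    dst_wc: str


def host(addr: str) -> Tuple[str, str]:
    """'host X' == 'X 0.0.0.0', as the second reply states."""
    return addr, "0.0.0.0"


ANY = ("0.0.0.0", "255.255.255.255")


def evaluate(acl: List[ACE], src: str, dst: str) -> str:
    """First matching entry wins; an ACL with no match ends in an implicit deny.

    Note there is no interface mask anywhere in this function: the match depends
    only on the entries' base/wildcard pairs, which is the second reply's point.
    """
    for ace in acl:
        if _matches(src, ace.src, ace.src_wc) and _matches(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


# Bilal's first example: deny one host, permit the rest of 10.0.0.0/24 to 20.0.0.0/24.
EXAMPLE_ACL = [
    ACE("deny", *host("10.0.0.10"), "20.0.0.0", wildcard_from_prefix(24)),
    ACE("permit", "10.0.0.0", wildcard_from_prefix(24), "20.0.0.0", wildcard_from_prefix(24)),
]

# Second reply's standard ACLs TEST and TEST-1, written both ways; they must behave identically.
TEST_ACL = [ACE("permit", *host("10.0.0.50"), *ANY), ACE("permit", *host("10.0.0.90"), *ANY)]
TEST_1_ACL = [ACE("permit", "10.0.0.50", "0.0.0.0", *ANY), ACE("permit", "10.0.0.90", "0.0.0.0", *ANY)]


if __name__ == "__main__":
    # What the poster's 192.168.1.101 255.255.255.248 would mean once converted to a wildcard.
    wc = subnet_to_wildcard("255.255.255.248")
    print("wildcard:", wc, "covers", wildcard_range("192.168.1.101", wc), matched_count(wc), "addresses")
    for src, dst in [("10.0.0.10", "20.0.0.5"), ("10.0.0.11", "20.0.0.5"), ("10.0.1.5", "20.0.0.5")]:
        print(src, "->", dst, ":", evaluate(EXAMPLE_ACL, src, dst))
```

Running it shows why the replies steer the poster back to the host keyword: once 255.255.255.248 is turned into the wildcard IOS expects (0.0.0.7), the entry no longer matches one host but the eight addresses 192.168.1.96 through 192.168.1.103, which is rarely what a per-host rule intends. The evaluate function also has no notion of the interface's /24, which is the concrete form of the second reply's remark that the interface mask and the ACL mask are not related.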
