06-12-2013 11:20 AM - edited 03-07-2019 01:51 PM
Hello experts,
If I have a host on a network configured with /24, can I configure ACLs for this host with /27 or /28?
Example:
ip acc-list ext 200
perm icmp host 192.168.1.101 255.255.255.248 any
perm tcp 192.168.1.101 255.255.255.248 host 172.16.100.1 eq 443
perm udp 192.168.1.101 255.255.255.248 host 172.10.200.1 eq 53
!
Will these ACLs work? Host 192.168.1.101 has a mask of /24.
Thx
morgan
06-12-2013 10:48 PM
Hello, I think you will find that when you try to input the host keyword in an access list, the CLI will not give you an option there to input a wildcard mask.
When you specify a host, it means one single IP address, which is always in /32 format, even though the host resides on a /27 or whatever it may be.
Remember that you have to use wildcard masks with ACLs, rather than the normal subnet-mask format.
Here's an example. I want to deny host 10.0.0.10 but permit everything else in the 10.0.0.0/24 network from going to the 20.0.0.0/24 network:
ip access-list extended example
10 deny ip host 10.0.0.10 20.0.0.0 0.0.0.255
20 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
If I wanted to permit that host to any and deny the rest, I would do this:
ip access-list extended example
10 permit ip host 10.0.0.10 any
20 deny ip 10.0.0.0 0.0.0.255 any
See here: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
Hope this helps
Sent from Cisco Technical Support iPhone App
06-13-2013 07:28 AM
Hello morgan,
As Bilal said, you cannot configure a host IP followed by a wildcard mask. When you use the host keyword, it automatically means wildcard mask 0.0.0.0.
Back to your question:
You configure an ACL based on what IP addresses you want to match. If you want to match just two hosts, e.g. 10.0.0.50 and 10.0.0.90, you can do it with this ACL:
ip access-list standard TEST
permit host 10.0.0.50
permit host 10.0.0.90
ip access-list standard TEST-1
permit 10.0.0.50 0.0.0.0
permit 10.0.0.90 0.0.0.0
ACLs TEST and TEST-1 permit the same traffic; it is just another form of configuring the same thing.
interface Fa0/0
ip add 10.0.0.1 255.255.255.0
ip access-group TEST in
As you can see, the subnet mask is /24 and the ACL is using /32, but it does not matter because they are not related.
Best Regards
Please rate all helpful posts and close solved questions
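The wildcard matching that both answers describe, as an added Python example written for this edit; it is not part of the original thread and not Cisco tooling. It models IOS ACL semantics as the answers state them: a 0 bit in the wildcard means that bit must equal the base address, host X is shorthand for X 0.0.0.0, any is 0.0.0.0 255.255.255.255, entries are checked top-down with the first match winning, and anything unmatched hits the implicit deny. The ACL lines are the ones posted in the two answers; the function names, the packet addresses and the subnet-mask-to-wildcard helper are my own additions.

```python
import ipaddress
from dataclasses import dataclass

MASK_ALL = 0xFFFFFFFF


def wildcard_from_mask(mask: str) -> str:
    """Turn a subnet mask into the IOS wildcard mask (bitwise inverse):
    255.255.255.0 -> 0.0.0.255, 255.255.255.248 -> 0.0.0.7."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ MASK_ALL))


def wildcard_matches(ip: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard means 'must equal base',
    a 1 bit means 'don't care'."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ MASK_ALL
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def addresses_matched(base: str, wildcard: str) -> list:
    """Enumerate every address a base/wildcard pair covers (keep the wildcard small)."""
    w = int(ipaddress.IPv4Address(wildcard))
    net = int(ipaddress.IPv4Address(base)) & (w ^ MASK_ALL)  # IOS clears the don't-care bits
    out, sub = [], w
    while True:  # walk every sub-mask of w, i.e. every combination of its 1 bits
        out.append(str(ipaddress.IPv4Address(net | sub)))
        if sub == 0:
            break
        sub = (sub - 1) & w
    return sorted(out, key=lambda a: int(ipaddress.IPv4Address(a)))


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp", "udp" or "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def parse_ace(line: str) -> Ace:
    """Parse the subset of IOS syntax used in this thread:
         [seq] permit|deny [proto] SRC [DST]
    where SRC/DST is 'host A', 'A WILDCARD' or 'any'. A standard ACL has no
    protocol and no destination; port operators such as 'eq 443' are ignored."""
    toks = line.split()
    if toks[0].isdigit():  # optional sequence number
        toks = toks[1:]
    action = toks[0]
    if toks[1] in ("ip", "tcp", "udp", "icmp"):
        proto, rest = toks[1], toks[2:]
    else:
        proto, rest = "ip", toks[1:]  # standard ACL: source only

    def take(ts):
        if not ts or ts[0] in ("eq", "gt", "lt", "range"):
            return "0.0.0.0", "255.255.255.255", ts  # missing destination == any
        if ts[0] == "any":
            return "0.0.0.0", "255.255.255.255", ts[1:]
        if ts[0] == "host":
            return ts[1], "0.0.0.0", ts[2:]
        return ts[0], ts[1], ts[2:]

    src, src_wc, rest = take(rest)
    dst, dst_wc, rest = take(rest)
    return Ace(action, proto, src, src_wc, dst, dst_wc)


def evaluate(acl: list, proto: str, src: str, dst: str) -> str:
    """Top-down, first match wins; every ACL ends with an implicit 'deny ip any any'."""
    for line in acl:
        ace = parse_ace(line)
        if ace.proto not in ("ip", proto):
            continue
        if wildcard_matches(src, ace.src, ace.src_wc) and wildcard_matches(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


# The ACLs posted in the two answers above.
EXAMPLE = ["10 deny ip host 10.0.0.10 20.0.0.0 0.0.0.255",
           "20 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255"]
TEST = ["permit host 10.0.0.50", "permit host 10.0.0.90"]
TEST_1 = ["permit 10.0.0.50 0.0.0.0", "permit 10.0.0.90 0.0.0.0"]

if __name__ == "__main__":
    print(evaluate(EXAMPLE, "tcp", "10.0.0.10", "20.0.0.7"))  # deny
    print(evaluate(EXAMPLE, "tcp", "10.0.0.11", "20.0.0.7"))  # permit
    print(addresses_matched("192.168.1.101", wildcard_from_mask("255.255.255.248")))
```

Two things the evaluator makes concrete. First, the ACL's wildcard and the interface's /24 are independent: TEST and TEST-1 give identical results whatever mask Fa0/0 carries. Second, a subnet mask typed where IOS expects a wildcard, as in the question's 255.255.255.248, does not narrow the match to a /29; it matches every address whose low three bits equal those of .101, such as 10.20.30.5, and fails to match 192.168.1.102. The equivalent wildcard 0.0.0.7 covers 192.168.1.96 through 192.168.1.103, eight hosts rather than one, which is why the host keyword with its implied 0.0.0.0 is the right tool for a single address.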