ACL statements with host names

NormMuelleman
Level 1

How many hostnames are allowed per line in an ACL? For example, let's say I have four admins who would be the only ones accessing devices on the VTY lines.

The IPs of the admins' devices have been scattered by DHCP. That has now been resolved through reservations, so these four devices will always have the same IP. Since these will be the only devices used to manage via VTY, I want to include these 4 devices and exclude anything else.

So, should I do:

permit host 192.168.0.1 192.168.0.4 192.168.0.5 192.168.0.30 eq 22 log

deny ip any any log

This allows only the 4 devices to SSH into the VTY (once applied there), and denies anything else trying to get into the VTY. But is there a maximum number of hosts per line? Or should I list each host on its own separate line?

3 Replies

Peter Paluch
Cisco Employee

Norm,

You cannot write an arbitrary number of hosts into an ACL entry (ACE in short). ACEs have fixed syntax, depending on the ACL type. With standard ACLs, each ACE contains only a single address specification - the source of the packet. With extended ACLs, each ACE contains two address specifications - the source and the destination of a packet.

If you want to use an ACL on a VTY, the best is to use a standard ACL, and because of the syntax requirements, each machine has to be on a separate line, i.e.:

ip access-list standard Management
 permit 192.168.0.2 log
 permit 192.168.0.4 log
 permit 192.168.0.5 log
 permit 192.168.0.30 log
 deny any log
line vty 0 15
 access-class Management in

Do not use extended ACLs with VTYs - they are evaluated differently on VTYs than on interfaces, and may not produce desired results.

Best regards,

Peter

Reza Sharifi
Hall of Fame

As Peter noted, when using the host keyword, you can only write one host at a time. If you had a contiguous range of IP addresses, you could write one line with a mask.

permit 192.168.0.0 0.0.0.3 eq ssh log

This would allow 4 hosts (192.168.0.1,2,3,4)

HTH
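As an added example (not from the thread or from Cisco), a small Python helper that ties Peter's and Reza's points together: it takes the management hosts from the question and emits a standard ACL in which only aligned, contiguous runs are collapsed into one wildcard-mask ACE (every other host gets its own line), then evaluates the result first-match against a source address so you can check exactly which addresses an ACE covers before applying it with access-class. The ACL name "Management" is taken from Peter's reply; the host list is the one from the question.

```python
# Added example: generate a Cisco-style standard ACL from a host list and
# evaluate it first-match.  Not from the thread; the hosts are the ones the
# question lists and the ACL name "Management" is from Peter's reply.
import ipaddress

def ace_blocks(hosts):
    """Return CIDR blocks covering exactly `hosts`.  Each contiguous run is
    summarized into aligned blocks; a block maps 1:1 to a wildcard-mask ACE,
    a /32 to a 'permit host' ACE.  Non-aligned runs stay as /32s."""
    addrs = sorted({ipaddress.IPv4Address(h) for h in hosts})
    blocks, start, prev = [], None, None
    for a in addrs:
        if prev is not None and int(a) == int(prev) + 1:
            prev = a                      # extend the current run
            continue
        if start is not None:
            blocks.extend(ipaddress.summarize_address_range(start, prev))
        start = prev = a                  # begin a new run
    if start is not None:
        blocks.extend(ipaddress.summarize_address_range(start, prev))
    return blocks

def standard_acl(name, hosts, log=True):
    """Build the named standard ACL text; one ACE per block, explicit deny last."""
    suffix = " log" if log else ""
    lines = [f"ip access-list standard {name}"]
    for net in ace_blocks(hosts):
        if net.prefixlen == 32:
            lines.append(f" permit host {net.network_address}{suffix}")
        else:  # hostmask is the IOS wildcard mask for this block
            lines.append(f" permit {net.network_address} {net.hostmask}{suffix}")
    lines.append(f" deny any{suffix}")
    return "\n".join(lines)

def acl_permits(acl_text, src):
    """First-match evaluation of an ACL produced by standard_acl()."""
    src = int(ipaddress.IPv4Address(src))
    for line in acl_text.splitlines()[1:]:
        action, spec = line.split()[0], line.split()[1:]
        if spec[0] == "any":
            match = True
        elif spec[0] == "host":
            match = src == int(ipaddress.IPv4Address(spec[1]))
        else:  # address + wildcard: compare only the bits the wildcard clears
            net, wild = (int(ipaddress.IPv4Address(x)) for x in spec[:2])
            mask = 0xFFFFFFFF ^ wild
            match = (src & mask) == (net & mask)
        if match:
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

if __name__ == "__main__":
    print(standard_acl("Management", ["192.168.0.2", "192.168.0.4",
                                      "192.168.0.5", "192.168.0.30"]))
```

Running it prints .4 and .5 collapsed to `permit 192.168.0.4 0.0.0.1 log` and the other two hosts on their own lines; feed acl_permits() a few neighbouring addresses to confirm the ACL admits nothing outside the intended set.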

Thanks Peter and Reza;

I thought as much that each host would need its own line. Yes, I knew you could do a "range" as Reza mentioned, but then that would have made it too easy, and my "inherited" network was not made easy.

Thanks much! I'm posting another question concerning logging.
