CCNA And CCENT Lab: Using “Host” And “Any” In Access Lists
In our standard ACL lab, we had the option of using host or any in place of a wildcard mask. Same for the extended ACL lab. We stuck with wildcard masks in those labs, so it’s time for us to take a look at both of these options in action.
A wildcard mask of all zeroes means the address specified in the ACL line must be matched exactly in order for the specified action to be taken. While there’s nothing wrong with writing the mask out, you have the option of using host to represent a mask of 0.0.0.0 in either a standard or extended ACL. Let’s use IOS Help to see the proper use of host in a standard ACL.
R5(config)#access-list 7 permit ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
R5(config)#access-list 7 permit host ?
  Hostname or A.B.C.D  Host address
R5(config)#access-list 7 permit host 172.12.12.3
You can only use host once in a standard ACL for one very good reason — a standard ACL can only match on the source IP address of a packet. You can use host twice in an extended ACL, once for each of the two required values in an extended ACL (source IP and destination IP). Here’s an extended ACL line that uses host twice, allowing it to match a packet only if the source is 172.12.12.3 and the destination is 172.12.23.4.
R5(config)#access-list 177 permit ip host 172.12.12.3 ?
  A.B.C.D       Destination address
  any           Any destination host
  host          A single destination host
  object-group  Destination network object group
R5(config)#access-list 177 permit ip host 172.12.12.3 host 172.12.23.4
At the other end of the spectrum, we have the wildcard mask 255.255.255.255, which matches literally any address. Lines using this mask are often written to negate the implicit deny or to create a log of addresses that match a particular line. Here’s an example of each:
R5(config)#access-list 8 permit 0.0.0.0 255.255.255.255
That line permits anything. The next line denies everything and logs denials. This is a good line to use at the end of an ACL if you want to log all denies.
R5(config)#access-list 9 deny 0.0.0.0 255.255.255.255 log
You can use any in place of that address and mask. The following two ACL lines do the exact same thing as the lines from ACLs 8 and 9 seen above.
R5(config)#access-list 14 permit any
R5(config)#access-list 15 deny any log
Just as with host, you can use any twice in an extended ACL. That’s once for the source IP and the other for the destination IP. (Yes, I mention that often. Thank me after you pass the exam!) The following ACL line might look incorrect at first, but the two anys are there for a reason. This line would permit traffic regardless of source or destination. It’s an excellent line to end an ACL with if you want to negate the implicit deny.
R5(config)#access-list 177 permit ip any any
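To see why host and any are exact stand-ins for the 0.0.0.0 and 255.255.255.255 wildcard masks, and how the implicit deny at the end of every ACL comes into play, here is a small Python model of the matching logic. This is an added example written for this page, not Cisco code or anything from the original tutorial; it is a toy that handles standard ACLs (source only) and extended ACLs using the ip keyword, and the ACL lines and packet addresses it feeds in are constructed from the lab above. A wildcard bit of 1 means "ignore this bit", a wildcard bit of 0 means "this bit must match", which is all host and any really are.

```python
"""Toy model of how Cisco IOS evaluates numbered ACL lines using wildcard masks.
Added example for this tutorial; not IOS code and not the page's own lab output."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY_WILDCARD = 0xFFFFFFFF   # 255.255.255.255: every bit ignored  -> "any"
HOST_WILDCARD = 0x00000000  # 0.0.0.0: every bit must match       -> "host"


def _ip(x) -> int:
    """Accept a dotted quad or an already-converted int and return the int form."""
    return x if isinstance(x, int) else int(ipaddress.IPv4Address(x))


def _is_ipv4(s: str) -> bool:
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def wildcard_match(packet_ip, acl_addr, wildcard) -> bool:
    """True if packet_ip matches acl_addr on every bit the wildcard marks as 'care' (0)."""
    care_bits = ~_ip(wildcard) & 0xFFFFFFFF
    return ((_ip(packet_ip) ^ _ip(acl_addr)) & care_bits) == 0


def parse_addr_spec(tokens):
    """Consume one address spec and return ((addr, wildcard), remaining tokens).
    Accepts 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W', or (standard-ACL shorthand)
    a bare 'A.B.C.D', which IOS treats as wildcard 0.0.0.0."""
    if tokens[0] == "any":
        return (0, ANY_WILDCARD), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), HOST_WILDCARD), tokens[2:]
    if len(tokens) > 1 and _is_ipv4(tokens[1]):
        return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]
    return (_ip(tokens[0]), HOST_WILDCARD), tokens[1:]


@dataclass
class Entry:
    action: str                          # "permit" or "deny"
    src: Tuple[int, int]                 # (address, wildcard)
    dst: Optional[Tuple[int, int]]       # None for a standard ACL (source only)
    log: bool


def parse_line(line: str):
    """Parse 'access-list N permit|deny [ip] <src> [<dst>] [log]' -> (N, Entry)."""
    tokens = line.split()
    assert tokens[0] == "access-list", "not an access-list line"
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    log = rest and rest[-1] == "log"
    if log:
        rest = rest[:-1]
    standard = 1 <= number <= 99 or 1300 <= number <= 1999
    if standard:                         # standard ACL: one address spec, the source
        src, rest = parse_addr_spec(rest)
        dst = None
    else:                                # extended ACL: protocol, then source and destination
        assert rest[0] == "ip", "this toy parser only models the 'ip' protocol keyword"
        src, rest = parse_addr_spec(rest[1:])
        dst, rest = parse_addr_spec(rest)
    assert not rest, f"unparsed tokens: {rest}"
    return number, Entry(action, src, dst, bool(log))


def build_acls(lines):
    """Group parsed entries by ACL number, preserving top-to-bottom order."""
    acls = {}
    for line in lines:
        number, entry = parse_line(line)
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(entries, src_ip, dst_ip=None):
    """First matching line wins. No match -> the implicit deny, which is never logged."""
    for e in entries:
        if not wildcard_match(src_ip, *e.src):
            continue
        if e.dst is not None and not wildcard_match(dst_ip, *e.dst):
            continue
        return e.action, e.log
    return "deny", False


# Constructed sample ACLs built from the lines shown in the lab above.
ACL_LINES = [
    "access-list 7 permit host 172.12.12.3",
    "access-list 7 deny 0.0.0.0 255.255.255.255 log",
    "access-list 177 permit ip host 172.12.12.3 host 172.12.23.4",
    "access-list 177 permit ip any any",
]

if __name__ == "__main__":
    acls = build_acls(ACL_LINES)
    print(evaluate(acls[7], "172.12.12.3"))                 # ('permit', False)
    print(evaluate(acls[7], "172.12.12.4"))                 # ('deny', True)  logged deny-all line
    print(evaluate(acls[7][:1], "172.12.12.4"))             # ('deny', False) implicit deny, no log
    print(evaluate(acls[177], "10.0.0.1", "10.0.0.2"))      # ('permit', False) via 'any any'
```

Two things worth noticing when you run it: `parse_addr_spec(["any"])` and `parse_addr_spec(["0.0.0.0", "255.255.255.255"])` produce the same (address, wildcard) pair, as do `host 172.12.12.3` and `172.12.12.3 0.0.0.0`, which is exactly the equivalence the lab describes. And the third evaluation shows why the explicit `deny any log` line matters: with only the host line in ACL 7, a non-matching packet is still dropped by the implicit deny, but nothing is logged.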
There’s nothing wrong with using or not using host and any in real-world networking, but as we know, it’s a good idea to know more than one way to do things when prepping for the CCENT and CCNA exams. Know these two options inside and out.
Another great option is covered in the next tutorial:
CCNA And CCENT Lab: Telnet and Access Lists
And here are a few other links of interest:
Chris Bryant’s CCNA And CCENT YouTube Channel
CCNA Access List Tutorial: The Fundamentals