CCNA And CCENT Lab: Using “Host” And “Any” In Access Lists

Questions or comments?   Tweet me!

In our standard ACL lab, we had the option of using host or any in place of a wildcard mask.  Same for the extended ACL lab.    We stuck with wildcard masks in those labs, so it’s time for us to take a look at both of these options in action.

A wildcard mask of all zeroes means the address specified in the ACL line must be matched exactly in order for the specified action to be taken.  While there’s nothing wrong with writing the mask out, you have the option of using host to represent a mask of in either a standard or extended ACL.   Let’s use IOS Help to see the proper use of host in a standard ACL.

R5(config)#access-list 7 permit ?

  Hostname or A.B.C.D  Address to match

  any                  Any source host

  host                 A single host address


R5(config)#access-list 7 permit host ?

  Hostname or A.B.C.D  Host address


R5(config)#access-list 7 permit host

You can only use host once in a standard ACL for one very good reason — a standard ACL can only match on the source IP address of a packet.  You can use host twice in an extended ACL, once for each of the two required values in an extended ACL (source IP and destination IP).   Here’s an extended ACL line that uses host twice, allowing it to match a packet only if the source is and the destination is

R5(config)#access-list 177 permit ip host ?

  A.B.C.D       Destination address

  any           Any destination host

  host          A single destination host

  object-group  Destination network object group

R5(config)#access-list 177 permit ip host host

At the other end of the spectrum, we have the wildcard mask, which matches literally any address. Lines using this mask are often written to negate the implicit deny or to create a log of addresses that match a particular line.  Here’s an example of each:

R5(config)#access-list 8 permit

That line permits anything.  The next line denies everything and logs denials.   This is a good line to use at the end of an ACL if you want to log all denies.

R5(config)#access-list 9 deny log

You can use any in place of that address and mask.  The following two ACL lines do the exact same thing as the lines from ACLs 8 and 9 seen above.

R5(config)#access-list 14 permit any 

R5(config)#access-list 15 deny any log

Just as with host, you can use any twice in an extended ACL.  That’s once for the source IP and the other for the destination IP.  (Yes, I mention that often.  Thank me after you pass the exam!)   The following ACL line might look incorrect at first, but the two anys are there for a reason.   This line would permit traffic regardless of source or destination.  It’s an excellent line to end an ACL with if you want to negate the implicit deny.

R5(config)#access-list 177 permit ip any any

There’s nothing wrong with using or not using host and any in real-world networking, but as we know, it’s a good idea to know more than one way to do things when prepping for the CCENT and CCNA exams.  Know these two options inside and out.

Another great option is covered in the next tutorial:

CCNA And CCENT Lab:  Telnet and Access Lists

And here are a few other links of interest:

Chris Bryant’s CCNA And CCENT YouTube Channel

CCNA Access List Tutorial: The Fundamentals

CCNA Access List Tutorial:  Standard ACLs

CCNA Access List Tutorial:  Extended ACLs