Extended ACL Syntax

joe48184 Member Posts: 83
Hey folks,
The following is the correct answer I selected to a question on a test exam. The only reason I got it right was due to process of elimination of the other answers. My question is this.. Is the use of the "any" statment at the end of the acl legitimate? I've looked at cisco's site for a while and have only found one refrence to an FTP acl that had something simlilar to it.

Test Question..
You are the network administrator for your company. As a part of improving network security, you are planning to configure access control lists (ACLs) on the network. You want to ensure that traffic is permitted that matches packets which are going to a Web client from all Web servers whose IP addresses begin with 172.17.4.


access-list 105 permit tcp 172.17.4.0 0.0.0.255 eq www any


I was under the impression that with an extended ACL, the "any" statement (in this example) would have been placed after the wildcard mask and before the "eq www".

Thoughts?

Comments

  • burbankmarc Member Posts: 460
    the keyword any is a short cut for 0.0.0.0 255.255.255.255, and the keyword host is a short cut for x.x.x.x 0.0.0.0.
  • joe48184 Member Posts: 83
    Thanks for responding..
    I understand the use of "any" and "host". My question is to do with the use of the "any" statement at the "end" of an ACL. Of all the material I've read to date, that was the first time I've ever seen it used at the end of an ACL.
  • kalebksp Member Posts: 1,033
    joe48184 wrote: »
    access-list 105 permit tcp 172.17.4.0 0.0.0.255 eq www any

    That access list permits traffic from the 172.17.4.0/24 subnet with a source TCP port of 80 to any destination. access-list 105 permit tcp 172.17.4.0 0.0.0.255 any eq www would permit traffic from the 172.17.4.0/24 subnet with a destination TCP port of 80.

    So yes, it is valid; the meaning changes depending on where the eq www is.
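To make the point in that answer concrete, here is a small added example (not posted in the thread) that parses both forms of the entry and evaluates them against constructed packets. It assumes a simplified grammar: protocol tcp, address specs of `any`, `host`, or address plus wildcard, and only the `eq` port operator with a handful of port keywords.

```python
import ipaddress

# Port keywords the parser understands (a small subset of Cisco's, chosen for this example)
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23, "smtp": 25}

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (address + wildcard)."""
    if tokens[0] == "any":  # shorthand for 0.0.0.0 255.255.255.255
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":  # shorthand for A.B.C.D 0.0.0.0
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def _take_port(tokens):
    """Consume an optional 'eq <port>'; None means any port."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse 'access-list N permit|deny tcp SRC [eq P] DST [eq P]' into a dict."""
    # The port qualifier binds to the address it directly follows: 'eq www'
    # before 'any' is a source port, after 'any' it is a destination port.
    t = line.split()
    ace = {"number": int(t[1]), "action": t[2], "proto": t[3]}
    rest = t[4:]
    ace["src"], rest = _take_addr(rest)
    ace["sport"], rest = _take_port(rest)
    ace["dst"], rest = _take_addr(rest)
    ace["dport"], rest = _take_port(rest)
    if rest:
        raise ValueError(f"unparsed tokens: {rest}")
    return ace

def _addr_match(spec, ip):
    net, wildcard = spec
    # Cisco wildcard: a 1 bit means "don't care", so compare only the 0 bits
    return (ip & ~wildcard) == (net & ~wildcard)

def matches(ace, src_ip, sport, dst_ip, dport):
    """True if a TCP packet src_ip:sport -> dst_ip:dport hits this entry."""
    return (_addr_match(ace["src"], _ip(src_ip))
            and (ace["sport"] is None or ace["sport"] == sport)
            and _addr_match(ace["dst"], _ip(dst_ip))
            and (ace["dport"] is None or ace["dport"] == dport))
```

Feeding a constructed server reply (172.17.4.10:80 to 10.0.0.5:51000) to both entries shows the thread's point: the `eq www any` form matches it, the `any eq www` form does not.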