Extended ACL Syntax

Hey folks,
The following is the correct answer I selected to a question on a test exam. The only reason I got it right was due to process of elimination of the other answers. My question is this.. Is the use of the "any" statment at the end of the acl legitimate? I've looked at cisco's site for a while and have only found one refrence to an FTP acl that had something simlilar to it.

Test Question..
You are the network administrator for your company. As a part of improving network security, you are planning to configure access control lists (ACLs) on the network. You want to ensure that traffic is permitted that matches packets which are going to a Web client from all Web servers whose IP addresses begin with 172.17.4.

access-list 105 permit tcp 172.17.4.0 0.0.0.255 eq www any

I was under the impression that with an extended acl, the "any" statment (in this example) would have been placed after the wildcard mask and before the "eq www".

Thoughts?

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

burbankmarc

the keyword any is a short cut for 0.0.0.0 255.255.255.255, and the keyword host is a short cut for x.x.x.x 0.0.0.0.

joe48184

Thanks for responding..
I understand the use of "any" and "host". My question is to do with the use of the "any" statment at the "end" of an acl. Of all the material I've read to date, that was the first time i've ever seen it used at the end of an acl.

kalebksp

joe48184 wrote: »

access-list 105 permit tcp 172.17.4.0 0.0.0.255 eq www any

That access list permits traffic from the 172.17.4.0/24 subnet with a source TCP port of 80 to any destination. access-list 105 permit tcp 172.17.4.0 0.0.0.255 any eq www would permit traffic from the 172.17.4.0/24 subnet with a destination TCP port of 80.

So yes, it is valid, the meaning changes depending on where the eq www is.