Wildcard Mask – Providing Wildcard Mask in Extended ACL

aclcisco

Is it necessary to provide a wildcard mask in extended ACL?

For example, if I want to block 192.168.5.2 from gaining access to 192.168.7.2, can I write the command as follows?

access-list 107 deny 192.168.5.2 192.168.7.2
acess-list 107 permit any any
int fa 0/0
ip access-group in

Best Answer

You are wrong.

The correct syntax is:

access-list 107 deny ip 192.168.5.2 0.0.0.0 host 192.168.7.2
access-list 107 permit ip any any

int fa 0/0
ip access-group 107 in

0.0.0.0 is the ACL wildcard of 255.255.255.255 which is a single host (/32). 0.0.0.255 is the ACL wildcard of 255.255.255.0 which is a whole /24 subnet.

Related Solutions

Are IPv6 Wildcard Matches in Cisco IOS Possible

Unfortunately, Cisco did away with wildcard masks in IPv6. That is mostly a good thing, EXCEPT in this particular case. For your idea to work however, you have to rely on Facebook being both "clever" and consistent, which is probably more than one can hope for.

But if you want to process Facebook's traffic differently than other traffic, you can simply filter on their assigned address block. The one you mention in your question is actually assigned to Facebook Ireland: 2a03:2880::/32.

But it is just as easy to look up others in the registries.

ACL Troubleshooting – Why ‘Deny All’ Statement is Not Working

Normally you would be right, there is an implied "deny" at the end of every access list. You have found the exception however, because you use an empty access list:

interface Serial2/0
 ip address 192.168.1.2 255.255.255.0
 ip access-group ACL_FOR_R2 in
 serial restart-delay 0
!
<snip>
!
ip access-list extended ACL_FOR_R2
!

According to the documentation:

"An interface or command with an empty access list applied to it permits all traffic into the network."

So as soon as you add any term to the ACL, it will start blocking all other traffic.

Best Answer

Related Solutions

Are IPv6 Wildcard Matches in Cisco IOS Possible

ACL Troubleshooting – Why ‘Deny All’ Statement is Not Working

Related Topic