ACL with 'host' keyword used for filtering RIP update

Hi all,

I'm a little bit confused about two syntaxes of an extended ACL. From my knowledge, the keyword 'HOST' defines a /32 address.

In WB.v5 RS (RIPv2 Filtering with Extended Access-Lists), they used a syntax with the 'host' keyword for a subnet address (/24):

access-list 100 deny ip host host

Here: is a loopback address and is a /24 subnet.

From IOS:

    R9(config)#access-list 100 deny ip host ?
      A.B.C.D       Source address
      any           Any source host
      host          A single destination host
      object-group  Source network object group

You can see that after the 'host' keyword, the IOS is expecting 'a single destination'.

So I used this config.: access-list 100 deny ip host 0.0.255 and it worked.

- If it was the real exam, are the two solutions valid?

- Maybe the difference doesn't matter because it's about an update, not for security purposes (?)

Many thanks in advance,





  • You have to understand that ACLs are used for various scopes, so when you think about the keyword 'host' don't think about an end host, or a /32. The 'host' keyword is a macro for the wildcard mask value of

    As long as you understand the functionality of wildcard masks, there will be no confusion; in the wildcard mask, a bit of zero means a perfect match on the corresponding bit from the IP portion, while a bit of one means you don't care about the value (zero or one) of the corresponding bit from the IP.

    So for example, it will match only on, while will match on 10.10.[10-11].0

  • Hi Cristian,

    Thank you for your response,

    So, using the keyword "host" is not immovable only for /32 prefixes; we can use it to designate a subnet too.

    Thank you for the info.


    Fay ONIS
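
Added example (not from the thread or the workbook): a small Python model of the wildcard-mask comparison described in the answer above, applied to the two ACL forms from the question. All addresses are constructed, and it assumes that in a RIP distribute-list the extended ACL's source field is compared with the update source and the destination field with the advertised network address.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(value, base, wildcard):
    """True when value equals base on every bit where the wildcard bit is 0."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(value) & care) == (to_int(base) & care)

def parse_field(tokens):
    """Consume one address field ('any', 'host A' or 'A W') as (base, wildcard)."""
    head = tokens.pop(0)
    if head == "any":
        return ("0.0.0.0", "255.255.255.255")
    if head == "host":
        return (tokens.pop(0), "0.0.0.0")  # 'host A' is shorthand for 'A 0.0.0.0'
    return (head, tokens.pop(0))

def parse_entry(line):
    """Parse 'access-list N permit|deny ip <src> <dst>' (only this form)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError("unsupported ACL line: " + line)
    rest = tokens[4:]
    src, dst = parse_field(rest), parse_field(rest)
    if rest:
        raise ValueError("trailing tokens in: " + line)
    return tokens[2], src, dst

def evaluate(acl_lines, update_source, network):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for line in acl_lines:
        action, src, dst = parse_entry(line)
        if wildcard_match(update_source, *src) and wildcard_match(network, *dst):
            return action
    return "deny"

# Constructed sample values (assumptions, not taken from the thread).
PEER = "192.0.2.9"
ACL_HOST = ["access-list 100 deny ip host 192.0.2.9 host 10.10.10.0",
            "access-list 100 permit ip any any"]
ACL_WILD = ["access-list 100 deny ip host 192.0.2.9 10.10.10.0 0.0.0.255",
            "access-list 100 permit ip any any"]

if __name__ == "__main__":
    for net in ("10.10.10.0", "10.10.10.128", "10.10.11.0"):
        print(net, evaluate(ACL_HOST, PEER, net), evaluate(ACL_WILD, PEER, net))
```

Both forms deny the route whose network address is exactly 10.10.10.0, but only the 0.0.0.255 form also denies a longer prefix inside that range such as 10.10.10.128.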
