Cisco Support Community
Community Member

Valid ACL ???


I have seen the following ACL entries in a running config of a router. Are they valid ACLs? And what do they mean? Thanks.

permit tcp host eq telnet


permit ip (27423670 matches)

Hall of Fame Super Gold

Re: Valid ACL ???


All 3 statements are unusual and not standard ways of writing access list entries. But as far as I can tell they are valid - if they are configured on a router I think it would not generate a syntax error. But the non-standard masks used make it very difficult to determine what will match.

Bear in mind that in the access list mask a binary 0 means that the bits must match and a binary 1 means that the bits do not need to match. So in the first statement:

permit tcp host

the mask of for the source address has 31 binary 0 and a single binary 1. So effectively there are 2 addresses that will match this: and

The second statement seems to be for a standard access list rather than an extended access list since there is a single address and a single mask. Again the mask used is quite unusual and what it will match is irregular. The statement is:


and with this mask the first octet must be 10, the last 2 octets can be anything and since the second octet of the mask has a single binary 1 it will match 2 addresses - 16 and 20.

The last statement is even more unusual. It is:

permit ip

The mask of indicates that the first octet must be 10, the second octet can be 16, or 17, or 18, or 19. The third octet can be anything. The fourth octet can be anything except 0 and 128.



Re: Valid ACL ???

Yes, they are all valid

permit tcp host eq telnet:

permit telnet session with the ip source address = or and ip destination address =


permit ip packet with source address = 10.16.x.x or 10.20.x.x, where x=0~255

permit ip

permit ip packet with source address 10.x.y.z, where x=16~19, y=0~255, z=0~127,

and destination address = 10.16.a.b, where a=8~15, b=0~255

Hope this helps
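
The wildcard-mask rule described in the replies above (a 0 bit must match, a 1 bit is ignored), as an added example that is not part of the original thread: it expands an address/wildcard pair into the values each octet accepts and flags non-contiguous masks when auditing a config. The function names are hypothetical, and the address/mask pairs are constructed to fit the descriptions in the replies because the page does not show the original values.

```python
import ipaddress

def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))

def matches(packet_ip, base, wildcard):
    """Cisco wildcard semantics: mask bit 0 = must equal base, 1 = ignored."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(packet_ip) & care) == (_u32(base) & care)

def is_contiguous(wildcard):
    """True when the mask is a plain inverted netmask (0...01...1)."""
    w = _u32(wildcard)
    return w & (w + 1) == 0

def octet_values(base, wildcard):
    """For each octet, the sorted list of values the entry accepts."""
    out = []
    for b, w in zip(ipaddress.IPv4Address(base).packed,
                    ipaddress.IPv4Address(wildcard).packed):
        fixed, sub, vals = b & ~w & 0xFF, w, []
        while True:                      # walk every subset of the don't-care bits
            vals.append(fixed | sub)
            if sub == 0:
                break
            sub = (sub - 1) & w
        out.append(sorted(vals))
    return out

def describe(base, wildcard):
    """Human-readable summary for reviewing an ACL entry."""
    parts = []
    for vals in octet_values(base, wildcard):
        if len(vals) == 256:
            parts.append("any")
        elif vals == list(range(vals[0], vals[-1] + 1)):
            parts.append(str(vals[0]) if len(vals) == 1 else f"{vals[0]}-{vals[-1]}")
        else:
            parts.append("{" + ",".join(map(str, vals)) + "}")
    flag = "" if is_contiguous(wildcard) else "  [non-contiguous mask]"
    return ".".join(parts) + flag

# Constructed address/wildcard pairs (assumptions, not the thread's originals).
SAMPLES = [("10.16.0.0", "0.4.255.255"), ("10.16.0.0", "0.3.255.127"),
           ("10.16.8.0", "0.0.7.255")]

if __name__ == "__main__":
    for base, wc in SAMPLES:
        print(f"{base} {wc} -> {describe(base, wc)}")
```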

