diff --git a/plugins/policy/config_processor.go b/plugins/policy/config_processor.go
index 6ea4023778..d4adc5c876 100644
--- a/plugins/policy/config_processor.go
+++ b/plugins/policy/config_processor.go
@@ -357,6 +357,13 @@ func (pp *ConfigProcessor) Close() error {
 return nil
 }
+func getHostIPNet(ip string) string {
+ if ip == "" {
+ return ip
+ }
+ return ip + "/32"
+}
+
 func getIngressRule(proto policy.Policy_Port_Protocol, dstPort int32, srcIPAddr string, ruleName string) *acl.AccessLists_Acl_Rule {
 lowerDstPort := uint32(dstPort)
@@ -368,7 +375,7 @@ func getIngressRule(proto policy.Policy_Port_Protocol, dstPort int32, srcIPAddr
 matches = &acl.AccessLists_Acl_Rule_Matches{
 IpRule: &acl.AccessLists_Acl_Rule_Matches_IpRule{
 Ip: &acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{
- SourceNetwork: srcIPAddr + "/32",
+ SourceNetwork: getHostIPNet(srcIPAddr),
 },
 Tcp: &acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp{
 DestinationPortRange: &acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_DestinationPortRange{
@@ -382,7 +389,7 @@ func getIngressRule(proto policy.Policy_Port_Protocol, dstPort int32, srcIPAddr
 matches = &acl.AccessLists_Acl_Rule_Matches{
 IpRule: &acl.AccessLists_Acl_Rule_Matches_IpRule{
 Ip: &acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{
- SourceNetwork: srcIPAddr + "/32",
+ SourceNetwork: getHostIPNet(srcIPAddr),
 },
 Udp: &acl.AccessLists_Acl_Rule_Matches_IpRule_Udp{
 DestinationPortRange: &acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_DestinationPortRange{
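Review bot: `getHostIPNet` appends `/32` to every non-empty string, so an IPv6 address would receive an IPv4-length prefix, and the helper has no doc comment describing what an empty result means. Because the empty string is now forwarded unchanged into `SourceNetwork`, that comment should state whether an empty source network is treated downstream as "any source"; this diff does not show the interpretation, and if it is, a missing pod IP silently becomes a rule with no source restriction. The sketch below picks the prefix length from the parsed address and keeps today's result for every other input; it needs `net` imported in this file.

```go
// getHostIPNet returns the single-host network for ip in CIDR notation.
// An empty ip is returned unchanged, without a prefix length.
func getHostIPNet(ip string) string {
	if ip == "" {
		return ip
	}
	// To4 returns nil for a valid address that is not IPv4.
	if parsed := net.ParseIP(ip); parsed != nil && parsed.To4() == nil {
		return ip + "/128"
	}
	return ip + "/32"
}
```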
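Review bot: The `Tcp` match under the changed `SourceNetwork` line sets `DestinationPortRange` but, as far as this hunk shows, no `SourcePortRange`, and the vendored `tcpACL` change in this same commit leaves the source-port fields untouched when that range is nil. If `aclRule` arrives there zero-valued, the rendered rule would carry a source-port range of 0–0 instead of 0–65535, which would presumably match almost no real traffic. It is worth confirming how "any source port" is meant to be expressed and, if needed, populating `SourcePortRange` here with `LowerPort: 0` and `UpperPort: 65535`. The `Udp` match in the next hunk has the same shape and deserves the same check; both literals continue past the end of their hunks, so a source range may be set in lines not shown.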
@@ -449,14 +456,14 @@ func getFromRule(srcIPAddr string, ruleName string) *acl.AccessLists_Acl_Rule {
 matches = &acl.AccessLists_Acl_Rule_Matches{
 IpRule: &acl.AccessLists_Acl_Rule_Matches_IpRule{
 Ip: &acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{
- SourceNetwork: srcIPAddr + "/32",
+ SourceNetwork: getHostIPNet(srcIPAddr),
 },
 },
 }
 matches = &acl.AccessLists_Acl_Rule_Matches{
 IpRule: &acl.AccessLists_Acl_Rule_Matches_IpRule{
 Ip: &acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{
- SourceNetwork: srcIPAddr + "/32",
+ SourceNetwork: getHostIPNet(srcIPAddr),
 },
 },
 }
diff --git a/vendor/github.com/ligato/vpp-agent/plugins/defaultplugins/aclplugin/vppcalls/acl_vppcalls.go b/vendor/github.com/ligato/vpp-agent/plugins/defaultplugins/aclplugin/vppcalls/acl_vppcalls.go
index 348a45b649..7e2e533108 100644
--- a/vendor/github.com/ligato/vpp-agent/plugins/defaultplugins/aclplugin/vppcalls/acl_vppcalls.go
+++ b/vendor/github.com/ligato/vpp-agent/plugins/defaultplugins/aclplugin/vppcalls/acl_vppcalls.go
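Review bot: `matches` is assigned the same literal twice in a row in `getFromRule`, and this commit has to update both copies, so the second assignment looks redundant. Unless lines outside the hunk give the two assignments different roles, drop one of them so that a later edit cannot change the source match in only one copy. The function starts before and ends after this hunk.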
@@ -379,10 +379,14 @@ func icmpACL(icmpRule *acl.AccessLists_Acl_Rule_Matches_IpRule_Icmp, aclRule *ac
 // Sets an TCP ACL rule fields into provided ACL Rule object.
 func tcpACL(tcpRule *acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp, aclRule *acl_api.ACLRule) *acl_api.ACLRule {
 aclRule.Proto = 6 // IANA TCP
- aclRule.SrcportOrIcmptypeFirst = uint16(tcpRule.SourcePortRange.LowerPort)
- aclRule.SrcportOrIcmptypeLast = uint16(tcpRule.SourcePortRange.UpperPort)
- aclRule.DstportOrIcmpcodeFirst = uint16(tcpRule.DestinationPortRange.LowerPort)
- aclRule.DstportOrIcmpcodeLast = uint16(tcpRule.DestinationPortRange.UpperPort)
+ if tcpRule.SourcePortRange != nil {
+ aclRule.SrcportOrIcmptypeFirst = uint16(tcpRule.SourcePortRange.LowerPort)
+ aclRule.SrcportOrIcmptypeLast = uint16(tcpRule.SourcePortRange.UpperPort)
+ }
+ if tcpRule.DestinationPortRange != nil {
+ aclRule.DstportOrIcmpcodeFirst = uint16(tcpRule.DestinationPortRange.LowerPort)
+ aclRule.DstportOrIcmpcodeLast = uint16(tcpRule.DestinationPortRange.UpperPort)
+ }
 aclRule.TCPFlagsValue = uint8(tcpRule.TcpFlagsValue)
 aclRule.TCPFlagsMask = uint8(tcpRule.TcpFlagsMask)
 return aclRule