12-17-2012 01:18 PM
Hello Community,
Can someone please tell me why this access list won't work?
I can still ping 150.2.2.2 from R1, with IP address 172.28.38.1, even though it's in the /24; however, I can't ping from R4 with IP address 172.28.38.1 even though it's in the /16 subnet.
Extended IP access list 102
10 permit ip host 192.168.1.2 any
20 permit ip host 172.28.38.1 any
30 deny ip 172.28.38.0 0.0.0.255 any
40 permit ip 172.28.0.0 0.0.255.255 any
Attached are the configs and topology.
12-18-2012 04:06 AM
Hi Carlton,
The problem is because you have the same IP address assigned to two different routers. Regardless of the subnet mask applied, the IP address is the same.
So when you ping from R1 to 150.2.2.2, the ping is successful as your ACL allows the traffic. The ping will match line 20 in the ACL.
When you ping from R4, the packet must traverse R1 to reach the network 150.2.2.0/24. The issue here is that R4 sends a packet with an IP source of 172.28.38.1, and when it reaches R1, R1 sees that it also has an IP of 172.28.38.1 assigned to its loopback 1 interface. R1 knows it cannot have sent that packet and promptly drops it.
Try changing the loopback 1 IP of R4 to 172.28.38.2.
As a side note, you would generally apply ACLs to traffic flowing IN to an interface.
HTH
Paul
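To see which entry of the posted ACL 102 a given source address actually hits (and why the ACL itself is not what blocks 172.28.38.1), here is an added wildcard-mask evaluator written for this thread; it is not code from either poster and only models source matching, since every entry has destination "any".

```python
import ipaddress

# ACL 102 exactly as posted in the question: (sequence, action, source spec).
ACL_102 = [
    (10, "permit", "host 192.168.1.2"),
    (20, "permit", "host 172.28.38.1"),
    (30, "deny",   "172.28.38.0 0.0.0.255"),
    (40, "permit", "172.28.0.0 0.0.255.255"),
]

MASK32 = 0xFFFFFFFF


def parse_source(spec):
    """Turn 'host A', 'any', or 'A WILDCARD' into (address_int, wildcard_int)."""
    parts = spec.split()
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    if parts[0] == "any":
        return 0, MASK32
    return (int(ipaddress.IPv4Address(parts[0])),
            int(ipaddress.IPv4Address(parts[1])))


def matches(addr, spec):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wild = parse_source(spec)
    care = ~wild & MASK32
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(acl, src):
    """First match wins; an ACL ends with an implicit deny (sequence None)."""
    for seq, action, spec in acl:
        if matches(src, spec):
            return seq, action
    return None, "deny"


if __name__ == "__main__":
    # Constructed sample sources: the loopback from the thread, Paul's
    # suggested replacement, another /16 host, and an unrelated address.
    for src in ("172.28.38.1", "172.28.38.2", "172.28.1.5", "10.0.0.1"):
        print(src, "->", evaluate(ACL_102, src))
```

With the ACL as posted, 172.28.38.1 is permitted by line 20 from either router, which is consistent with the drop being a duplicate-address problem rather than an ACL match. Note that a source of 172.28.38.2 falls past line 20 and is denied by line 30, so the ACL would also need adjusting after renumbering R4's loopback.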