Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
542
Views
0
Helpful
1
Replies

Access-List Question

Carlton Patterson
Level 1
Level 1

‎12-17-2012 01:18 PM

Hello Community,

Can someone please tell why this access list wont work.

I can still ping 150.2.2.2 from R1, with ip address 172.28.38.1 even though its in /24, however I can't ping from R4 with ip address 172.28.38.1 even its in /16 subnet.

Extended IP access list 102

    10 permit ip host 192.168.1.2 any

    20 permit ip host 172.28.38.1 any

    30 deny ip 172.28.38.0 0.0.0.255 any

    40 permit ip 172.28.0.0 0.0.255.255 any

Attached are the configs and topology.

Labels:
140061-21-04-46--R2(127.0.0.1).txt.zip
140063-21-05-00--R4(127.0.0.1).txt.zip
140062-21-04-53--R3(127.0.0.1).txt.zip
75 KB
140042-21-04-39--R1(127.0.0.1).txt.zip
0 Helpful
1 Reply 1

paulstone80
Level 3
Level 3

‎12-18-2012 04:06 AM

Hi Carlton,

The problem is because you have the same IP address assigned to two different routers. Regardless of the subnet mask applied, the IP address is the same.

So when you ping from R1 to 150.2.2.2, the ping is successful as your ACL allows the traffic. The ping will match line 20 in the ACL.

When you ping from R4, the packet must traverse R1 to reach the network 150.2.2.0/24. The issue here is that R4 sends a packet with an IP source of 172.28.38.1, and when it reaches R1, R1 sees that it also has an IP of 172.28.38.1 assigned to its loopback 1 interface. R1 knows it can not have sent that packet and promptly drops it.

Try changing the loopback 1 IP of R4 to 172.28.38.2.

As a side note, you would generally apply ACLs to traffic flowing IN to an interface.

HTH

Paul

HTH Paul ****Please rate useful posts****
0 Helpful
Customers Also Viewed These Support Documents