09-18-2024 02:52 AM - edited 09-18-2024 03:02 AM
Hi,
I am working on a real router (this is not a lab). When I apply the following configuration on the router, the configuration does not appear as I configured it on the router. That means in the running configuration it is automatically changed to "10 permit ip host 10.1.1.1 10.0.0.0 0.255.255.255", and I also cannot see items 20 and 30.
ip access-list extended test1
10 permit ip host 10.1.1.1 10.200.1.0 0.255.255.255
20 permit ip host 10.1.1.1 10.200.2.0 0.255.255.255
30 permit ip host 10.1.1.1 10.200.3.0 0.255.255.255
Can you please help me understand why the above configuration cannot be applied exactly on the router?
09-18-2024 03:12 AM - edited 09-18-2024 03:52 AM
It's because each of your ACEs is equivalent to what the router shows, and as you've effectively written the same ACE 3x, the router drops the duplicates.
If it's unclear why your 3 statements are equivalent, it's because of your mask, which makes the last 3 octets wildcards, i.e. your destination is, for all 3, 10.0.0.0/8.
If you want to match against the /24s, your mask should be 0.0.0.255.
You could also match those 3 /24s using just two ACEs.
09-18-2024 11:34 AM
@Joseph W. Doherty wrote:
You could also match those 3 /24s using just two ACEs.
If you're curious, there are two ways to match those 3 /24s using just two ACEs (very worth understanding):
ip access-list extended test1
permit ip host 10.1.1.1 10.200.1.0 0.0.0.255 !matches 10.200.1.0/24
permit ip host 10.1.1.1 10.200.2.0 0.0.1.255 !matches 10.200.2.0/23 (10.200.2.0/24 and 10.200.3.0/24)
or
ip access-list extended test1
deny ip host 10.1.1.1 10.200.0.0 0.0.0.255 !matches 10.200.0.0/24
permit ip host 10.1.1.1 10.200.0.0 0.0.3.255 !matches 10.200.0.0/22 (10.200.0.0/24, 10.200.1.0/24, 10.200.2.0/24 and 10.200.3.0/24)
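An added example (not from the thread or from Cisco) that models IOS wildcard-mask matching, to check the two claims above: the three ACEs as typed all normalize to 10.0.0.0/8, and both two-ACE rewrites permit exactly the same destinations as three 0.0.0.255 ACEs. ACLs are constructed here as (action, destination, wildcard) tuples; the source host is the same in every ACE, so it is omitted.

```python
import ipaddress

# Constructed model of Cisco wildcard matching (added example, not the
# router's code). Wildcard bit 1 = don't care, bit 0 = must match.

def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def normalize_ace(network, wildcard):
    """Address IOS stores for the ACE: bits covered by a 1 in the wildcard are zeroed."""
    keep = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(ip_to_int(network) & keep))

def wildcard_match(addr, network, wildcard):
    """True when addr agrees with network on every bit the wildcard does not mask."""
    keep = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & keep) == (ip_to_int(network) & keep)

def acl_permits(acl, dst):
    """First matching ACE wins; an ACL ends with an implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(dst, network, wildcard):
            return action == "permit"
    return False

def permitted_hosts(acl, scope="10.200.0.0/21"):
    """Every destination inside scope that the ACL permits (2048 addresses by default)."""
    return {str(a) for a in ipaddress.ip_network(scope) if acl_permits(acl, str(a))}

# The three ACLs discussed in the thread, plus the one the poster intended.
AS_TYPED = [("permit", "10.200.%d.0" % i, "0.255.255.255") for i in (1, 2, 3)]
INTENDED = [("permit", "10.200.%d.0" % i, "0.0.0.255") for i in (1, 2, 3)]
TWO_ACE_SUMMARY = [("permit", "10.200.1.0", "0.0.0.255"),
                   ("permit", "10.200.2.0", "0.0.1.255")]
TWO_ACE_DENY_FIRST = [("deny", "10.200.0.0", "0.0.0.255"),
                      ("permit", "10.200.0.0", "0.0.3.255")]

if __name__ == "__main__":
    for _, net, wc in AS_TYPED:
        print(net, wc, "-> stored as", normalize_ace(net, wc))  # all 10.0.0.0
    print(len(permitted_hosts(AS_TYPED)), "of 2048 permitted as typed")  # 2048
    want = permitted_hosts(INTENDED)
    print(len(want), "destinations intended")  # 768
    print(permitted_hosts(TWO_ACE_SUMMARY) == want,
          permitted_hosts(TWO_ACE_DENY_FIRST) == want)  # True True
```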
09-19-2024 12:23 AM
Thank you so much Joseph