cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
228
Views
2
Helpful
3
Replies

strange problem with extended access-list - it does not apply

**Hamid**
Level 1
Level 1

Hi,

I am working on a real router (this is not LAB). when I apply the following configuration on the router, the configuration does not as i configured on router. that mean in the running configuration it will automaticly changed to ""10 permit ip host 10.1.1.1 10.0.0.0 0.255.255.255"" and also I can not see items 20 and 30.

ip access-list extended test1
10 permit ip host 10.1.1.1 10.200.1.0 0.255.255.255
20 permit ip host 10.1.1.1 10.200.2.0 0.255.255.255
30 permit ip host 10.1.1.1 10.200.3.0 0.255.255.255

 

can you please help me why the above configuration could not be applied exactly on the router?

1 Accepted Solution

Accepted Solutions

Joseph W. Doherty
Hall of Fame
Hall of Fame

It's because each of your ACEs are all the equivalent of what the router shows and as you've effectively written the same ACE 3x, router drops the duplicates.

If it's unclear why your 3 statements are equivalents, it's because of your mask which makes the last 3 octets wildcards, i.e. your destination is, for all 3, 10.0.0.0/8.

If you want to match against the /24s, your mask should be 0.0.0.255.

You could also match those 3 /24s using just two ACEs.

View solution in original post

3 Replies 3

Joseph W. Doherty
Hall of Fame
Hall of Fame

It's because each of your ACEs are all the equivalent of what the router shows and as you've effectively written the same ACE 3x, router drops the duplicates.

If it's unclear why your 3 statements are equivalents, it's because of your mask which makes the last 3 octets wildcards, i.e. your destination is, for all 3, 10.0.0.0/8.

If you want to match against the /24s, your mask should be 0.0.0.255.

You could also match those 3 /24s using just two ACEs.


@Joseph W. Doherty wrote:

You could also match those 3 /24s using just two ACEs.


If you're curious, there are two ways to match those 3 /24s using just two ACEs (very worth understanding):

ip access-list extended test1
 permit ip host 10.1.1.1 10.200.1.0 0.0.0.255 !matches 10.200.1.0/24
 permit ip host 10.1.1.1 10.200.2.0 0.0.1.255 !matches 10.200.2.0/23 (10.200.2.0/24 and 10.200.3.0/24)

or

ip access-list extended test1
 deny   ip host 10.1.1.1 10.200.0.0 0.0.0.255 !matches 10.200.0.0/24
 permit ip host 10.1.1.1 10.200.0.0 0.0.3.255 !matches 10.200.0.0/22 (10.200.0.0/24, 10.200.1.0/24, 10.200.2.0/24 and 10.200.3.0/24)

 

Thank you so much Joseph

Review Cisco Networking for a $25 gift card