I am testing following :
RTR1 has secondary ip address and an ACL allowing ICMP only from sources on prinmary and secondary range.
what I have noticed when pinging from 2 host from primary and secondary range is that ACL has to allow a whole /24 and not /25 for example.
ip address 188.8.131.52 255.255.255.128 seconda
ip address 184.108.40.206 255.255.255.128
ip access-group 133 in
frame-relay map ip 220.127.116.11 102 broadcast
frame-relay map ip 18.104.22.168 102 broadcast
Rack1R1#sh ip access-lists 133
Extended IP access list 133
10 permit icmp 22.214.171.124 0.0.0.255 any (15 matches)
20 permit icmp 126.96.36.199 0.0.0.255 any (60 matches)
can have either 188.8.131.52 or 184.108.40.206.
and it is not a frame relay mapping problem. I can ping accross when ACL is out.
Is there any rules when secondary ranges are used
I am not understanding your question very well. You make a comment that the ACL needs to permit /24 and not /25. We do not know what you did, but I have configured ACLs similar to what you have with /25 and it has worked well. Perhaps you can post what you attempted to configure for /25 and we might see what the issue is. I am guessing that you did not have the correct mask for filtering /25 (which should be 0.0.0.127).
I am not aware of any rules about access lists and secondary addressing. There are a few rules in general for using secondary addressing. Probably the most important is that all routers in the subnet should use the same addressing/subnet as primary. Also it is best if all routers in the subnet have the same list of secondary addresses.
Are you saying that with this access list in place that you can not ping but when the access list is removed that you can ping? Where are you pinging from? What addresses are you pinging?