ACL error

Answered Question
Oct 4th, 2007
Hello,

When configuring an ACL on a 2950 using wildcard bits, it reports the following error below.

HAVC3003(config)#access-list 58 permit 10.2.0.0 255.255.255.0
%Error: The field sets of all the ACEs in an ACL should match

Yet if I configure the same on a 3750 switch, it accepts it happily. The ACL being configured should be for all entries below:

access-list 58 permit 10.2.240.1
access-list 58 permit 161.12.20.0 0.0.3.255
access-list 58 permit 10.2.0.0 255.255.255.0

2950 IOS: c2950-i6q4l2-mz.121-6.EA2a.bin

Can anyone shed any light please?

rgds
Phil


phil_carter Thu, 10/04/2007 - 02:36

Hello,

ignore the wildcard on the above, it should read:

HAVC3003(config)#access-list 58 permit 10.2.0.0 0.0.0.255
%Error: The field sets of all the ACEs in an ACL should match

access-list 58 permit 10.2.240.1
access-list 58 permit 161.12.20.0 0.0.3.255
access-list 58 permit 10.2.0.0 0.0.0.255

2950 IOS: c2950-i6q4l2-mz.121-6.EA2a.bin

Can anyone shed any light please?

rgds
Phil

Correct Answer
royalblues Thu, 10/04/2007 - 02:37

Phil,

You need to use wildcard masks with ACLs on a router and not the normal subnet masks

The ACLs should be

access-list 58 permit host 10.2.240.1
access-list 58 permit 161.12.20.0 0.0.3.255
access-list 58 permit 10.2.0.0 0.0.0.255

HTH, rate if it does

Narayan
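As an added illustration of the mask point in Narayan's answer (example code written for this page, not code from the thread or from Cisco): it converts a subnet mask to the wildcard form, parses the thread's standard ACEs (a bare address or `host` meaning wildcard 0.0.0.0, as IOS treats them), and evaluates addresses against ACL 58 so you can see that the original line with 255.255.255.0 as a wildcard permits addresses ending in .0 from any network rather than the 10.2.0.0/24 range. The 2950's own "field sets" check is not modelled here.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def subnet_to_wildcard(mask: str) -> str:
    """Invert a dotted subnet mask into the wildcard mask that IOS ACLs expect."""
    return str(ipaddress.IPv4Address(ALL_ONES ^ to_int(mask)))


def parse_standard_ace(line: str):
    """Parse 'access-list N permit|deny ...' into (action, base, wildcard).
    A bare address or the 'host' keyword means wildcard 0.0.0.0; 'any' matches all."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACE: {line!r}")
    action, rest = tok[2], tok[3:]
    if rest[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    return action, rest[0], (rest[1] if len(rest) > 1 else "0.0.0.0")


def ace_matches(base: str, wildcard: str, addr: str) -> bool:
    """Wildcard bit 1 = don't care, bit 0 = must equal the base address bit."""
    must_match = ALL_ONES ^ to_int(wildcard)
    return (to_int(addr) ^ to_int(base)) & must_match == 0


def acl_permits(acl, addr: str) -> bool:
    """First-match evaluation with the implicit deny at the end, as IOS does."""
    for action, base, wildcard in acl:
        if ace_matches(base, wildcard, addr):
            return action == "permit"
    return False


# Constructed from the thread: the corrected ACL 58, and the original line that
# used a subnet mask (255.255.255.0) where a wildcard mask belongs.
ACL_58 = [parse_standard_ace(ln) for ln in (
    "access-list 58 permit host 10.2.240.1",
    "access-list 58 permit 161.12.20.0 0.0.3.255",
    "access-list 58 permit 10.2.0.0 0.0.0.255",
)]
ACL_58_WRONG = [parse_standard_ace("access-list 58 permit 10.2.0.0 255.255.255.0")]
```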

royalblues Thu, 10/04/2007 - 03:00

Phil,

You need to have consistent masks with the access-lists on the 2950 switches.

Try using the same mask on all the 3 entries and you should be ok

This is not a problem with 3750 switches.

I did read this somewhere on the CCO but I am not able to find the link

HTH, rate if it does

Narayan

phil_carter Thu, 10/04/2007 - 03:38

Hi,

Tried this but it still doesn't want to know:

HAVC3003(config)#no access-list 58
HAVC3003(config)#access-list 58 permit host 10.2.240.1
HAVC3003(config)#access-list 58 permit 10.2.0.0 0.0.0.255
%Error: The field sets of all the ACEs in an ACL should match

Any more ideas?

Thanks
Phil

royalblues Thu, 10/04/2007 - 03:48

Phil,

Can you try the access-list as

access-list 58 permit 10.2.240.0 0.0.0.255
access-list 58 permit 10.2.0.0 0.0.0.255

Narayan

phil_carter Thu, 10/04/2007 - 04:53

Hmmm strange... if you add the wildcard entries first, and then the host addresses it takes them all ok...

HAVC3001(config)#access-list 58 permit 10.2.0.0 0.0.0.31
HAVC3001(config)#access-list 58 permit host 10.4.115.4
HAVC3001(config)#access-list 58 permit host 10.4.115.7

All working OK now - thanks for the help.

Phil