Cisco Support Community

ACL for secondary ip range

Hi

I am testing the following:

RTR1 has a secondary IP address and an ACL allowing ICMP only from sources on the primary and secondary range.

What I have noticed when pinging from 2 hosts on the primary and secondary range is that the ACL has to allow a whole /24 and not a /25, for example.

config:

RTR1

interface Serial1/0
 ip address 187.116.42.1 255.255.255.128 secondary
 ip address 187.116.45.1 255.255.255.128
 ip access-group 133 in
 encapsulation frame-relay
 no dce-terminal-timing-enable
 frame-relay map ip 187.116.42.2 102 broadcast
 frame-relay map ip 187.116.45.2 102 broadcast

Rack1R1#sh ip access-lists 133
Extended IP access list 133
    10 permit icmp 187.116.45.0 0.0.0.255 any (15 matches)
    20 permit icmp 187.116.42.0 0.0.0.255 any (60 matches)

RTR2 can have either 187.116.42.2 or 187.116.45.2.

And it is not a frame relay mapping problem. I can ping across when the ACL is out.

Are there any rules when secondary ranges are used?

TIA

Sam

1 ACCEPTED SOLUTION

Hall of Fame Super Silver

Re: ACL for secondary ip range

Sam

I am not understanding your question very well. You make a comment that the ACL needs to permit /24 and not /25. We do not know what you did, but I have configured ACLs similar to what you have with /25 and it has worked well. Perhaps you can post what you attempted to configure for /25 and we might see what the issue is. I am guessing that you did not have the correct mask for filtering /25 (which should be 0.0.0.127).

I am not aware of any rules about access lists and secondary addressing. There are a few rules in general for using secondary addressing. Probably the most important is that all routers in the subnet should use the same addressing/subnet as primary. Also it is best if all routers in the subnet have the same list of secondary addresses.

Are you saying that with this access list in place you cannot ping, but when the access list is removed you can ping? Where are you pinging from? What addresses are you pinging?

HTH

Rick

4 REPLIES
Cisco Employee

Re: ACL for secondary ip range

There is no such restriction. Can you show us the ACL you were using when it failed?

Regards,

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
Re: ACL for secondary ip range

Hi Rick

ACLs have always been a weak spot... now it's embarrassing..

Yes, you were right: the reverse mask was incorrect. It should be 0.0.0.127 and not 0.0.0.128.

Re: ACL for secondary ip range

I missed the basic rule for the reverse mask: 255 - subnet mask.
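Rick's point that a /25 needs the wildcard 0.0.0.127, and Sam's rule of 255 minus each octet of the subnet mask, can be checked mechanically. The Python below is an added example written for this page, not code from the thread or from Cisco; it assumes only the standard IOS wildcard semantics (a 1 bit in the wildcard means "don't care", a 0 bit must match) and goes beyond the single /25 case: it derives the wildcard for any prefix length and lists exactly which addresses a mistyped wildcard such as 0.0.0.128 really matches, which is why the ping from 187.116.45.2 was dropped while a /24 entry worked.

```python
import ipaddress


def wildcard_from_prefix(prefix_len: int) -> str:
    """Return the IOS wildcard (inverse) mask for a prefix length.

    The wildcard is the bitwise inverse of the subnet mask, i.e. 255 minus
    each octet of the mask: /25 (255.255.255.128) -> 0.0.0.127.
    """
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def ace_matches(address: str, ace_address: str, wildcard: str) -> bool:
    """Apply IOS access-control-entry matching to one source address.

    A wildcard bit of 1 means "don't care"; every bit that is 0 in the
    wildcard must be identical in the packet source and the ACE address.
    """
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(ace_address))
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (a & care) == (n & care)


def matched_sources(ace_address: str, wildcard: str, subnet: str) -> list:
    """List every address in `subnet` that the ACE would permit.

    Iterating an IPv4Network yields all 2^(32-len) addresses, network and
    broadcast included, so a /24 gives 256 candidates.
    """
    return [
        str(h)
        for h in ipaddress.IPv4Network(subnet)
        if ace_matches(str(h), ace_address, wildcard)
    ]


if __name__ == "__main__":
    # Constructed sample taken from the thread: the secondary range
    # 187.116.45.0/25 and the host RTR2 pings from.
    src = "187.116.45.2"
    print("wildcard for /25 is", wildcard_from_prefix(25))
    for wc in ("0.0.0.128", "0.0.0.127", "0.0.0.255"):
        hits = matched_sources("187.116.45.0", wc, "187.116.45.0/24")
        print(
            f"wildcard {wc}: {src} permitted={ace_matches(src, '187.116.45.0', wc)}, "
            f"{len(hits)} of 256 addresses in the /24 match"
        )
```

With wildcard 0.0.0.128 the entry `permit icmp 187.116.45.0 0.0.0.128 any` permits only 187.116.45.0 and 187.116.45.128 (every other bit of the last octet must be zero), so the ping from .2 hits the implicit deny; with 0.0.0.127 it permits the full lower /25, and with 0.0.0.255 the whole /24, which is what Sam saw.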
