Topic 7.3 Troubleshoot ACLs
7.3.2.1 Troubleshooting Standard IPv4 ACLs
Using the show commands described earlier reveals most of the more common ACL errors. The most common errors are entering ACEs in the wrong order and not specifying adequate ACL rules.
Other common errors include applying the ACL in the wrong direction, on the wrong interface, or with the wrong source addresses.
Security Policy:
PC2 should not be able to access the File Server.
Although PC2 cannot access the File Server, neither can PC1. The output of the show access-list command shows that only PC2 is explicitly denied; however, there is no permit statement allowing other access, so the implicit deny at the end of the ACL blocks everyone else.
7.3.2.2 Troubleshooting Standard IPv4 ACLs
Security Policy:
The 192.168.11.0/24 network should not be able to access the 192.168.10.0/24 network.
PC2 cannot access PC1. Nor can it access the Internet through R2. When viewing the output of the show access-list command, you can see that PC2 is matching the deny statement. ACL 20 seems to be configured correctly. You suspect that it must be incorrectly applied and view the interface configurations for R1.
The show run command filtered to view the interface configurations reveals that ACL 20 was applied to the wrong interface and in the wrong direction. All traffic from the 192.168.11.0/24 network is denied inbound access through the G0/1 interface.
7.3.2.3 Troubleshooting Standard IPv4 ACLs
Security Policy:
Only PC1 is allowed SSH remote access to R1.
PC1 is unable to remotely access R1 using an SSH connection. Viewing the running configuration section for the VTY lines reveals that an ACL named PC1-SSH is correctly applied for inbound connections. The VTY lines are correctly configured to only allow SSH connections.
From the output of the show access-list command, you notice that the IPv4 address in the ACE is that of the G0/0 interface on R1, not the IPv4 address of PC1.
The Implicit Deny Any
A single-entry ACL with only one deny entry has the effect of denying all traffic. At least one permit ACE must be configured in an ACL or all traffic is blocked.
The Order of ACEs in an ACL
Cisco IOS applies an internal logic when accepting and processing standard ACEs. As discussed previously, ACEs are processed sequentially; therefore, the order in which ACEs are entered is important.
Cisco IOS Reorders Standard ACLs
The order in which standard ACEs are entered may not be the order that they are stored, displayed, or processed by the router.
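As an added example (not part of this page or of Cisco's own code), the following Python model evaluates a standard ACL the way the sections above describe: sequential first-match on the source address using wildcard masks, with an implicit deny any at the end. It reproduces the 7.3.2.1 and 7.3.2.2 policies using constructed host addresses, since the page gives none, and it does not model the internal reordering of standard ACEs that IOS performs.

```python
import ipaddress

# Constructed addresses (assumption: the page does not state the hosts' IPv4 addresses).
PC1 = "192.168.10.10"          # in 192.168.10.0/24
PC2 = "192.168.11.10"          # in 192.168.11.0/24


def parse_ace(ace: str):
    """Parse one standard ACE: 'deny host A', 'permit any', 'permit A', or 'permit A WILDCARD'."""
    parts = ace.split()
    action = parts[0]
    if parts[1] == "any":
        net, wild = "0.0.0.0", "255.255.255.255"
    elif parts[1] == "host":
        net, wild = parts[2], "0.0.0.0"
    elif len(parts) == 2:                      # bare address means a single host (wildcard 0.0.0.0)
        net, wild = parts[1], "0.0.0.0"
    else:
        net, wild = parts[1], parts[2]
    return action, int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))


def matches(src: str, net: int, wild: int) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care' for that bit."""
    return (int(ipaddress.IPv4Address(src)) | wild) == (net | wild)


def evaluate(acl, src: str):
    """First matching ACE wins; returns (action, index). No match hits the implicit deny (index None)."""
    for i, (action, net, wild) in enumerate(acl):
        if matches(src, net, wild):
            return action, i
    return "deny", None


def build(aces):
    return [parse_ace(a) for a in aces]


# 7.3.2.1: a single deny with no permit blocks PC1 as well, because of the implicit deny any.
BROKEN = build(["deny host 192.168.11.10"])
FIXED = build(["deny host 192.168.11.10", "permit any"])
# Order matters: with permit any first, the deny is never reached and PC2 is allowed through.
WRONG_ORDER = build(["permit any", "deny host 192.168.11.10"])
# 7.3.2.2: deny the whole 192.168.11.0/24 network, then permit everything else.
POLICY_20 = build(["deny 192.168.11.0 0.0.0.255", "permit any"])
```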
Routing Processes and ACLs
When a packet arrives at a router interface, the router process is the same, whether ACLs are used or not. As a frame enters an interface, the router checks to see whether the destination Layer 2 address matches its interface Layer 2 address, or whether the frame is a broadcast frame.