7.3 Troubleshoot ACLs
7.3.1 Processing packets with ACLs
7.3.1.1 The Implicit Deny Any
An ACL that contains only deny ACEs denies all traffic: every packet that matches no explicit ACE falls through to the implicit deny any at the end of the list, so a single-entry ACL with one deny entry has the effect of blocking everything. At least one permit ACE must be configured in an ACL, or all traffic is blocked.
7.3.1.2 The Order of ACEs in an ACL
Cisco IOS applies an internal logic when accepting and processing standard ACEs. As discussed previously, ACEs are processed sequentially; therefore, the order in which ACEs are entered is important.
7.3.1.3 Cisco IOS Reorders Standard ACLs
The order in which standard ACEs are entered may not be the order that they are stored, displayed, or processed by the router.
The show running-config command is used to verify the ACL configuration. Notice that the statements are listed in a different order than they were entered. The show access-lists command shows the logic behind this.
The order in which the standard ACEs are listed by show access-lists is the sequence the IOS uses to process the list. Notice that the statements are grouped into two sections, host statements followed by range statements. The sequence number indicates the order in which the statement was entered, not the order in which it is processed.
7.3.1.4 Routing Processes and ACLs
If the destination address of the frame is accepted by the router, the frame header is stripped off and the router checks for an ACL on the inbound interface. If an ACL exists, the packet is tested against the statements in the list.
If the packet matches a statement, the packet is either permitted or denied; if it matches no statement, it is denied by the implicit deny any. If the packet is permitted, it is then checked against the routing table entries to determine the destination interface. If a routing table entry exists for the destination, the packet is switched to the outgoing interface; otherwise the packet is dropped.
Next, the router checks whether the outgoing interface has an ACL. If an ACL exists, the packet is tested against the statements in the list.
7.3.2 Common IPv4 Standard ACL Errors
7.3.2.1 Troubleshooting Standard IPv4 ACLs Example 1
Using the show commands described earlier reveals most of the more common ACL errors. The most common errors are entering ACEs in the wrong order and not specifying adequate ACL rules, such as omitting a permit statement so that the implicit deny any blocks traffic that was meant to pass.
Solution: ACL 10 contains no permit ACE, so all traffic leaving the G0/0 interface toward the 192.168.30.0/24 LAN, including PC1's, is currently implicitly denied. Add a statement to ACL 10 to permit all other traffic, as shown in Figure 2. PC1 should now be able to access the file server. Output from the show access-lists command verifies that a ping from PC1 to the File Server matches the permit any statement.
7.3.2.2 Troubleshooting Standard IPv4 ACLs Example 2
In Figure 1, PC2 cannot access PC1, nor can it access the Internet through R2. When viewing the output of the show access-lists command, you can see that PC2 is matching the deny statement. ACL 20 is applied to the wrong interface: where it is applied on G0/1, the deny statement catches all of PC2's traffic rather than only the traffic destined for PC1's LAN.
Solution: To correct this error, remove ACL 20 from the G0/1 interface and apply it outbound on the G0/0 interface, as shown in Figure 3. PC2 still cannot access PC1, but can now access the Internet.
7.3.2.3 Troubleshooting Standard IPv4 ACLs Example 3
In Figure 1, PC1 is unable to remotely access R1 using an SSH connection. Viewing the running configuration section for the VTY lines reveals that an ACL named PC1-SSH is correctly applied for inbound connections. The ACL itself, however, permits the wrong IPv4 address, so PC1's connection attempts fall through to the implicit deny any.
Solution: Figure 2 shows the process for correcting the error. Because the statement that needs to be corrected is the first statement, we use its sequence number 10 to delete it by entering no 10 in named ACL configuration mode. We then configure the permit statement with the correct IPv4 address for PC1. The clear access-list counters command resets the match counters so that show access-lists shows only new matches.
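The following model ties together the processing rules of 7.3.1 (implicit deny any, first-match order, host entries checked before range entries, inbound ACL then routing then outbound ACL) and replays the errors in Examples 1 and 2 of 7.3.2. It is an added example written for this page, not Cisco IOS code or output. The router topology, interface names (G0/0, G0/1, G0/2, S0/0/0), addresses, routing table and the contents of ACL 10 and ACL 20 are all constructed and do not reproduce the figures; the parser accepts IOS standard ACE syntax, and the ordering of host entries among themselves is simplified to entry order where real IOS uses an internal hash.

```python
"""Model of IOS standard-ACL processing, added to replay the 7.3 scenarios (not Cisco code).
Topology, addresses, interface names and ACL contents are constructed, not the page's figures."""
import ipaddress
import re

WILD_ANY = 0xFFFFFFFF
ACE_RE = re.compile(r"^(?:access-list\s+\S+\s+)?(permit|deny)\s+"
                    r"(?:host\s+(\S+)|(any)|(\S+)(?:\s+(\S+))?)$")
R1_ROUTES = [("192.168.30.0/24", "G0/0"), ("192.168.10.0/24", "G0/1"),  # constructed table:
             ("192.168.11.0/24", "G0/2"), ("0.0.0.0/0", "S0/0/0")]      # longest prefix first

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_ace(line):
    """Parse IOS standard ACE syntax: 'permit host A', 'deny A W', 'permit any', 'deny A' (host)."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a standard ACE: {line!r}")
    action, host, anyw, addr, wild = m.groups()
    if host:
        return action, ip_int(host), 0
    if anyw:
        return action, 0, WILD_ANY
    return action, ip_int(addr), (ip_int(wild) if wild else 0)

class Ace:
    def __init__(self, seq, action, network, wildcard):
        self.seq, self.action, self.network, self.wildcard = seq, action, network, wildcard
        self.matches = 0  # hit counter, as shown by 'show access-lists'

    def covers(self, src):
        care = ~self.wildcard & WILD_ANY  # wildcard bit 0 = must match, 1 = don't care
        return (src & care) == (self.network & care)

class StandardAcl:
    def __init__(self, name):
        self.name, self.aces = name, []  # entry order; IOS numbers entries 10, 20, ...

    def add(self, line):
        self.aces.append(Ace(max((a.seq for a in self.aces), default=0) + 10, *parse_ace(line)))

    def processing_order(self):
        # 7.3.1.3: host entries before range entries (IOS hashes the host group; entry order kept here)
        return sorted(self.aces, key=lambda a: a.wildcard != 0)

    def check(self, src):
        """First matching ACE decides (7.3.1.2); no match is the implicit deny any (7.3.1.1)."""
        s = ip_int(src)
        for ace in self.processing_order():
            if ace.covers(s):
                ace.matches += 1
                return ace.action, ace.seq
        return "deny", None

class Router:
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes]
        self.acl_in, self.acl_out = {}, {}  # interface name -> StandardAcl

    def route(self, dst):
        return next((i for n, i in self.routes if ipaddress.ip_address(dst) in n), None)

    def forward(self, ingress, src, dst):
        """7.3.1.4: inbound ACL, then routing lookup, then outbound ACL."""
        if ingress in self.acl_in and self.acl_in[ingress].check(src)[0] == "deny":
            return "dropped: inbound ACL on " + ingress
        egress = self.route(dst)
        if egress is None:
            return "dropped: no route"
        if egress in self.acl_out and self.acl_out[egress].check(src)[0] == "deny":
            return "dropped: outbound ACL on " + egress
        return "forwarded via " + egress

def reorder_demo():
    """7.3.1.3: a host ACE entered after a range ACE is still checked first."""
    acl = StandardAcl("30")
    acl.add("access-list 30 permit 192.168.10.0 0.0.0.255")
    acl.add("access-list 30 deny host 192.168.10.10")
    return acl.check("192.168.10.10"), [a.seq for a in acl.processing_order()]

def example_1():
    """7.3.2.1: ACL 10 with only a deny ACE also blocks PC1; 'permit any' fixes it."""
    r, acl10 = Router(R1_ROUTES), StandardAcl("10")
    acl10.add("access-list 10 deny 192.168.11.0 0.0.0.255")
    r.acl_out["G0/0"] = acl10
    before = r.forward("G0/1", "192.168.10.10", "192.168.30.100")  # PC1 -> file server
    acl10.add("access-list 10 permit any")
    after = r.forward("G0/1", "192.168.10.10", "192.168.30.100")
    return before, after, acl10.aces[1].matches  # the ping now matches 'permit any'

def example_2():
    """7.3.2.2: ACL 20 inbound on PC2's interface blocks PC2 everywhere; move it toward PC1's LAN."""
    r, acl20 = Router(R1_ROUTES), StandardAcl("20")
    acl20.add("access-list 20 deny host 192.168.11.10")
    acl20.add("access-list 20 permit any")
    r.acl_in["G0/2"] = acl20
    wrong = (r.forward("G0/2", "192.168.11.10", "192.168.10.10"),  # PC2 -> PC1
             r.forward("G0/2", "192.168.11.10", "198.51.100.1"))   # PC2 -> Internet
    del r.acl_in["G0/2"]
    r.acl_out["G0/1"] = acl20
    right = (r.forward("G0/2", "192.168.11.10", "192.168.10.10"),
             r.forward("G0/2", "192.168.11.10", "198.51.100.1"))
    return wrong, right
```

reorder_demo shows why the host-before-range grouping matters: entered sequentially, the permit for 192.168.10.0/24 would hide the later deny host 192.168.10.10, but because host entries are checked first the host is denied. example_1 returns the drop caused by the implicit deny, the forwarded result after permit any is added, and the hit counter on that ACE (what show access-lists would report for the verifying ping). example_2 returns the two results with ACL 20 on the wrong interface (everything from PC2 dropped) and the two after moving it outbound toward PC1's LAN (only PC2-to-PC1 dropped).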