7.3 Troubleshoot ACLs (7.3.1 Processing Packets with ACLs (184.108.40.206 …
Processing Packets with ACLs
The Implicit Deny Any
At least one permit ACE must be configured in an ACL or all traffic is blocked.
Network 192.168.10.0 will be permitted to access the networks reachable through S0/0/0, while 192.168.11.0 will not be allowed to access those networks.
In ACL 1, if a packet does not match the permit statement, it is discarded
A single-entry ACL with only one deny entry has the effect of denying all traffic
For the network in the figure, applying either ACL 1 or ACL 2 to the S0/0/0 interface of R1 in the outbound direction will have the same effect.
The Order of ACEs in an ACL
Cisco IOS applies an internal logic when accepting and processing standard ACEs.
As discussed previously, ACEs are processed sequentially; therefore, the order in which ACEs are entered is important.
Cisco IOS Reorders Standard ACLs
The order in which standard ACEs are entered may not be the order that they are stored, displayed, or processed by the router.
command is used to verify the ACL configuration. Notice that the statements are listed in a different order than they were entered.
We will use the show
command to understand the logic behind this.
The order in which the standard ACEs are listed is the sequence used by the IOS to process the list. Notice that the statements are grouped into two sections, host statements followed by range statements.
The sequence number indicates the order that the statement was entered, not the order the statement will be processed.
The host statements are listed first but not necessarily in the order that they were entered. The IOS puts host statements in an order using a special hashing function.
The resulting order optimizes the search for a host ACL entry. The range statements are displayed after the host statements. These statements are listed in the order in which they were entered.
Routing Processes and ACLs
the packet matches a statement, the packet is either permitted or denied. If the packet is accepted, it is then checked against routing table entries to determine the destination interface.
If a routing table entry exists for the destination, the packet is then switched to the outgoing interface, otherwise the packet is dropped.
If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface. If an ACL exists, the packet is tested against the statements in the list.
As a frame enters an interface, the router checks to see whether the destination Layer 2 address matches its interface Layer 2 address, or whether the frame is a broadcast frame.
When a packet arrives at a router interface, the router process is the same, whether ACLs are used or not.
the router checks whether the outgoing interface has an ACL. If an ACL exists, the packet is tested against the statements in the list.
If the packet matches a statement, it is either permitted or denied.
If there is no ACL or the packet is permitted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.
Common IPv4 Standard ACL Errors
Troubleshooting Standard IPv4 ACLs - Example 2
The 192.168.11.0/24 network should not be able to access the 192.168.10.0/24 network.
PC2 cannot access PC1. Nor can it access the Internet through R2. When viewing the output of the show access-list command, you can see that PC2 is matching the deny statement. ACL 20 seems to be configured correctly. You suspect that it must be incorrectly applied and view the interface configurations for R1
Solution: To correct this error, remove ACL 20 from the G0/1 interface and apply it outbound on the G0/0 interface, as shown in Figure 3. PC2 cannot access PC1, but can now access the Internet.
Troubleshooting Standard IPv4 ACLs - Example 3
: Only PC1 is allowed SSH remote access to R1.
Solution: Figure 2 shows the process for correcting the error. Because the statement that needs to be corrected is the first statement, we use the sequence number 10 to delete it by entering no 10. We then configure the correct IPv4 address for PC1. The clear access-list counters command resets the output to only show new matches. An attempt from PC2 to remotely access R1 is successful, as shown in the output for the show access-list command.
Troubleshooting Standard IPv4 ACLs - Example 1
Using the show commands described earlier reveals most of the more common ACL errors.
The most common errors are entering ACEs in the wrong order and not specifying adequate ACL rules. Other common errors include applying the ACL using the wrong direction, the wrong interface, or the wrong source addresses.
: PC2 should not be able to access the File Server.
viewing the output of the show access-list command, only PC2 is explicitly denied there is no permit statement allowing other access.
Solution: All access out the G0/0 interface to the 192.168.30.0/24 LAN is currently implicitly denied. Add a statement to ACL 10 to permit all other traffic, as shown in Figure 2. PC1 should now be able to access the file server. Output from the show access-list command verifies that a ping from PC1 to the File Server matches the permit any statement.