How to Troubleshoot ACL Errors

As discussed earlier, ACL errors can be troubleshot with the show commands. ACEs placed in the wrong order are the most common ACL error. This article discusses some common errors in ACL configuration.

ACL Errors – Example 1

In the figure, host 192.168.2.2 has no HTTP or HTTPS access to 192.168.4.2. When the show access-lists command is entered, matches are shown for the first deny statement, which indicates that the traffic has been matched by that statement.

Now, look at the order of the entries. Host 192.168.2.2 has no connectivity with 192.168.4.2 because of the position of statement 10 in the access list. Because the router processes an ACL from top to bottom, statement 10 denies all TCP traffic from host 192.168.2.2, so statement 20 can never be matched. Statements 10 and 20 should be reversed. The third line allows all other non-TCP IP traffic, such as ICMP, UDP, etc.

ACL Errors – Example 2

The network 192.168.2.0/24 cannot use TFTP to connect to the 192.168.4.2 server.

The 192.168.2.0/24 network cannot use TFTP to connect to 192.168.4.2 because TFTP uses UDP, and the show access-lists output shows that the ACL has no permit entry for UDP traffic.

The access list allows all other TCP traffic, and UDP is implicitly denied. The implied deny any statement does not appear in the show access-lists output, so no matches are shown for it. The third statement must be changed from tcp any any to ip any any.

ACL Errors – Example 3

In the topology in the figure, the 192.168.1.0/24 network can use Telnet to connect to 192.168.4.0/24, but policy says this connection should not be allowed. The output of the show access-lists command shows that the permit statement has been matched.

The 192.168.1.0/24 network can use Telnet because the Telnet port number is placed incorrectly in statement 10 of access-list 101.

It currently denies packets whose source port is equal to Telnet. To deny Telnet traffic inbound on fa0/0, the statement must deny packets whose destination port is equal to Telnet, for example deny tcp any any eq telnet.
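As an added example (not code from the original article), the following Python first-match ACL evaluator reproduces all three errors and their fixes. The ACL statements, the extra host addresses, and the names ACE, matches and evaluate are assumptions, since the article's own ACLs appear only in its figures.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any IP protocol; else "tcp"/"udp"/"icmp"
    src: str                     # CIDR or "any"
    dst: str
    sport: Optional[int] = None  # "eq <port>" on the source side
    dport: Optional[int] = None  # "eq <port>" on the destination side

def matches(ace: ACE, pkt: dict) -> bool:
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    for net, addr in ((ace.src, pkt["src"]), (ace.dst, pkt["dst"])):
        if net != "any" and ip_address(addr) not in ip_network(net):
            return False
    if ace.sport is not None and pkt.get("sport") != ace.sport:
        return False
    return ace.dport is None or pkt.get("dport") == ace.dport

def evaluate(acl: list, pkt: dict):
    """First match wins, top to bottom; the trailing implicit deny has no ACE and no counter."""
    for seq, ace in enumerate(acl, start=1):
        if matches(ace, pkt):
            return ace.action, seq * 10   # (action, statement number)
    return "deny", None

# Constructed ACLs (assumed; the article's real ACLs are in figures). Example 1: statement 10
# shadows statement 20, so HTTP from 192.168.2.2 is denied until the two are swapped.
EX1_WRONG = [ACE("deny", "tcp", "192.168.2.2/32", "192.168.4.2/32"),
             ACE("permit", "tcp", "192.168.2.2/32", "192.168.4.2/32", dport=80),
             ACE("permit", "ip", "any", "any")]
EX1_FIXED = [EX1_WRONG[1], EX1_WRONG[0], EX1_WRONG[2]]
HTTP = {"proto": "tcp", "src": "192.168.2.2", "dst": "192.168.4.2", "sport": 40000, "dport": 80}

# Example 2: "permit tcp any any" leaves UDP (TFTP, port 69) to the invisible implicit deny.
EX2_WRONG = [ACE("permit", "tcp", "any", "any")]
EX2_FIXED = [ACE("permit", "ip", "any", "any")]
TFTP = {"proto": "udp", "src": "192.168.2.10", "dst": "192.168.4.2", "sport": 50000, "dport": 69}

# Example 3: "eq telnet" on the source side never matches a client whose destination port is 23.
EX3_WRONG = [ACE("deny", "tcp", "192.168.1.0/24", "192.168.4.0/24", sport=23),
             ACE("permit", "ip", "any", "any")]
EX3_FIXED = [ACE("deny", "tcp", "192.168.1.0/24", "192.168.4.0/24", dport=23),
             ACE("permit", "ip", "any", "any")]
TELNET = {"proto": "tcp", "src": "192.168.1.5", "dst": "192.168.4.9", "sport": 51000, "dport": 23}
```

Calling evaluate(EX2_WRONG, TFTP) returns a deny with no statement number, which mirrors the missing match counter for the implicit deny in show access-lists.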