How to Troubleshoot ACL Errors

We can troubleshoot ACL errors using the show commands discussed earlier. ACEs in the wrong order are the most common ACL error. This article discusses some common errors in ACL configuration.

ACL Error – Example 1

In the figure, host has no HTTP or HTTPS access. When entering the show access-lists command, matches are shown for the first deny statement, which indicates that traffic has matched this statement.

Now look at the order of the entries. Host has no connectivity because of the position of statement 10 in the access list. The router processes the ACL from top to bottom: statement 10 denies all TCP traffic from the host, so statement 20 can never be matched. Statements 10 and 20 should be reversed. The third line permits all other IP traffic that is not TCP, for example ICMP and UDP.


ACL Errors – Example 2

The network cannot use TFTP to connect to the server.

The network cannot use TFTP to connect to the server because TFTP uses UDP, and the show access-lists output shows that the access list has no permit entry for UDP traffic.

The access list permits all other TCP traffic, so UDP is implicitly denied. The implicit deny any statement does not appear in show access-lists output, so no matches are displayed for it. The third statement must be changed from tcp any any to ip any any.


ACL Errors – Example 3

In the topology in the figure, the network can use Telnet to connect, but according to the policy this connection should not be allowed. The output of the show access-lists command shows that the permit statement has been matched.

The network can use Telnet because the Telnet port number in statement 10 of access-list 101 is in the wrong position in the ACL statement.

As written, it denies any packet whose source port equals Telnet. To deny Telnet traffic inbound on fa0/0, we need to deny packets whose destination port equals Telnet, for example deny tcp any any eq telnet.
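The three errors above (a shadowing deny, a tcp-only permit that leaves UDP to the implicit deny, and eq telnet applied to the source port) can be reproduced with a small top-down ACL evaluator. This is an added example, not code from the original article; the addresses and sequence numbers are constructed sample values.

```python
# Minimal simulator of how a router evaluates an extended ACL: top-down,
# first match wins, unmatched packets hit the implicit deny (which keeps no
# counter and is never shown by 'show access-lists').

def ace(seq, action, proto, src="any", dst="any", sport=None, dport=None):
    """One access-control entry; sport/dport model 'eq <port>' conditions."""
    return dict(seq=seq, action=action, proto=proto, src=src, dst=dst,
                sport=sport, dport=dport, matches=0)

def ace_matches(entry, pkt):
    """Field-by-field comparison; 'ip', 'any' and None match everything."""
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    for field in ("src", "dst"):
        if entry[field] != "any" and entry[field] != pkt[field]:
            return False
    for field in ("sport", "dport"):
        if entry[field] is not None and entry[field] != pkt[field]:
            return False
    return True

def evaluate(acl, pkt):
    """Return (action, seq). seq None means the implicit deny was reached."""
    for entry in acl:
        if ace_matches(entry, pkt):
            entry["matches"] += 1          # the counter 'show access-lists' shows
            return entry["action"], entry["seq"]
    return "deny", None

HOST, SERVER = "192.0.2.10", "198.51.100.5"   # constructed addresses

def pkt(proto, src, dst, sport, dport):
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport)

# Example 1: a deny placed before the more specific permit shadows it.
def example1(reversed_order=False):
    acl = [ace(10, "deny", "tcp", src=HOST),
           ace(20, "permit", "tcp", src=HOST, dport=80),
           ace(30, "permit", "ip")]
    if reversed_order:
        acl[0], acl[1] = acl[1], acl[0]
    return evaluate(acl, pkt("tcp", HOST, SERVER, 40000, 80))

# Example 2: 'permit tcp any any' leaves TFTP (UDP/69) to the implicit deny.
def example2(third_statement_proto="tcp"):
    acl = [ace(30, "permit", third_statement_proto)]
    return evaluate(acl, pkt("udp", HOST, SERVER, 40000, 69))

# Example 3: 'eq telnet' after the source field tests the source port, so a
# Telnet session (random source port, destination port 23) is not denied.
def example3(fixed=False):
    deny = ace(10, "deny", "tcp", dport=23) if fixed else ace(10, "deny", "tcp", sport=23)
    return evaluate([deny, ace(20, "permit", "ip")], pkt("tcp", HOST, SERVER, 40000, 23))
```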
