3.2 Troubleshoot router security features
📘CCNP Enterprise – ENARSI (300-410)
1. What is an IPv4 ACL?
An Access Control List (ACL) is a set of rules that routers or switches use to permit or deny network traffic. ACLs are used for:
- Controlling which users or devices can access network resources.
- Filtering traffic for security or policy enforcement.
- Protecting sensitive network segments.
ACLs are processed top to bottom. The first matching rule applies, and if no rule matches, there is an implicit “deny all” at the end.
2. Types of IPv4 ACLs
There are three main types for the CCNP ENARSI exam:
A. Standard ACLs
- Number range: 1–99 and 1300–1999
- Purpose: Filter traffic based only on source IP address.
- Cannot filter by destination or protocol.
- Placement: Usually applied closest to the destination network to avoid blocking legitimate traffic.
Example Syntax:
```
access-list 10 permit 192.168.1.0 0.0.0.255
```
- `10` → ACL number
- `permit` → Action (allow traffic)
- `192.168.1.0 0.0.0.255` → Source network and wildcard mask
Apply to interface:
```
interface GigabitEthernet0/0
 ip access-group 10 in
```
Key Exam Points:
- Only checks source IP.
- ACLs are processed top-down.
- Implicit deny at the end blocks everything else.
B. Extended ACLs
- Number range: 100–199 and 2000–2699
- Purpose: Filter traffic based on:
- Source IP
- Destination IP
- Protocol (TCP, UDP, ICMP)
- Ports or services (like HTTP, FTP, SSH)
- Placement: Usually applied closest to the source network to reduce unwanted traffic early.
Example Syntax:
```
access-list 110 permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 80
```
- `110` → ACL number
- `permit tcp` → Allow TCP protocol
- `192.168.1.0 0.0.0.255` → Source network
- `10.0.0.0 0.0.0.255` → Destination network
- `eq 80` → Only allow HTTP traffic
Apply to interface:
```
interface GigabitEthernet0/0
 ip access-group 110 out
```
Key Exam Points:
- Can filter source, destination, protocol, and port.
- Use “in” or “out” depending on traffic direction.
- Top-down processing and implicit deny still apply.
C. Time-Based ACLs
- An ACL entry (normally in an extended ACL) that is active only during a defined time range.
- Useful for restricting access during off-hours or limiting services at night.
Step 1: Define a time range
```
time-range WORK_HOURS
 periodic weekdays 08:00 to 18:00
```
- `periodic weekdays 08:00 to 18:00` → Active Monday to Friday, 8 AM to 6 PM
Step 2: Apply time-range to ACL
```
access-list 110 permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 80 time-range WORK_HOURS
```
Key Exam Points:
- Outside the time range the entry is inactive and skipped, so traffic falls through to later entries or the implicit deny.
- Useful for reducing risk and limiting network exposure.
3. Common Troubleshooting Steps
When ACLs block traffic unexpectedly, follow these steps:
Step 1: Verify ACL configuration
```
show access-lists
```
- Displays all ACLs and their permit/deny rules.
- Shows hit counts to see if a rule matches traffic.
Step 2: Check interface application
```
show running-config
```
- Ensure the ACL is applied to the correct interface and in the correct direction (`in` or `out`).
Step 3: Check order of rules
- ACLs are processed top-down.
- A deny before a permit can block traffic unexpectedly.
Step 4: Test traffic
- Use ping, traceroute, or Telnet/SSH to check connectivity.
- Compare with ACL hit counts to identify which rule is blocking.
Step 5: Verify time-based ACLs
```
show time-range
```
- Ensure the ACL is active during the testing time.
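As an added example (not part of these notes and not Cisco IOS code), a small Python simulator of how a router evaluates the page's ACL 110: wildcard-mask matching, top-down first match, per-entry hit counters like `show access-lists`, time-range activation and the implicit deny, with a deliberately misplaced deny ahead of the permit to show the Step 3 problem. The `Entry` fields, the constructed packet and timestamps, and the hour-granularity time check are simplifying assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

@dataclass
class Entry:
    action: str                          # "permit" or "deny"
    proto: str                           # "ip" matches any protocol
    src: tuple                           # (network, wildcard)
    dst: tuple = ("0.0.0.0", "255.255.255.255")   # equivalent of "any"
    dport: Optional[int] = None          # eq <port>; None = any port
    time_range: Optional[tuple] = None   # (weekday numbers, start_hour, end_hour)
    hits: int = 0                        # the match counter shown by show access-lists

    def active(self, now: datetime) -> bool:
        if self.time_range is None:
            return True
        days, start, end = self.time_range   # hour granularity only (simplification)
        return now.weekday() in days and start <= now.hour < end

def evaluate(acl: list, pkt: dict, now: datetime):
    """Top-down, first active match wins; index None = implicit deny at the end."""
    for i, e in enumerate(acl):
        if (e.active(now) and e.proto in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], *e.src) and wildcard_match(pkt["dst"], *e.dst)
                and (e.dport is None or e.dport == pkt.get("dport"))):
            e.hits += 1
            return e.action, i
    return "deny", None

WEEKDAYS = {0, 1, 2, 3, 4}                 # Monday..Friday, as in "periodic weekdays"
MONDAY_10AM = datetime(2024, 6, 3, 10, 0)  # constructed timestamps for the checks
SUNDAY_10AM = datetime(2024, 6, 2, 10, 0)
HTTP_PKT = {"proto": "tcp", "src": "192.168.1.25", "dst": "10.0.0.9", "dport": 80}

def build_acl_110() -> list:
    """Constructed ACL: a misplaced deny (the Step 3 problem) shadows the page's HTTP permit."""
    return [
        Entry("deny", "ip", ("192.168.1.0", "0.0.0.255"), ("10.0.0.0", "0.0.0.255")),
        Entry("permit", "tcp", ("192.168.1.0", "0.0.0.255"), ("10.0.0.0", "0.0.0.255"),
              80, (WEEKDAYS, 8, 18)),
    ]
```

Running `evaluate(build_acl_110(), HTTP_PKT, MONDAY_10AM)` returns `("deny", 0)` because the deny is hit first; dropping that entry yields `("permit", 0)` on a weekday and `("deny", None)` on Sunday, when the time range makes the permit inactive.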
4. Exam Tips
- Remember the ranges: Standard (1–99, 1300–1999), Extended (100–199, 2000–2699)
- Standard ACLs → filter source only. Extended → filter source, destination, protocol, port.
- Placement matters:
- Standard: close to destination
- Extended: close to source
- Implicit deny: If traffic isn’t matched, it’s automatically denied.
- Use `show access-lists` to troubleshoot efficiently.
- Time-based ACLs can be tested with the router clock in mind.
✅ Key Commands Summary
| Command | Purpose |
|---|---|
| `access-list <number> permit\|deny <source> <wildcard>` | Define a standard ACL entry |
| `access-list <number> permit\|deny <protocol> <source> <dest> eq <port>` | Define an extended ACL entry |
| `time-range <name>` | Define time-based ACL period |
| `show access-lists` | Verify ACL hits and rules |
| `show running-config` | Verify ACL applied on interfaces |
| `ip access-group <ACL> in\|out` | Apply an ACL to an interface in a direction |
