5.3 Given a scenario, troubleshoot common issues with network services
Switching Issues
📘CompTIA Network+ (N10-009)
1. What is an ACL?
An Access Control List (ACL) is like a set of rules on a network device that controls which traffic is allowed or denied. ACLs can be applied on routers or switches to improve security, control traffic flow, and manage network resources.
- Think of ACLs as gatekeepers for network traffic.
- They check packets and decide whether to allow or block them based on certain rules.
2. Types of ACLs
There are two main types of ACLs:
a) Standard ACLs
- Filter traffic only by source IP address.
- Simple and fast, but less flexible.
- Usually applied closest to the destination in a network.
Example:
- Allow traffic from 192.168.1.10 to pass.
- Block all other traffic from other IP addresses.
b) Extended ACLs
- Filter traffic by source IP, destination IP, protocol type (TCP, UDP, ICMP), and port numbers.
- More advanced and flexible.
- Usually applied closest to the source in a network.
Example:
- Allow HTTP traffic (TCP port 80) from 192.168.1.10 to 10.0.0.5.
- Block FTP traffic (TCP port 21) from any device.
3. How ACLs are applied on switches
Switches mostly use VLAN ACLs (VACLs) or port ACLs (PACLs):
- Port ACLs (PACLs)
  - Applied on a specific switch port.
  - Controls traffic entering or leaving that port.
- VLAN ACLs (VACLs)
  - Applied to all devices in a VLAN.
  - Controls traffic within the VLAN and traffic coming in/out of the VLAN.
4. Common ACL issues and troubleshooting
In the context of Network+ troubleshooting, ACLs can cause network problems if misconfigured. Here are common issues:
a) Traffic blocked unexpectedly
- Problem: Users cannot access a server or service.
- Cause: ACL rules are too restrictive or applied on the wrong interface/VLAN.
- Fix: Check ACL rules and ensure correct source, destination, and port permissions.
b) Traffic allowed unintentionally
- Problem: Sensitive resources are accessible to unauthorized devices.
- Cause: ACL rules are too permissive or ordered incorrectly.
- Fix: Review ACL order and rules; remember ACLs are processed top-down—the first match applies.
c) Misplaced ACLs
- Problem: Network performance issues or unnecessary blocks.
- Cause: ACL applied on the wrong interface or in the wrong direction (inbound/outbound).
- Fix: Ensure the ACL is applied in the correct direction:
  - Inbound: Traffic entering the interface.
  - Outbound: Traffic leaving the interface.
d) Syntax errors
- Problem: ACL does not work at all.
- Cause: Typo in IP address, subnet mask, or protocol.
- Fix: Verify all ACL entries carefully.
5. Tips for ACL troubleshooting
- Check ACL order – Rules are processed from top to bottom. Once a packet matches, no further rules are checked.
- Check ACL placement – Ensure ACL is applied on the correct interface and in the correct direction.
- Test traffic with ping or traceroute – Identify whether traffic is blocked by ACL.
- Use logs – Many devices can log dropped packets; this helps identify which ACL rule caused the block.
- Remember implicit deny – All ACLs have an implicit “deny all” at the end, even if you don’t add it. You must explicitly allow traffic you want.
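To make the top-down, first-match and implicit-deny behaviour concrete, here is an added Python example that is not part of these notes: a small ACL evaluator whose Rule class, evaluate() and shadowed_rules() functions, and sample rule sets are all constructed for illustration. It replays the "traffic allowed unintentionally" ordering problem from 4 b) and the extended ACL example from section 2.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source network in CIDR form, or "any"
    dst: str = "any"             # destination network (extended ACLs only)
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port; None matches any port

def _net(cidr: str):
    # "any" is treated as the whole IPv4 space
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)

def evaluate(acl, src, dst="0.0.0.0", proto="any", dport=None):
    """Top-down, first-match evaluation ending in the implicit deny.
    Returns (action, index of the matching rule); index None means implicit deny."""
    for i, r in enumerate(acl):
        if (ipaddress.ip_address(src) in _net(r.src)
                and ipaddress.ip_address(dst) in _net(r.dst)
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action, i
    return "deny", None  # nothing matched: the implicit "deny all" applies

def shadowed_rules(acl):
    """Indices of source-only (standard) rules that can never match because an
    earlier rule already covers their whole source range."""
    return [j for j, later in enumerate(acl)
            if any(_net(later.src).subnet_of(_net(earlier.src)) for earlier in acl[:j])]

# Constructed standard ACL in the wrong order: the /24 permit shadows the host deny.
MISORDERED = [Rule("permit", "192.168.1.0/24"), Rule("deny", "192.168.1.10/32")]
# The same two rules, corrected: the specific deny comes before the broad permit.
CORRECTED = [Rule("deny", "192.168.1.10/32"), Rule("permit", "192.168.1.0/24")]
# Constructed extended ACL from section 2: HTTP from one host to one server,
# FTP denied from anywhere, everything else falls to the implicit deny.
EXTENDED = [
    Rule("permit", "192.168.1.10/32", "10.0.0.5/32", "tcp", 80),
    Rule("deny", "any", "any", "tcp", 21),
]

if __name__ == "__main__":
    print(evaluate(MISORDERED, "192.168.1.10"))                        # ('permit', 0): misorder lets it through
    print(evaluate(CORRECTED, "192.168.1.10"))                         # ('deny', 0)
    print(shadowed_rules(MISORDERED))                                  # [1]: the deny can never match
    print(evaluate(EXTENDED, "192.168.1.10", "10.0.0.5", "tcp", 80))   # ('permit', 0)
    print(evaluate(EXTENDED, "192.168.1.10", "10.0.0.5", "tcp", 443))  # ('deny', None): implicit deny
```

Running shadowed_rules() over a candidate ACL before applying it catches the ordering mistake that the evaluator otherwise only reveals packet by packet.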
6. Exam-focused key points
For the CompTIA Network+ exam, remember:
| Topic | Key Points to Remember |
|---|---|
| ACL purpose | Control traffic, improve security, manage network access |
| Standard ACL | Filters by source IP only |
| Extended ACL | Filters by source/destination IP, protocol, port |
| Direction | ACL can be inbound or outbound |
| Common issues | Misplaced ACLs, overly strict/loose rules, syntax errors, traffic blocked/allowed unexpectedly |
| Implicit deny | All ACLs end with an automatic “deny all” rule |
7. Quick IT Environment Example
- Scenario 1: A company wants only HR computers to access the HR server.
  - Use a standard ACL on the HR VLAN router: allow the HR PCs’ IPs, deny all others.
- Scenario 2: Only allow web traffic (HTTP/HTTPS) from Sales to the internet but block FTP.
  - Use an extended ACL specifying the Sales subnet: allow destination ports 80/443, deny port 21.
ACLs are all about rules, order, and placement. Understanding these basics is enough to answer exam questions and troubleshoot ACL issues in real networks.
