© 2004 Cisco Systems, Inc. All rights reserved. Printed in USA.
RST-3508
9805_05_2004_c2
When ACLs Are Misbehaving
• Remove the ACL and see if the drops are still there
• Check access-list counters
  Use the clear access-list counters command, then check the statistics with show access-list
  Counters update every 15 seconds
  If packets are hitting a deny entry, they are dropped; check your configuration
• Check interface counters to make sure that the box is indeed receiving packets
• Remember the implicit IP deny any any at the end of an ACL; make it explicit
• Check CPU utilization
  If packets are being processed in software, there can be drops
ACLs Passing or Dropping Traffic When They Are Not Supposed To
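As an added example (not from the slides), a small Python parser for show access-lists output that applies two of the checks above: it flags deny entries whose counters have moved since clear access-list counters, and ACLs that still rely on the implicit deny (which has no counter to inspect). The sample output, sequence numbers and match counts are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample of `show access-lists` output (not taken from the slides).
SAMPLE_SHOW_ACCESS_LISTS = """\
Extended IP access list 101
    10 permit tcp any host 10.0.0.5 eq www (1532 matches)
    20 permit udp any any eq domain
    30 deny ip 192.168.1.0 0.0.0.255 any (42 matches)
Extended IP access list INBOUND_EDGE
    10 permit tcp any any established (980 matches)
    20 deny ip any any log (17 matches)
Standard IP access list 10
    10 permit 10.1.1.0, wildcard bits 0.0.0.255 (7 matches)
    20 deny   any (3 matches)
"""

ACL_HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)")
# Lazy rule group so the trailing "(N matches)" is captured separately when present.
ACL_ENTRY = re.compile(r"^\s+(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")

@dataclass
class AclEntry:
    seq: int
    action: str
    rule: str
    matches: int  # 0 when IOS prints no "(N matches)" suffix

@dataclass
class Acl:
    name: str
    kind: str
    entries: List[AclEntry] = field(default_factory=list)

def parse_access_lists(text: str) -> List[Acl]:
    """Turn `show access-lists` output into Acl objects, one per list."""
    acls: List[Acl] = []
    for line in text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            acls.append(Acl(name=m.group(2), kind=m.group(1)))
            continue
        m = ACL_ENTRY.match(line)
        if m and acls:
            acls[-1].entries.append(
                AclEntry(int(m.group(1)), m.group(2), m.group(3), int(m.group(4) or 0)))
    return acls

def deny_hits(acls: List[Acl]):
    """Deny entries with a nonzero counter: these are the entries explaining the drops."""
    return [(a.name, e.seq, e.rule, e.matches)
            for a in acls for e in a.entries if e.action == "deny" and e.matches > 0]

def lacks_explicit_final_deny(acl: Acl) -> bool:
    """True if the ACL ends without an explicit deny-all, i.e. it relies on the implicit deny."""
    if not acl.entries:
        return True
    last = acl.entries[-1]
    return not (last.action == "deny" and last.rule.startswith(("ip any any", "any")))
```

Run it against pasted output after clear access-list counters and a 15-second wait, so the counters reflect only the traffic you are troubleshooting.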
Miscellaneous ACL Considerations
• Fragments are being permitted
  Layer 4 information is available only in the first fragment
• Fragments are being dropped
  Tiny fragments are dropped to prevent DoS attacks
• TOS/DSCP fields are not being matched correctly
  Check the trust state of the port