RST-3508
9805_05_2004_c2
© 2004 Cisco Systems, Inc. All rights reserved. Printed in USA.
When ACLs Are Misbehaving
ACLs Passing or Dropping Traffic When They Are Not Supposed To
• Remove the ACL and see whether the drops are still there
• Check the access-list counters
  • Use clear access-list counters, then show access-list, so that you only see hits from the traffic you are testing with
  • Counters update every 15 seconds
  • If the packets are hitting a deny entry, they are being dropped by design: check your configuration
• Check the interface counters to make sure the box is actually receiving the packets
• Remember the implicit deny ip any any at the end of every ACL: make it explicit with a final deny ip any any entry, so that its hits show up in the counters
• Check CPU utilization
  • If packets are being processed in software rather than in hardware, there can be drops
Miscellaneous ACL Considerations
• Fragments are being permitted
  • Layer 4 information (ports, TCP flags) is available only in the first fragment, so an entry that matches on Layer 4 cannot deny a non-initial fragment
• Fragments are being dropped
  • Tiny fragments (too short to carry the complete Layer 4 header) are dropped to prevent DoS attacks
• ToS/DSCP fields are not being matched correctly
  • Check the trust state of the port: an untrusted port rewrites the ToS/DSCP value on ingress, so the ACL matches the rewritten value rather than the one the host sent
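The two points above that bite most often, the implicit deny and the Layer 4 fragment behaviour, are easier to see in a small simulator than in a slide bullet. The following is an added example, not Cisco code and not part of the presentation: it parses a handful of extended-ACL lines in IOS syntax and applies the documented IOS fragment rule (an entry with Layer 4 information is compared normally against unfragmented packets and initial fragments; a non-initial fragment has no Layer 4 header, so a permit entry matches it on Layer 3 alone and a deny entry does not match it at all, letting it fall through to the next entry). The addresses, the ACLs and the packets are constructed for the example; only destination ports, `any`, `host` and contiguous wildcard masks are parsed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One extended-ACL entry; dport set means the entry carries Layer 4 information."""
    action: str                  # 'permit' or 'deny'
    proto: str                   # 'ip', 'tcp' or 'udp'
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # from 'eq PORT'
    fragments: bool = False      # 'fragments' keyword: non-initial fragments only


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None  # None: no Layer 4 header present
    frag_offset: int = 0         # > 0 marks a non-initial fragment


def _addr(tokens: List[str]) -> IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous wildcards only)."""
    word = tokens.pop(0)
    if word == "any":
        return IPv4Network("0.0.0.0/0")
    if word == "host":
        return IPv4Network(f"{tokens.pop(0)}/32")
    return IPv4Network(f"{word}/{tokens.pop(0)}", strict=False)  # host-mask form


def parse_ace(line: str) -> Ace:
    """Parse e.g. 'deny tcp any host 10.1.1.10 eq 23' (destination port only)."""
    tokens = line.split()
    if tokens[0].isdigit():      # optional sequence number
        tokens.pop(0)
    action, proto = tokens.pop(0), tokens.pop(0)
    ace = Ace(action, proto, _addr(tokens), _addr(tokens))
    while tokens:
        word = tokens.pop(0)
        if word == "eq":
            ace.dport = int(tokens.pop(0))
        elif word == "fragments":
            ace.fragments = True
        elif word != "log":      # logging does not change the match decision
            raise ValueError(f"unsupported keyword: {word}")
    return ace


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index) of the first matching entry; index None means the implicit deny."""
    noninitial = pkt.frag_offset > 0
    src, dst = IPv4Address(pkt.src), IPv4Address(pkt.dst)
    for i, ace in enumerate(acl):
        if ace.proto not in ("ip", pkt.proto) or src not in ace.src or dst not in ace.dst:
            continue
        if ace.fragments:        # matches non-initial fragments only
            if noninitial:
                return ace.action, i
            continue
        if ace.dport is None:    # Layer 3 entry: applies to every packet and fragment
            return ace.action, i
        if not noninitial:       # Layer 4 header present: compare the port
            if pkt.dport == ace.dport:
                return ace.action, i
            continue
        # Non-initial fragment against a Layer 4 entry: no port to compare.  IOS
        # permits on the Layer 3 match; a deny does not match and the fragment
        # falls through, which is why "fragments are being permitted".
        if ace.action == "permit":
            return "permit", i
    return "deny", None          # the implicit deny ip any any


# Constructed ACLs and traffic (hypothetical addresses, not from the slides).
LEAKY = [parse_ace(l) for l in (
    "deny tcp any host 10.1.1.10 eq 23",     # intent: no telnet to the server
    "permit ip any any")]
HARDENED = [parse_ace("deny ip any host 10.1.1.10 fragments")] + LEAKY
STRICT = [parse_ace("permit tcp any host 10.1.1.10 eq 80")]
EXPLICIT = STRICT + [parse_ace("deny ip any any log")]  # implicit deny made explicit
TELNET = Packet("tcp", "192.0.2.7", "10.1.1.10", dport=23)
TELNET_FRAG = Packet("tcp", "192.0.2.7", "10.1.1.10", dport=None, frag_offset=185)
WEB = Packet("tcp", "192.0.2.7", "10.1.1.10", dport=80)

if __name__ == "__main__":
    for name, acl in (("leaky", LEAKY), ("hardened", HARDENED), ("explicit", EXPLICIT)):
        for pkt in (TELNET, TELNET_FRAG, WEB):
            print(name, pkt.dport, pkt.frag_offset, evaluate(acl, pkt))
```

With LEAKY, the initial telnet packet is denied by entry 0 but a non-initial fragment of the same flow sails through on the permit ip any any, which is the "fragments are being permitted" case. HARDENED puts a Layer 3 deny with the fragments keyword in front, which closes the hole at the cost of dropping every non-initial fragment to that host, the very complaint in the next bullet, so it only suits hosts that should never receive fragmented traffic. STRICT versus EXPLICIT shows the difference the slide is after: STRICT drops the telnet packet with index None, which is the implicit deny that show access-list never counts, whereas EXPLICIT drops it on entry 1, whose counter and log message you can actually inspect.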
command, and then check the statistics