Why does your perfectly written access list let some traffic through while blocking legitimate traffic that should be permitted? This is one of the most frustrating and common issues on the CCNA 200-301 exam and in real network engineering. Access Control Lists (ACLs) are a fundamental security tool, but their implicit deny-all logic and sequential processing mean a single misplaced entry can break connectivity for an entire department. In this chapter, we will systematically troubleshoot why an ACL blocks legitimate traffic, covering the most frequent misconfigurations, verification commands, and the precise logic Cisco IOS uses when processing ACLs. This directly maps to exam objective 5.6: Troubleshoot ACL issues.
Jump to a section
Imagine a nightclub with a very strict bouncer named ACL. The club has a rule: only people whose names are on the approved list can enter. The bouncer has a clipboard with a list of names, and he checks each person one by one. If he finds a match, he lets them in. If he reaches the end of the list without finding a match, he denies entry. This is exactly how a standard ACL works: it processes entries in order, and if no match is found, the packet is denied.
Now, imagine the club manager gives the bouncer an updated list. The first entry says: 'Deny anyone wearing a red shirt.' The second entry says: 'Permit Bob.' Bob walks up wearing a red shirt. The bouncer sees the red shirt first, denies Bob, and never checks the second entry. Bob is denied even though his name is on the permit list. This is the classic 'order matters' problem: a deny entry placed before a permit entry for the same traffic will block it.
Another scenario: the list has an entry: 'Permit anyone from the VIP section (subnet 10.0.0.0/24).' But the entry is written as 'permit 10.0.0.0 0.0.0.255' – which is correct. However, the bouncer is actually checking the source IP address from the ID card. If a person from the VIP section has an ID that shows 10.0.1.5 (because they moved to a different subnet), the bouncer won't match. That's a wildcard mask or source IP misconfiguration.
Finally, imagine the bouncer only checks people entering the front door, but the VIPs use a side entrance. The ACL is applied to the wrong interface or direction. The bouncer never sees them. This mirrors applying an ACL to the wrong interface or forgetting to apply it inbound vs outbound.
By understanding the bouncer's rigid, sequential logic, you can predict exactly why an ACL might block legitimate traffic: wrong order, wrong wildcard mask, wrong source/destination, or wrong application point.
What is an ACL and Why Does It Block Legitimate Traffic?
An Access Control List (ACL) is a sequential list of permit or deny statements that filter packets based on criteria such as source IP, destination IP, protocol, and port numbers. On Cisco IOS, ACLs are processed top-down: the router examines each packet against the first entry; if it matches, the action (permit/deny) is applied and no further entries are checked. If no match is found by the end of the list, the packet is implicitly denied. This implicit deny is the default behavior for all ACLs, and it is the most common reason legitimate traffic gets blocked — the traffic simply does not match any permit entry.
But there are many other reasons an ACL might block traffic that should be permitted. These include: - Incorrect order of entries: A deny entry that matches the traffic appears before a permit entry. Since processing stops at the first match, the traffic is denied. - Incorrect wildcard mask: A wildcard mask that is too broad or too narrow can cause the ACL to match unintended traffic or miss intended traffic. - Incorrect source/destination addresses: The ACL entry specifies the wrong IP address or subnet. - Incorrect protocol or port: For extended ACLs, specifying the wrong protocol (e.g., TCP vs UDP) or port number (e.g., 80 vs 8080). - Applied to the wrong interface or direction: The ACL is placed on the wrong interface, or the direction (in/out) is incorrect. - Missing entries for return traffic: For stateful traffic like TCP, the ACL must permit return packets (e.g., established connections). - Incorrect placement of 'established' keyword: Misunderstanding how the 'established' keyword works for TCP.
How ACLs Process Packets: Step-by-Step
When a packet enters or exits an interface (depending on the ACL direction), the router performs the following steps:
Check if ACL is applied: The router checks whether an ACL is applied to the interface in the direction of packet flow. If not, the packet is processed normally.
Start at the top of the ACL: The router examines the first ACE (Access Control Entry).
Match criteria: The router compares the packet's fields (source IP, destination IP, protocol, ports) against the ACE's criteria. For standard ACLs, only source IP is checked. For extended ACLs, source, destination, protocol, and ports are checked.
If match found: The router applies the action (permit or deny) and stops processing. The packet is either forwarded or dropped.
If no match: The router moves to the next ACE.
End of list: If no ACE matches, the packet is dropped (implicit deny).
Key States, Timers, and Defaults
Implicit deny: Every ACL has an implicit deny all at the end. It is not visible in the configuration but always exists.
Wildcard mask: Unlike subnet masks, wildcard masks use 0 to mean 'must match' and 1 to mean 'ignore'. For example, 0.0.0.255 means match the first three octets exactly, ignore the last octet.
ACL types: Standard (1-99, 1300-1999) and Extended (100-199, 2000-2699). Standard ACLs filter only on source IP; extended ACLs filter on source, destination, protocol, and ports.
Direction: Inbound ACLs filter packets arriving on the interface; outbound ACLs filter packets leaving the interface.
No timers: ACLs themselves have no timers; they are static unless configured with time-based ACLs (not in CCNA).
IOS CLI Verification Commands
To troubleshoot an ACL that blocks legitimate traffic, use these commands:
show access-lists [acl-number]: Displays all ACEs with match counts.
show ip interface [interface]: Shows which ACLs are applied inbound/outbound.
show running-config | include access-list: Shows ACL configuration.
debug ip packet [acl-number]: Debugs packets matching an ACL (use with caution).
Example output:
Router# show access-lists 100
Extended IP access list 100
10 permit tcp 10.0.0.0 0.0.0.255 any eq 80 (10 matches)
20 deny ip any any (5 matches)Here, entry 10 has 10 matches, meaning 10 packets were permitted. Entry 20 (the implicit deny) has 5 matches, meaning 5 packets were denied. If legitimate traffic is being denied, check the match counts: if the deny entry has matches, the traffic matches it. If no matches on any entry, the traffic is being dropped by implicit deny (or not reaching the interface).
How ACLs Interact with Related Protocols
Routing: ACLs filter packets after the routing decision is made (for outbound ACLs) or before (for inbound). The router still routes the packet even if it will be denied later.
NAT: If NAT is applied, the ACL sees the packet before or after translation depending on where the ACL is applied. This can cause confusion: an ACL that permits a private IP may not match after NAT translates it to a public IP.
VPN: ACLs can filter VPN traffic; misconfigurations can block tunnel establishment or data.
VLAN ACLs (VACLs): Not in CCNA, but similar logic applies at Layer 2.
Common Misconfiguration Patterns
Pattern 1: Deny before permit
access-list 100 deny ip 10.0.0.0 0.0.0.255 any
access-list 100 permit tcp 10.0.0.5 0.0.0.0 any eq 80Traffic from 10.0.0.5 to port 80 will be denied because the first entry matches all traffic from the 10.0.0.0/24 subnet (including .5).
Pattern 2: Wrong wildcard mask
access-list 100 permit tcp 10.0.0.0 0.0.0.0 any eq 80This permits only the single host 10.0.0.0 (which is a network address, not a host). It should be 0.0.0.255 for the subnet or host 10.0.0.5 for a specific host.
Pattern 3: Missing permit for return traffic
For TCP, you need to permit return packets. Using the established keyword can help, but it only matches packets with the ACK or RST bit set. If you forget to permit return traffic, the three-way handshake completes (SYN, SYN-ACK, ACK), but data packets from the server to the client may be dropped if they are not ACK packets.
Pattern 4: ACL applied to wrong interface/direction An ACL applied inbound on interface Gig0/0 will filter traffic entering that interface. If you apply it outbound on the same interface, it filters traffic leaving. Applying it to the wrong interface altogether (e.g., Gig0/1 instead of Gig0/0) will not affect traffic on Gig0/0.
Summary
Troubleshooting ACL blocking legitimate traffic requires a systematic approach: verify the ACL entries and order, check the wildcard masks, confirm the interface and direction, and use show commands to see match counts. Remember the implicit deny and that order matters.
Identify the affected traffic
Begin by determining exactly which traffic is being blocked. Ask: What source IP, destination IP, protocol, and port? Is it a specific host or an entire subnet? Use tools like ping, telnet, or traceroute to test connectivity. For example, if a web server at 10.0.0.5 is unreachable from clients on subnet 192.168.1.0/24, note the source (192.168.1.x), destination (10.0.0.5), protocol (TCP), and port (80). This information will guide your ACL review.
Verify ACL application and direction
Use `show ip interface` on the relevant router interfaces to see which ACLs are applied and in which direction. For example: ``` Router# show ip interface gigabitethernet 0/0 GigabitEthernet0/0 is up, line protocol is up Inbound access list is 100 Outbound access list is not set ``` This shows ACL 100 is applied inbound. If the traffic should be filtered as it enters this interface, this is correct. If the traffic originates from a different interface, the ACL may be on the wrong interface or direction.
Review ACL entries and order
Display the ACL with `show access-lists 100`. Examine each entry in order. Look for any deny statement that could match the legitimate traffic before a permit statement. For example: ``` Router# show access-lists 100 Extended IP access list 100 10 deny ip 192.168.1.0 0.0.0.255 any 20 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 80 ``` Here, entry 10 denies all IP from the source subnet, so entry 20 will never be reached. The fix is to remove entry 10 or reorder (place permit first).
Check wildcard masks and addresses
Verify that the wildcard masks and IP addresses in the ACL entries exactly match the intended traffic. A common mistake is using a wildcard mask that is too broad (e.g., 0.0.0.0 for a single host) or too narrow (e.g., 0.0.0.255 for a /24 network but the source is a /25). For a specific host, use `host` keyword or `0.0.0.0` wildcard. For a subnet, ensure the wildcard is correct: for 192.168.1.0/24, wildcard is 0.0.0.255. Also check that the source/destination IP addresses are not reversed.
Verify protocol and port numbers
For extended ACLs, confirm that the protocol (TCP, UDP, ICMP, etc.) and port numbers are correct. For example, if you are permitting HTTP traffic, the port should be 80 (or 443 for HTTPS). A common error is using `eq 80` for TCP but the traffic is actually UDP (e.g., DNS uses UDP port 53). Use `show access-lists` to see match counts: if the permit entry has zero matches, the traffic may not match due to wrong protocol or port.
Check for return traffic issues
If the ACL is applied inbound on an interface that receives return traffic (e.g., from server to client), you must permit that return traffic. Use the `established` keyword for TCP to permit return packets that have the ACK or RST bit set. For example: ``` access-list 100 permit tcp any host 10.0.0.5 established ``` This allows packets from the server to the client that are part of an established connection. Without it, the three-way handshake may complete but data packets could be dropped. Alternatively, explicitly permit the return traffic by source/destination.
Test and verify with debug
After making changes, test connectivity again. Use `show access-lists` to see updated match counts. If still blocked, use `debug ip packet 100` (with caution in production) to see exactly which ACL entry matches the packet. For example: ``` Router# debug ip packet 100 IP: s=192.168.1.10 (Gig0/0), d=10.0.0.5, len 40, access list 100 denied ``` This shows the packet was denied by ACL 100. You can then check which entry caused the deny by looking at the match counts or using the `log` keyword on ACL entries.
In a real enterprise network, ACLs are used to enforce security policies between departments, such as allowing HR to access the payroll server while blocking other departments. A common scenario: the HR subnet is 10.10.10.0/24, and the payroll server is at 10.10.20.100. The network engineer configures an extended ACL on the core router's interface facing HR:
access-list 101 permit tcp 10.10.10.0 0.0.0.255 host 10.10.20.100 eq 443
access-list 101 deny ip any any
interface GigabitEthernet0/1
ip access-group 101 inBut HR users report they cannot access the payroll server. The engineer runs show access-lists 101 and sees zero matches on the permit entry but many matches on the implicit deny. After checking, they realize the payroll server actually uses port 8443, not 443. The fix is to change the port or permit both.
Another scenario: a company uses an ACL to block SSH access from the internet to their core router, but allow SSH from the management subnet (192.168.1.0/24). The ACL is applied inbound on the external interface:
access-list 102 permit tcp 192.168.1.0 0.0.0.255 any eq 22
access-list 102 deny tcp any any eq 22However, the management station at 192.168.1.50 cannot SSH to the router's external IP. The engineer checks show ip interface and finds the ACL is applied outbound instead of inbound. After correcting the direction, SSH works.
Scale and performance: ACLs are processed in hardware on modern switches, but on routers they are processed in software, which can impact performance if the ACL has many entries. Best practice is to place the most specific and frequently matched entries at the top to reduce processing time. Misconfiguration can lead to security breaches or service outages. For example, if an ACL inadvertently permits all traffic from a malicious subnet, it can lead to data exfiltration. Conversely, blocking legitimate traffic can cause critical applications to fail, leading to downtime and user complaints. Always test ACL changes in a lab or during maintenance windows.
On the CCNA 200-301 exam, objective 5.6 (Troubleshoot ACL issues) is tested through scenario-based questions where you must identify why an ACL is blocking traffic that should be permitted. The exam expects you to know:
The order of ACEs matters: deny before permit blocks.
Implicit deny at the end of all ACLs.
Wildcard mask logic: 0 = match, 1 = ignore.
Standard ACLs filter only on source IP; Extended ACLs filter on source, destination, protocol, and port.
The established keyword for TCP return traffic.
How to apply ACLs to interfaces with ip access-group.
Common wrong answers and why candidates choose them: 1. "The ACL is missing a permit any any at the end" – While adding a permit any any would allow all traffic, it defeats the purpose of an ACL. The implicit deny is always present; the issue is usually an earlier deny or misconfiguration. Candidates think they need to explicitly permit everything else, but that is not the problem. 2. "The wildcard mask should be 255.255.255.0" – This shows confusion between subnet masks and wildcard masks. A wildcard mask of 255.255.255.0 means ignore the first three octets and match the last octet, which is almost never intended. Candidates often invert the mask. 3. "The ACL should be applied outbound instead of inbound" – While direction matters, the exam often tests whether the ACL is applied to the correct interface. Candidates may assume the answer is always to flip the direction, but the real issue could be the order or mask. 4. "The ACL is blocking ICMP" – If the question is about TCP traffic, ICMP may not be relevant. Candidates might focus on ping failing, but the real problem is the TCP permit.
Specific values and commands to memorize:
Standard ACL range: 1-99, 1300-1999.
Extended ACL range: 100-199, 2000-2699.
Wildcard mask for a host: host keyword or 0.0.0.0.
Wildcard mask for a /24 subnet: 0.0.0.255.
Command: ip access-group <acl-number> {in|out}.
Verification: show access-lists, show ip interface.
Decision rule for scenario questions:
1. Identify the traffic (source, destination, protocol, port).
2. Check the ACL entries in order. Does any deny match? If so, reorder or remove.
3. Check the wildcard masks. Are they correct for the intended subnet/host?
4. Check the interface and direction. Is the ACL applied where the traffic flows?
5. Check for return traffic. If TCP, is established used or is return traffic permitted?
Elimination strategy: If a question shows an ACL with a deny statement before a permit for the same traffic, the answer is likely "the order is incorrect." If the ACL uses a wildcard mask like 0.0.0.255 for a single host, it's a mask issue. If the ACL is applied to the wrong interface, the show ip interface output will reveal it.
ACLs process entries top-down; first match wins, and implicit deny at end.
Standard ACLs (1-99, 1300-1999) filter only on source IP; Extended ACLs (100-199, 2000-2699) filter on source, destination, protocol, and port.
Wildcard mask: 0 means must match, 1 means ignore; use 'host' for single IP or 0.0.0.0.
Apply ACL to interface with 'ip access-group <acl> {in|out}'.
Use 'show access-lists' to see match counts; 'show ip interface' to see applied ACLs.
The 'established' keyword permits TCP packets with ACK or RST bit set (return traffic).
Common misconfigurations: deny before permit, wrong wildcard mask, wrong interface/direction, missing return traffic permit.
These come up on the exam all the time. Here's how to tell them apart.
Standard ACL
Filters only on source IP address
Range: 1-99, 1300-1999
Placed close to destination (best practice)
No protocol or port filtering
Simpler to configure but less granular
Extended ACL
Filters on source IP, destination IP, protocol, and port
Range: 100-199, 2000-2699
Placed close to source (best practice)
Can filter specific applications (e.g., HTTP, SSH)
More complex but provides finer control
Mistake
An ACL with only permit statements will allow all traffic because there is no explicit deny.
Correct
Every ACL has an implicit deny at the end. If traffic does not match any permit, it is denied.
Candidates forget the implicit deny and think ACLs are permissive by default.
Mistake
The wildcard mask 0.0.0.255 means the same as subnet mask 255.255.255.0.
Correct
Wildcard mask 0.0.0.255 means match the first three octets exactly and ignore the last octet. It is the inverse of a subnet mask.
Candidates confuse subnet masks with wildcard masks because they look similar.
Mistake
An extended ACL can be applied to an interface without specifying the direction, and it will filter both inbound and outbound.
Correct
An ACL must be applied with a direction (in or out). It only filters traffic in that direction. Use 'ip access-group <acl> in' or 'out'.
Candidates think ACLs are bidirectional, but they are unidirectional.
Mistake
The 'established' keyword allows any TCP packet from a server to a client after a connection is established.
Correct
The 'established' keyword permits TCP packets that have the ACK or RST bit set, but it does not check if a connection was actually established. It is a simple filter, not stateful inspection.
Candidates overestimate the capability of 'established' and think it works like a firewall's stateful inspection.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
First, ensure the permit statement is correct and matches the traffic. Check the order: if a deny statement appears before the permit, the deny will block the traffic. Also verify that the ACL is applied to the correct interface and direction. Use `show access-lists` to see if the permit entry has any matches. If it has zero matches, the traffic is not matching the criteria. Common issues include wrong wildcard mask, wrong source/destination IP, or wrong protocol/port. Remember the implicit deny: if no permit matches, traffic is denied.
An inbound ACL filters packets that arrive on the interface before they are routed. An outbound ACL filters packets that are leaving the interface after the routing decision. The same ACL can be applied in either direction, but the effect is different. For example, an inbound ACL on an interface filters traffic coming into that interface, while an outbound ACL on the same interface filters traffic going out. A common mistake is applying the ACL to the wrong direction, causing legitimate traffic to be blocked or unwanted traffic to pass.
The `established` keyword is used in extended ACLs to permit TCP packets that have the ACK or RST bit set. This is useful for allowing return traffic from a server to a client after the client initiated the connection. For example: ``` access-list 150 permit tcp any host 10.0.0.1 established ``` This permits any TCP packet from any source to host 10.0.0.1 that has the ACK or RST bit set. Note that it does not track connection state; it simply checks the bits. This is not a stateful firewall, so it can be spoofed. On the CCNA exam, remember that `established` only works for TCP and matches ACK/RST packets.
Yes, you can edit an ACL using sequence numbers. Use `ip access-list extended <name>` to enter ACL configuration mode, then use `sequence <number> permit/deny ...` to add or modify entries. You can also use `no sequence <number>` to remove an entry. Changes take effect immediately without removing the ACL from the interface. However, if you remove the entire ACL, the interface will have no filtering until you reapply it.
The `show access-lists` command displays each ACL entry with a sequence number, action, and criteria. It also shows a match count in parentheses (e.g., (10 matches)). This indicates how many packets have matched that entry. If an entry has zero matches, that rule has not been hit. The last entry is usually the implicit deny, which may show matches for denied packets. This command is essential for troubleshooting ACL issues.
ICMP is a different protocol (protocol number 1). If your ACL only permits TCP, ICMP packets will be denied by the implicit deny. To allow ping, you need a separate permit statement for ICMP, such as: ``` access-list 160 permit icmp any any ``` Or more specific: `permit icmp host 10.0.0.1 host 192.168.1.1 echo` for echo requests and `echo-reply` for replies.
A /28 subnet has a subnet mask of 255.255.255.240. The wildcard mask is the inverse: 0.0.0.15. To match a specific /28 network, say 192.168.1.0/28, use: ``` access-list 170 permit ip 192.168.1.0 0.0.0.15 any ``` Remember: wildcard mask = 255.255.255.255 - subnet mask. So 255.255.255.255 - 255.255.255.240 = 0.0.0.15.
You've just covered Troubleshoot: ACL Blocking Legitimate Traffic — now see how well it sticks with free CCNA 200-301 practice questions. Full explanations included, no account needed.
Done with this chapter?