ACL Applied to Wrong Interface or Direction
Presenting Symptom
Users in VLAN 10 cannot reach the internet, but they can reach other internal subnets.
Network Context
A small branch office with a single router-on-a-stick topology. The router (Cisco 4321, IOS 15.9) connects to a Layer 3 switch via a trunk link. The router has an ACL 100 applied to its WAN interface (GigabitEthernet0/0/0) to filter traffic to the internet. The ACL is intended to permit only specific internal subnets, but users in VLAN 10 (192.168.10.0/24) are being blocked.
Diagnostic Steps
Check ACL configuration and applied interfaces
show running-config | section access-list
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 deny ip any any
The ACL only permits traffic from 192.168.20.0/24, not from 192.168.10.0/24. This indicates the ACL is missing a permit statement for VLAN 10.
Verify where the ACL is applied
show ip interface GigabitEthernet0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
  Internet address is 203.0.113.1/30
  Inbound access list is 100
  Outgoing access list is not set
ACL 100 is applied inbound on the WAN interface. This means traffic from the internal network to the internet is filtered as it enters the WAN interface. The ACL should be applied outbound on the LAN interface or inbound on the WAN interface with correct source addresses.
Check routing and verify traffic path
show ip route
S* 0.0.0.0/0 [1/0] via 203.0.113.2
192.168.10.0/24 is directly connected, Vlan10
192.168.20.0/24 is directly connected, Vlan20
Routing is correct; the default route points to the ISP. The issue is not routing but the ACL filtering.
Test ACL with a specific permit for VLAN 10
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
No output (command executed successfully)
Adding the missing permit statement should allow traffic from VLAN 10. However, the root cause is that the ACL was applied to the wrong interface/direction; it should be applied outbound on the LAN interface to filter traffic leaving the internal network.
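The two checks in the steps above (ACL content, then its application point) can be reproduced offline. The following Python is an added example, not part of the original scenario: it parses constructed copies of the show output shown above, evaluates a source/destination pair against ACL 100 top-down using Cisco wildcard masks and the implicit deny, and reads which ACL is applied in each direction from the show ip interface output.

```python
import ipaddress
import re

# Constructed sample output, modelled on the show commands in this scenario.
ACL_CONFIG = """access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 deny ip any any"""

INTERFACE_OUTPUT = """GigabitEthernet0/0/0 is up, line protocol is up
  Internet address is 203.0.113.1/30
  Inbound access list is 100
  Outgoing access list is not set"""

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard: a 0 bit must match, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0

def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'network wildcard'; return (network, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    return (tokens.pop(0), "0.0.0.0") if tok == "host" else (tok, tokens.pop(0))

def parse_acl(config, number):
    """Return the entries of numbered ACL `number` as (action, src, dst) in config order."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] == ["access-list", str(number)] and tokens[3] == "ip":
            action, rest = tokens[2], tokens[4:]
            entries.append((action, _take_addr(rest), _take_addr(rest)))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """Top-down, first match wins; every ACL ends with an implicit deny."""
    for action, (snet, swc), (dnet, dwc) in entries:
        if wildcard_match(src_ip, snet, swc) and wildcard_match(dst_ip, dnet, dwc):
            return action
    return "deny"

def acl_placement(show_ip_interface):
    """Extract the interface name and the ACL applied in each direction from show ip interface."""
    result = {"interface": show_ip_interface.split()[0], "inbound": None, "outbound": None}
    for direction, key in (("Inbound", "inbound"), ("Outgoing", "outbound")):
        m = re.search(rf"{direction}\s+access list is (.+)", show_ip_interface)
        if m and m.group(1).strip() != "not set":
            result[key] = m.group(1).strip()
    return result
```

Because entries are evaluated top-down and numbered ACL lines are appended at the end, a permit added after the deny ip any any line is never reached; evaluating the extended ACL with this code shows that ordering effect.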
Root Cause
ACL 100 is applied inbound on the WAN interface (GigabitEthernet0/0/0) instead of outbound on the LAN interface (e.g., subinterface GigabitEthernet0/0/1.10). This causes the ACL to filter traffic based on source IP addresses as they enter the WAN interface, but the ACL was designed to permit only a specific subnet (192.168.20.0/24) and denies all others, including VLAN 10.
Resolution
Verification
Run 'show ip interface GigabitEthernet0/0/1.10' to confirm the ACL is applied outbound. Then test connectivity from a host in VLAN 10 to the internet (e.g., ping 8.8.8.8). Expected result: successful ping replies.
Prevention
1. Always apply ACLs as close to the source as possible to avoid unintended filtering.
2. Use descriptive ACL names and document the intended direction (inbound/outbound) for each ACL.
3. Test ACLs with a permit any any statement temporarily to verify connectivity before applying restrictive rules.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario appears in troubleshooting questions where an ACL is applied to the wrong interface or direction. Candidates must know how to verify ACL placement using 'show ip interface' and interpret the output to identify misconfigurations. The exam tests the ability to determine whether an ACL is applied inbound or outbound and on which interface.
Exam Tips
Remember that ACLs are applied to interfaces in a specific direction: inbound filters traffic entering the interface, outbound filters traffic leaving the interface.
When troubleshooting ACL issues, always check both the ACL content and its application point using 'show ip interface'.
A common exam trick: an ACL that permits only a specific subnet but is applied inbound on the WAN interface will block all other internal subnets because the source IP is checked before routing.
Commands Used in This Scenario
show access-lists
Displays all configured access control lists (ACLs) on the device, including their entries and match counters, used to verify ACL configuration and traffic filtering.
show ip interface
Displays the status and configuration of all IP interfaces on a Cisco router, including IP address, protocol status, and interface statistics, used for verifying interface IP configuration and troubleshooting connectivity issues.
show running-config
Displays the current active configuration in DRAM, showing all non-default settings.