ACL Processing Order — Top-Down Implicit Deny Trap
Presenting Symptom
Users in the Sales VLAN cannot reach the Internet, but they can reach other internal VLANs.
Network Context
A small branch office with a single router-on-a-stick topology: Router (Cisco 4321, IOS XE 16.9) connected to a Layer 3 switch (Cisco 3650). The router has an ACL applied inbound on its subinterface for VLAN 10 (Sales). The ACL is intended to permit HTTP/HTTPS traffic to the Internet but deny all other traffic. Internal routing between VLANs works via the switch's SVI.
Diagnostic Steps
Check if the ACL is applied and inspect its entries
Router# show access-lists 100
Extended IP access list 100
    10 permit tcp any any eq 80
    20 permit tcp any any eq 443
    30 deny ip any any (4 matches)
The ACL shows only two permit entries for HTTP/HTTPS and a final deny all. The match count on the deny entry indicates traffic is being dropped. If the ACL had a permit ip any any at the end, the problem would be elsewhere.
Verify ACL application on the interface
Router# show ip interface gigabitethernet 0/0.10
GigabitEthernet0/0.10 is up, line protocol is up
  Internet address is 10.10.10.1/24
  Inbound access list is 100
Confirms ACL 100 is applied inbound on the subinterface. If the ACL were applied outbound or on the wrong interface, traffic would not be filtered as expected.
Check if the ACL is blocking return traffic or other required traffic
Router# show access-lists 100 | include matches
    30 deny ip any any (4 matches)
The match count on the deny entry shows that traffic is being dropped. Since the ACL only permits HTTP/HTTPS, any other traffic (e.g., DNS, ICMP) is denied. The problem is that the ACL is too restrictive.
Determine what traffic is being dropped by examining logs or using debug
Router# debug ip packet 100 detail
IP: s=10.10.10.10 (GigabitEthernet0/0.10) d=8.8.8.8, len 60, access list 100 denied
The debug output shows packets being denied by ACL 100. In this case, a DNS query to 8.8.8.8 is denied because DNS uses UDP port 53, which is not permitted. This confirms the ACL is blocking necessary traffic. Note that debug ip packet is CPU-intensive on a production router; restricting it with an ACL, as done here, limits the load, and it should be turned off with undebug all as soon as the evidence is captured.
Root Cause
The ACL applied inbound on the Sales VLAN subinterface only permits HTTP (TCP/80) and HTTPS (TCP/443). Everything else falls through to the final deny ip any any (the same outcome the implicit deny would produce if line 30 were absent), including DNS (UDP/53), which is required for name resolution, and ICMP, which is used for troubleshooting. As a result, users cannot browse the Internet because their DNS queries are blocked before any HTTP/HTTPS connection can be attempted.
Resolution
Verification
Verify the updated ACL and test connectivity.
Router# show access-lists 100
Extended IP access list 100
    5 permit udp any any eq 53 (5 matches)
    10 permit tcp any any eq 80
    15 permit icmp any any
    20 permit tcp any any eq 443
    30 deny ip any any (0 matches)
Router# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)
The ping succeeds and the deny match count remains 0, confirming that necessary traffic is now permitted. Because traffic sourced by the router itself is not subject to the inbound ACL on its subinterface, also confirm from a host in the Sales VLAN that name resolution and web browsing work; the rising match count on sequence 5 is the evidence that the hosts' DNS queries are now being permitted.
Prevention
1. When designing ACLs, always consider all required traffic types (e.g., DNS, DHCP, ICMP) and permit them explicitly before the deny all.
2. Use ACL sequence numbers to insert rules in the correct order without removing the entire ACL.
3. Test ACLs in a lab or staging environment before deploying to production to avoid blocking critical services.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario appears in troubleshooting questions where an ACL is too restrictive. The exam tests the candidate's understanding of ACL processing order (top-down, first match) and the implicit deny any at the end. Expect multiple-choice questions asking 'What is the problem?' or drag-and-drop to reorder ACL entries. Key fact: ACLs process in order; the first matching rule is applied; if no match, the packet is denied by the implicit deny any.
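To make the processing rule concrete, here is an added Python simulation of how an extended ACL is evaluated. It is teaching code written for this page, not Cisco IOS software or output from the scenario. It takes the two ACLs shown above (the original three-line ACL and the corrected five-line ACL), walks each entry top-down, stops at the first match, increments that entry's counter, and falls back to an implicit deny when nothing matches. The sample traffic (a DNS query, a ping, and two web connections), the mis-ordered ACL variant used to show entry shadowing, and the simplified "any any [eq port]" syntax are constructed for the example and are assumptions rather than anything from the page.

```python
"""Simulate Cisco IOS extended ACL evaluation: top-down, first match wins,
implicit deny when nothing matches.  Added teaching example, not IOS code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One access control entry, e.g. '10 permit tcp any any eq 80'."""
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    dst_port: Optional[int]      # None means any destination port
    matches: int = 0             # the counter 'show access-lists' displays


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: Optional[int] = None

    def label(self) -> str:
        return f"{self.proto}/{self.dst_port}" if self.dst_port else self.proto


def parse_ace(line: str) -> Ace:
    """Parse the simplified 'seq action proto any any [eq port]' form (assumed syntax)."""
    tokens = line.split()
    dst_port = int(tokens[tokens.index("eq") + 1]) if "eq" in tokens else None
    return Ace(int(tokens[0]), tokens[1], tokens[2], dst_port)


class Acl:
    def __init__(self, lines: List[str]):
        # IOS orders entries by sequence number, so '5 permit udp ...' added
        # after the fact still lands in front of sequence 10.
        self.entries = sorted((parse_ace(line) for line in lines), key=lambda a: a.seq)
        self.implicit_denies = 0   # never visible in 'show access-lists'

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, matching sequence); sequence None means the implicit deny."""
        for ace in self.entries:
            if ace.proto != "ip" and ace.proto != pkt.proto:
                continue
            if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
                continue
            ace.matches += 1          # first match wins; later entries are never consulted
            return ace.action, ace.seq
        self.implicit_denies += 1     # nothing matched: implicit deny any
        return "deny", None

    def unreachable_entries(self) -> List[int]:
        """Sequence numbers shadowed by an earlier 'ip any any' catch-all entry."""
        shadowed, catch_all_seen = [], False
        for ace in self.entries:
            if catch_all_seen:
                shadowed.append(ace.seq)
            elif ace.proto == "ip" and ace.dst_port is None:
                catch_all_seen = True
        return shadowed

    def show(self) -> str:
        """Render the ACL roughly the way 'show access-lists' prints it."""
        return "\n".join(f"{a.seq} {a.action} {a.proto} any any"
                         + (f" eq {a.dst_port}" if a.dst_port else "")
                         + (f" ({a.matches} matches)" if a.matches else "")
                         for a in self.entries)


# The two ACLs from the scenario, plus a constructed mis-ordered variant for the lint check.
ORIGINAL_ACL = ["10 permit tcp any any eq 80", "20 permit tcp any any eq 443",
                "30 deny ip any any"]
FIXED_ACL = ORIGINAL_ACL + ["5 permit udp any any eq 53", "15 permit icmp any any"]
MISORDERED_ACL = ["5 deny ip any any"] + ORIGINAL_ACL[:2]

# Constructed sample traffic from a Sales VLAN host: DNS lookup, ping, then web.
SAMPLE_TRAFFIC = [Packet("udp", 53), Packet("icmp"), Packet("tcp", 80), Packet("tcp", 443)]


def run(acl_lines: List[str], traffic: List[Packet]):
    """Evaluate every packet in order; return the ACL (with counters) and per-packet verdicts."""
    acl = Acl(acl_lines)
    verdicts = {pkt.label(): acl.evaluate(pkt) for pkt in traffic}
    return acl, verdicts


if __name__ == "__main__":
    for name, lines in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        acl, verdicts = run(lines, SAMPLE_TRAFFIC)
        print(f"--- {name} ACL ---\n{acl.show()}\n{verdicts}\n")
    print("shadowed in mis-ordered ACL:", Acl(MISORDERED_ACL).unreachable_entries())
```

Running it reproduces the scenario: with the original ACL the DNS query and the ping both hit sequence 30, with the fixed ACL they hit sequences 5 and 15 and the deny counter stays at 0. Dropping the explicit line 30 altogether shows why administrators add it: the implicit deny still drops the same packets, but its count is not displayed, so the counter evidence used in the diagnostic steps disappears. The mis-ordered variant puts deny ip any any at sequence 5, and unreachable_entries() reports that sequences 10 and 20 can never be hit, which is the "top-down" trap in the page title.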
Exam Tips
Remember that ACLs have an implicit deny any at the end; always permit required traffic explicitly.
When troubleshooting ACLs, check the match counts on each entry to see which rule is being hit.
Use 'show access-lists' to view match counts and 'show ip interface' to verify ACL application direction.
Commands Used in This Scenario
show access-lists
Displays all configured access control lists (ACLs) on the device, including their entries and match counters, used to verify ACL configuration and traffic filtering.
show ip interface
Displays the status and configuration of all IP interfaces on a Cisco router, including IP address, protocol status, and interface statistics, used for verifying interface IP configuration and troubleshooting connectivity issues.