Chapter 5. Debugging Access Lists
Once you’ve formatted access lists and used them to implement policies, how do you know if your access lists are correct? How can you find problems with them? We’ll look at these questions in this chapter, first verifying that your access lists are working correctly in the areas of router resource control, packet filtering, and route filtering. More generally, I will talk about how access lists can go wrong and what are the typical failure modes of access lists. Finally, we’ll look at some tips and tricks for debugging access lists in detail.
Router resource access control lists
In this section, I discuss how to debug router resource access lists. The first part describes how to check them for correctness since it doesn’t make sense to debug a list that is configured properly. The second part discusses what generally happens when access lists go wrong, and the last part goes over specifically how to debug router resource access lists.
Checking for correctness
In Chapter 3 we configured the router to control resources such as Telnet and time services. The approach to verifying if these access lists function correctly is very basic: test if access works correctly for those who are permitted, and test if access does not work for those who are not permitted. Let’s look at one of our early examples of router resource policies and look at how we can test it. In the first example in Chapter 2, we had a policy like the following:
Only the hosts at IP addresses ...
Get Cisco IOS Access Lists now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.