Troubleshooting TCP/IP
7-112
Misconfigured Access List Example
Misconfigured access lists can cause connectivity and performance problems. In the environment
shown in Figure 7-12, the network administrator can successfully reach Router Z from Router X
using the telnet and ping commands. However, when the administrator attempts to trace the route to
Router Z using the trace command, the trace fails.
Figure 7-12 A Misconfigured Access List Sample Network
When examining the configuration of Router Y, the network administrator finds the following
extended access list configured on the router:
C4500#show ip access-lists
Extended IP access list 101
permit tcp any any eq telnet
permit icmp any any
C4500#show running-config
[...]
interface Serial0
ip address 192.168.54.92 255.255.255.0
ip access-group 101 out
[...]
Applied outbound on serial interface 0, the access list permits only ICMP (used by the ping application)
and TCP traffic to the Telnet port (used by the Telnet application) to leave that interface. All other traffic,
including the UDP probes sent by the trace application (destination UDP ports 33434 and above by
default), is dropped by the implicit deny at the end of the list.
To allow trace traffic to pass through Router Y, the network administrator makes the following
change to the access list:
C4500#configure terminal
C4500(config)#access-list 101 permit udp any any gt 33433
C4500(config)#^Z
C4500#
%SYS-5-CONFIG_I: Configured from console by console
C4500#show ip access-lists
Extended IP access list 101
permit tcp any any eq telnet
permit icmp any any
permit udp any any gt 33433
C4500#
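The following Python script is an added illustration, not part of the Cisco guide: it models the first-match evaluation of the extended access list shown above (with the implicit deny at the end) and runs the three kinds of traffic from the example through access list 101 before and after the administrator's change. The packet descriptions and the narrower `range 33434 33534` entry are constructed for this illustration and are not on the page; they show why the `gt 33433` entry restores trace while also admitting any other UDP traffic to ports above 33433, and how a tighter port range limits that exposure.

```python
"""Simulate Cisco IOS extended-ACL evaluation for the access list on this page.

Constructed example: only the ACE forms the page uses ('<action> <proto> any any
[eq|gt|lt|range <port>...]') are parsed; source/destination are always 'any'.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None   # None for ICMP


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip"
    dst_op: Optional[str] = None     # "eq", "gt", "lt", "range" or None
    dst_args: Tuple[int, ...] = ()   # port operands, resolved to numbers


# IOS accepts well-known port names; only the ones this example needs are mapped.
PORT_NAMES = {"telnet": 23, "domain": 53, "bootps": 67, "bootpc": 68}


def parse_ace(line: str) -> Ace:
    """Parse one access-list entry of the form used on the page."""
    tok = line.split()
    action, proto, src, dst = tok[0], tok[1], tok[2], tok[3]
    if action not in ("permit", "deny") or src != "any" or dst != "any":
        raise ValueError(f"unsupported ACE for this example: {line!r}")
    if len(tok) == 4:
        return Ace(action, proto)
    op = tok[4]
    args = tuple(PORT_NAMES[a] if a in PORT_NAMES else int(a) for a in tok[5:])
    return Ace(action, proto, op, args)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """True if the entry's protocol and destination-port test both match the packet."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dst_op is None:
        return True                  # no port qualifier: protocol match is enough
    p = pkt.dst_port
    if p is None:
        return False
    if ace.dst_op == "eq":
        return p in ace.dst_args
    if ace.dst_op == "gt":
        return p > ace.dst_args[0]
    if ace.dst_op == "lt":
        return p < ace.dst_args[0]
    if ace.dst_op == "range":
        lo, hi = ace.dst_args
        return lo <= p <= hi
    raise ValueError(f"unknown port operator {ace.dst_op!r}")


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def acl_from_lines(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines]


# Access list 101 exactly as displayed by 'show ip access-lists' before the change.
ACL_BEFORE = acl_from_lines([
    "permit tcp any any eq telnet",
    "permit icmp any any",
])
# After the administrator's 'access-list 101 permit udp any any gt 33433'.
ACL_AFTER = ACL_BEFORE + acl_from_lines(["permit udp any any gt 33433"])
# Constructed tighter alternative (assumption, not from the page): only the
# default traceroute probe range, so unrelated high-port UDP stays denied.
ACL_NARROW = ACL_BEFORE + acl_from_lines(["permit udp any any range 33434 33534"])

# Constructed packets standing in for the three tools named in the text.
TELNET = Packet("tcp", 23)
PING = Packet("icmp")
TRACE_PROBE = Packet("udp", 33434)   # first default traceroute probe port


def report(acl: List[Ace]) -> Dict[str, str]:
    """Outbound decision on Serial0 for each tool's traffic."""
    return {name: evaluate(acl, p)
            for name, p in (("telnet", TELNET), ("ping", PING), ("trace", TRACE_PROBE))}


if __name__ == "__main__":
    print("before change:", report(ACL_BEFORE))
    print("after change: ", report(ACL_AFTER))
    print("udp/50000 after change:", evaluate(ACL_AFTER, Packet("udp", 50000)))
    print("udp/50000 with range:  ", evaluate(ACL_NARROW, Packet("udp", 50000)))
```

Run the script directly to see that telnet and ping pass both lists, that the trace probe is caught by the implicit deny only before the change, and that the `gt 33433` entry also permits unrelated UDP datagrams to any port above 33433 while the constructed `range` entry does not.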
TCP/IP: Problems Forwarding BOOTP and Other UDP Broadcasts
Symptom: Problems occur when forwarding BOOTP or other UDP broadcast packets. UDP
broadcasts sent from network hosts are not forwarded by routers. Diskless workstations cannot boot.
Table 7-7 outlines the problems that might cause this symptom and describes solutions to those
problems.
Table 7-7 TCP/IP: Problems Forwarding BOOTP and Other UDP Broadcasts
[Figure 7-12 labels: Router X, Router Y, Router Z; interface S0]