Lab 42: Debugging Network Traffic Using Extended ACLs

Lab Objective:

The objective of this lab exercise is for you to learn and understand how to create extended access control lists to troubleshoot the network using the debug ip packet command.

Lab Purpose:

Limiting debugging to specific traffic types using ACLs is a fundamental skill. Extended ACLs can match on source and destination address as well as on the Layer 4 protocols TCP and UDP, so an extended ACL can scope a debug to exactly the traffic you want to troubleshoot. As a Cisco engineer, and in the Cisco CCNA exam, you will be expected to know how to create extended numbered ACLs and use them to debug specific types of traffic.

Certification Level:

This lab is suitable for CCNA certification exam preparation.

Lab Difficulty:

This lab has a difficulty rating of 6/10.

Readiness Assessment:

When you are ready for your certification exam, you should complete this lab in no more than 5 minutes.

Lab Topology:

Please use the following topology to complete this lab exercise:

Task 1:

Configure the hostnames on routers R1 and R3 as illustrated in the topology.

Task 2:

Configure R1 S0/0, which is a DCE, to provide a clock rate of 768 Kbps to R3. Configure the IP addresses on the Serial interfaces of R1 and R3 as illustrated in the topology.

Task 3:

Configure an extended ACL on R1 to match and permit all ICMP traffic. Use ACL number 111.

Task 4:

Enable detailed debugging on R1 using the debug ip packet 111 detail command. Referencing the ACL limits the debug output to the traffic the ACL permits, which in this case is ICMP only.

Task 5:

Ping R2 from R1. You should see some detailed information printed on the console on R1 based on your debugging. When you are done, disable debugging on R1.

Configuration and Verification

Task 1:

For reference information on configuring hostnames, please refer to earlier labs.

Task 2:

For reference information on configuring DCE clocking and IP addressing, please refer to earlier labs.

Task 3:

R1#conf t 
Enter configuration commands, one per line.  End with CTRL/Z. 
R1(config)#access-list 111 remark "Permit all ICMP traffic"
R1(config)#access-list 111 permit icmp any any 
R1(config)#end 
R1#

Task 4:

R1#debug ip packet 111 detail 
IP packet debugging is on (detailed) for access list 111 
R1#

Task 5:

R1#ping 172.16.1.2 

Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms

R1# 
*Mar  1 01:10:16.600: IP: tableid=0, s=172.16.1.1 (local), d=172.16.1.2 (Serial0/0), routed via FIB
*Mar  1 01:10:16.600: IP: s=172.16.1.1 (local), d=172.16.1.2 (Serial0/0), len 100, sending 
*Mar  1 01:10:16.604:     ICMP type=8, code=0 
*Mar  1 01:10:16.608: IP: tableid=0, s=172.16.1.2 (Serial0/0), d=172.16.1.1 (Serial0/0), routed via RIB 
*Mar  1 01:10:16.608: IP: s=172.16.1.2 (Serial0/0), d=172.16.1.1 (Serial0/0), len 100, rcvd 3 
*Mar  1 01:10:16.608:     ICMP type=0, code=0 
*Mar  1 01:10:16.608: IP: tableid=0, s=172.16.1.1 (local), d=172.16.1.2 (Serial0/0), routed via FIB 
*Mar  1 01:10:16.608: IP: s=172.16.1.1 (local), d=172.16.1.2 (Serial0/0), len 100, sending 
*Mar  1 01:10:16.612:     ICMP type=8, code=0 
*Mar  1 01:10:16.616: IP: tableid=0, s=172.16.1.2 (Serial0/0), d=172.16.1.1 (Serial0/0), routed via RIB 
*Mar  1 01:10:16.616: IP: s=172.16.1.2 (Serial0/0), d=172.16.1.1 (Serial0/0), len 100, rcvd 3 
*Mar  1 01:10:16.616:     ICMP type=0, code=0 
R1#undebug all 
All possible debugging has been turned off

NOTE: Based on the ping, we can see that ICMP Type 8, Code 0 messages are being sent from R1 to R3 and ICMP Type 0, Code 0 messages are being sent from R3 to R1. You are required to know the different ICMP Types and Codes for the Cisco CCNA exam, so if you are not sure what these two codes are, now would be a good time to look them up. Make sure you commit the ICMP Types and Codes to memory.
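As an added illustration that is not part of the lab, the Python below parses debug ip packet detail output in the format shown above into per-packet records and flags echo requests that received no reply. The sample lines are constructed from the session above, and the ICMP name table (an assumption for this example) covers only the two messages a ping generates.

```python
import re

# Constructed sample: one request/reply pair from the "debug ip packet 111 detail"
# output shown in this lab (same timestamps, addresses and line format).
SAMPLE_DEBUG = """\
*Mar  1 01:10:16.600: IP: tableid=0, s=172.16.1.1 (local), d=172.16.1.2 (Serial0/0), routed via FIB
*Mar  1 01:10:16.600: IP: s=172.16.1.1 (local), d=172.16.1.2 (Serial0/0), len 100, sending
*Mar  1 01:10:16.604:     ICMP type=8, code=0
*Mar  1 01:10:16.608: IP: tableid=0, s=172.16.1.2 (Serial0/0), d=172.16.1.1 (Serial0/0), routed via RIB
*Mar  1 01:10:16.608: IP: s=172.16.1.2 (Serial0/0), d=172.16.1.1 (Serial0/0), len 100, rcvd 3
*Mar  1 01:10:16.608:     ICMP type=0, code=0
"""

# "IP: s=... d=..., len N, sending|rcvd" carries the addresses; the ICMP detail
# line that follows it carries the type and code. "tableid=" lines are ignored.
IP_LINE = re.compile(r"IP: s=(?P<src>[\d.]+) \(\S+\), d=(?P<dst>[\d.]+) \(\S+\), "
                     r"len (?P<len>\d+), (?P<dir>sending|rcvd)")
ICMP_LINE = re.compile(r"ICMP type=(?P<type>\d+), code=(?P<code>\d+)")

# Assumed table: the two ICMP messages a ping produces; anything else is named by number.
ICMP_NAMES = {(8, 0): "echo-request", (0, 0): "echo-reply"}

def parse_debug(text):
    """Return one dict per packet: src, dst, len, direction, type, code, name."""
    packets, pending = [], None
    for line in text.splitlines():
        m = IP_LINE.search(line)
        if m:                       # remember the header, wait for its detail line
            pending = m.groupdict()
            continue
        m = ICMP_LINE.search(line)
        if m and pending:
            t, c = int(m["type"]), int(m["code"])
            packets.append({"src": pending["src"], "dst": pending["dst"],
                            "len": int(pending["len"]),
                            "direction": "sent" if pending["dir"] == "sending" else "received",
                            "type": t, "code": c,
                            "name": ICMP_NAMES.get((t, c), f"type{t}/code{c}")})
            pending = None
    return packets

def unanswered_requests(packets):
    """Destinations of echo requests that never sent back an echo reply (lost pings)."""
    replied = {p["src"] for p in packets if p["name"] == "echo-reply"}
    return [p["dst"] for p in packets if p["name"] == "echo-request" and p["dst"] not in replied]
```

Feeding the parser a capture that contains only the request half shows 172.16.1.2 as unanswered, which is the quick check you want when a ping prints a dot instead of an exclamation mark.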
