Using the example shown in Figure , assume that Host A is a Telnet client attempting to access the Telnet server on Host E. The network engineer can use a protocol analyzer on the Host A network to confirm that the packets are being generated and sent to the router. At this point, the network engineer should notice that the configuration and operation of Host A appear to be correct and that no reply packets are being received. A protocol analyzer running on the remote network reports that no Telnet packets are arriving there. Based on this information, the network engineer can assume there is a problem with at least one of the routers.
Because the access list on Router C is complex, no problem is apparent when the network engineer gives the configuration a visual check using show ip access-list. To be sure, a deny ip any any log statement is configured at the end of the ACL so that every packet not permitted by an earlier entry is logged; this explicit entry replaces the implicit deny, which silently drops traffic and keeps no visible match counter. (Logged packets cost router CPU and the messages are rate-limited, so the packet counts in the log are summaries of a flow, not one message per packet.) The messages generated by the ACL logging highlight a misconfiguration that would otherwise have gone unnoticed, and the network engineer corrects it. The ACL is updated and the show ip access-list command is used again to confirm that packets are being matched by the new access list entry for the Telnet traffic.
Because the problem has still not been solved, the network engineer moves to the configuration of Router D. The ACL filtering inbound traffic on the serial interface is permitting the Telnet traffic, and the match counter for the appropriate ACE is incrementing as traffic arrives.
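The two checks used on Routers C and D (reading the messages produced by deny ip any any log, and watching the match counter of the Telnet permit entry in show ip access-lists) are easy to automate when a router is logging to a syslog collector. The following Python script is an added example, not code from the page or from Cisco: the syslog lines (in the %SEC-6-IPACCESSLOGP format that IOS uses for logged TCP/UDP ACL hits), the two show ip access-lists snapshots, the list number 101, the addresses, and the assumed mistake (the permit entry for Host A names port 22 rather than telnet) are all constructed for illustration.

```python
import re

# Constructed sample data (not captured from the page's network): IOS syslog
# lines produced by "deny ip any any log", and two snapshots of
# "show ip access-lists" taken before and after the ACL was corrected.
# ACL 101, the addresses and the wrong-port mistake are assumptions.
LOG_LINES = """\
*Mar  1 00:12:07.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.10(40211) -> 10.2.2.5(23), 1 packet
*Mar  1 00:12:37.451: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.10(40211) -> 10.2.2.5(23), 4 packets
*Mar  1 00:13:02.009: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.1.1.10(53011) -> 10.2.2.9(53), 1 packet
"""

SHOW_BEFORE = """\
Extended IP access list 101
    10 permit tcp host 10.1.1.10 host 10.2.2.5 eq 22
    20 permit udp host 10.1.1.10 any eq domain (1 match)
    30 deny ip any any log (5 matches)
"""

SHOW_AFTER = """\
Extended IP access list 101
    10 permit tcp host 10.1.1.10 host 10.2.2.5 eq telnet (12 matches)
    20 permit udp host 10.1.1.10 any eq domain (3 matches)
    30 deny ip any any log (5 matches)
"""

# One logged ACL hit: list, action, protocol, src(port) -> dst(port), packet count.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# One ACE line of show ip access-lists: sequence number, entry text, optional counter.
ACE_RE = re.compile(r"^\s*(?P<seq>\d+) (?P<ace>.*?)(?: \((?P<n>\d+) match(?:es)?\))?\s*$")


def denied_flows(log_text, dport=23):
    """Sum denied packets per (acl, src, dst) for flows to dport (23 = Telnet)."""
    flows = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["action"] == "denied" and int(m["dport"]) == dport:
            key = (m["acl"], m["src"], m["dst"])
            flows[key] = flows.get(key, 0) + int(m["count"])
    return flows


def parse_aces(show_text):
    """Map sequence number -> (ACE text, match counter); a missing counter is 0."""
    aces = {}
    for line in show_text.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces[int(m["seq"])] = (m["ace"], int(m["n"] or 0))
    return aces


def permits_telnet(ace):
    """True if an ACE text is a tcp permit whose destination port is telnet/23."""
    return ace.startswith("permit tcp") and re.search(r" eq (telnet|23)$", ace) is not None


def counter_delta(before, after, seq):
    """Growth of one ACE's match counter between two snapshots (the Router D check)."""
    return parse_aces(after)[seq][1] - parse_aces(before)[seq][1]


def diagnose(log_text, show_text):
    """Combine both checks: logged Telnet denies versus counters on any Telnet permit."""
    denied = denied_flows(log_text)
    telnet_aces = {seq: n for seq, (ace, n) in parse_aces(show_text).items() if permits_telnet(ace)}
    if denied and not telnet_aces:
        return "no ACE permits Telnet; denied flows: %s" % sorted(denied)
    if denied and all(n == 0 for n in telnet_aces.values()):
        return "Telnet permit ACE(s) %s never matched; re-check ports/addresses" % sorted(telnet_aces)
    return "Telnet permit ACE(s) %s matching, %d packets" % (sorted(telnet_aces), sum(telnet_aces.values()))


if __name__ == "__main__":
    print(diagnose(LOG_LINES, SHOW_BEFORE))
    print(diagnose(LOG_LINES, SHOW_AFTER))
    print("ACE 10 counter grew by", counter_delta(SHOW_BEFORE, SHOW_AFTER, 10))
```

Against the "before" snapshot the script reports that denied Telnet flows exist and no entry permits Telnet; against the "after" snapshot it reports the permit entry matching, and the counter delta confirms the new entry is the one absorbing the traffic rather than the logging deny.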
Using a protocol analyzer,
the network engineer should confirm that the Telnet packets are now reaching
the network of Host E and that replies are being sent back to Host A. The
protocol analyzer on the network of Host A, however, is not able to see any of
these Telnet packets. It appears as though there is another problem on one of
the routers.
The access lists on Router D are not as complex as those on
Router C and the network engineer immediately spots and corrects a
configuration error.
The next test works and the problem is considered resolved. The final activity the network engineer should perform is to remove any configuration changes that were made only for troubleshooting. Using the log of activities kept during troubleshooting, the network engineer identifies that the deny ip any any log entry provided only diagnostic information and can be removed from the configuration; removing it restores the implicit deny, which filters the same traffic without the logging overhead.