Ruijie Community

Title: How to configure ACL counting for Ruijie switches to locate the packets loss?

Author: zhangqiao@ruiji    Time: 2024-12-25 17:41
Introduction

When packet loss occurs on the network, the ACL counting function can be used to locate the packet loss point, facilitating further troubleshooting.
(Note: Not all switches support this feature. If the device supports the "ip access-list count" command, it should support this function. It is recommended to verify based on the actual situation.)
Configuration

Topology

S86(gi1/1:20.1.1.2)--- (gi0/2:20.1.1.1)S5750(gi0/1:10.1.1.254)-----PC  (10.1.1.1)
(The gateway for the PC is on the S5750; the S5750 and S86 are connected via L3 interfaces.)
Issue to resolve

The PC is pinging the S86 and experiencing packet loss, but it is unclear on which device the packets are being dropped.
Using ACL Counting to Locate the Packet Loss Point

You can apply an ACL on both the in and out directions of the gi0/2 port on the S5750 and the gi1/1 port on the S86.
(1) Creating ACLs 100, 101, 102 and 103 on the S5750 switch
  Ruijie# conf terminal   // Enter global configuration mode
  Ruijie(config)# ip access-list extend 100    // Create ACL 100
  Ruijie(config-ext-nacl)# permit ip host 10.1.1.1 host 20.1.1.2   // Match packets from the PC to S86
  Ruijie(config-ext-nacl)# permit ip any any    // ACL by default denies all, this rule is required to allow all traffic, otherwise the network will be cut off

  Ruijie(config)# ip access-list extend 101    // Create ACL 101
  Ruijie(config-ext-nacl)# permit ip host 20.1.1.2 host 10.1.1.1   // Match return packets from S86 to the PC
  Ruijie(config-ext-nacl)# permit ip any any    // ACL by default denies all, this rule is required to allow all traffic, otherwise the network will be cut off

  Ruijie# conf terminal   // Enter global configuration mode
  Ruijie(config)# ip access-list extend 102    // Create ACL 102
  Ruijie(config-ext-nacl)# permit ip host 10.1.1.1 host 20.1.1.2   // Match packets from the PC to S86
  Ruijie(config-ext-nacl)# permit ip any any    // ACL by default denies all, this rule is required to allow all traffic, otherwise the network will be cut off

  Ruijie(config)# ip access-list extend 103    // Create ACL 103
  Ruijie(config-ext-nacl)# permit ip host 20.1.1.2 host 10.1.1.1   // Match return packets from S86 to the PC
  Ruijie(config-ext-nacl)# permit ip any any    // ACL by default denies all, this rule is required to allow all traffic, otherwise the network will be cut off

  Ruijie(config)# ip access-list count 100    // Enable counting for ACL 100
  Ruijie(config)# ip access-list count 101    // Enable counting for ACL 101
  Ruijie(config)# ip access-list count 102    // Enable counting for ACL 102
  Ruijie(config)# ip access-list count 103    // Enable counting for ACL 103

  
(2) Creating ACLs 100 and 101 on the S86 switch
  Ruijie# conf terminal   // Enter global configuration mode
  Ruijie(config)# ip access-list extend 100    // Create ACL 100
  Ruijie(config-ext-nacl)# permit ip host 10.1.1.1 host 20.1.1.2   // Match packets from the PC to S86
  Ruijie(config-ext-nacl)# permit ip any any    // ACL by default denies all, this rule is required to allow all traffic, otherwise the network will be cut off

  Ruijie(config)# ip access-list extend 101    // Create ACL 101
  Ruijie(config-ext-nacl)# permit ip host 20.1.1.2 host 10.1.1.1   // Match return packets from S86 to the PC
  Ruijie(config-ext-nacl)# permit ip any any    // ACL by default denies all, this rule is required to allow all traffic, otherwise the network will be cut off

  Ruijie(config)# ip access-list count 100    // Enable counting for ACL 100
  Ruijie(config)# ip access-list count 101    // Enable counting for ACL 101

  
(3) Applying ACLs on the Devices
S5750
  Ruijie(config)# int g0/2   // Enter the upstream port on the S5750
  Ruijie(config-if-GigabitEthernet 0/2)# ip access-group 100 out   // Apply ACL 100 on the outbound direction
  Ruijie(config-if-GigabitEthernet 0/2)# ip access-group 101 in   // Apply ACL 101 on the inbound direction

  Ruijie(config)# int g0/1   // Enter the downstream port on the S5750
  Ruijie(config-if-GigabitEthernet 0/1)# ip access-group 102 in   // Apply ACL 102 on the inbound direction
  Ruijie(config-if-GigabitEthernet 0/1)# ip access-group 103 out   // Apply ACL 103 on the outbound direction

  
S86
  Ruijie(config)# int g1/1   // Enter the downstream port on the S86
  Ruijie(config-if-GigabitEthernet 1/1)# ip access-group 100 in   // Apply ACL 100 on the inbound direction
  Ruijie(config-if-GigabitEthernet 1/1)# ip access-group 101 out   // Apply ACL 101 on the outbound direction

  
(4) Begin Ping Packet Testing
Next, ping 10.1.1.1 from the S86 with 100 packets.
Under normal circumstances, ACL 100 on both the S5750 and S86 should match 100 packets for the rule "permit ip host 10.1.1.1 host 20.1.1.2", and ACL 101 should also match 100 packets for the rule "permit ip host 20.1.1.2 host 10.1.1.1".
Testing results are as follows:

You can check the current ACL match results on the S86 and S5750 devices by using the commands "show access-list 100" and "show access-list 101".
S86:
show access-lists

S5750:

ACL Troubleshooting Results

Through the above tests, it was found that the S86 can send packets but does not receive responses from the terminal. The packet loss point is on the downstream device of the S5750. You can apply ACLs on the downstream switch to further pinpoint the packet loss location.
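
The comparison described above can be scripted. The following Python is an added example, not part of the original post or any Ruijie tool: it reads the ACL counter text from both switches and reports the first counting point on the ping path where the count falls short. The "(N matches)" counter format and the sample output are assumptions constructed for illustration; adjust the patterns to what your device prints.

```python
import re

# Counting points in the order a ping from the S86 and the PC's reply cross
# them, using the ACL bindings from steps (1)-(3): request first, then reply.
PATH = [("S86", "gi1/1 out", 101), ("S5750", "gi0/2 in", 101),
        ("S5750", "gi0/1 out", 103), ("S5750", "gi0/1 in", 102),
        ("S5750", "gi0/2 out", 100), ("S86", "gi1/1 in", 100)]
HEADER = re.compile(r"ip access-list extended (\d+)")
# Assumed counter format "(N matches)"; a rule without the suffix counts as 0.
HOST_RULE = re.compile(r"permit ip host \S+ host \S+(?:\s+\((\d+) matches\))?")

def parse_counters(text):
    """Return {acl_number: match count of that ACL's host-to-host rule}."""
    counts, acl = {}, None
    for line in text.splitlines():
        if m := HEADER.search(line):
            acl = int(m.group(1))
        elif acl is not None and (m := HOST_RULE.search(line)):
            counts[acl] = int(m.group(1) or 0)
    return counts

def locate_loss(outputs, sent):
    """outputs: {device: counter text}. Assumes counters were 0 before the test."""
    counters = {dev: parse_counters(txt) for dev, txt in outputs.items()}
    prev = "S86 (ping source)"
    for dev, point, acl in PATH:
        here = f"{dev} {point} (ACL {acl})"
        seen = counters.get(dev, {}).get(acl)
        if seen is None:
            return f"no counter for {here}"
        if seen < sent:
            return f"{sent - seen} of {sent} lost between {prev} and {here}"
        prev = here
    return "no loss at any counting point"

# Constructed sample output, not captured from a real device.
SAMPLE = {
    "S86": """ip access-list extended 100
 10 permit ip host 10.1.1.1 host 20.1.1.2
 20 permit ip any any (12 matches)
ip access-list extended 101
 10 permit ip host 20.1.1.2 host 10.1.1.1 (100 matches)""",
    "S5750": """ip access-list extended 101
 10 permit ip host 20.1.1.2 host 10.1.1.1 (100 matches)
ip access-list extended 102
 10 permit ip host 10.1.1.1 host 20.1.1.2
ip access-list extended 103
 10 permit ip host 20.1.1.2 host 10.1.1.1 (100 matches)""",
}
```

Calling locate_loss(SAMPLE, sent=100) places the loss between the S5750's gi0/1 outbound and inbound counters, that is, downstream of the S5750, matching the result above. Other traffic between the same two hosts during the test inflates the counters, so run the ping on an otherwise quiet pair of addresses.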




