When packet loss occurs on the network, the ACL counting function can be used to locate the packet loss point, facilitating further troubleshooting.
(Note: Not all switches support this feature. If the device supports the ip access-list count command, it should support this function. It is recommended to verify based on the actual situation.)
Configuration
Topology
S86(gi1/1:20.1.1.2)--- (gi0/2:20.1.1.1)S5750(gi0/1:10.1.1.254)-----PC (10.1.1.1)
(The gateway for the PC is on the S5750; the S5750 and S86 are connected via L3 interfaces.)
Issue to resolve
The PC is pinging the S86 and experiencing packet loss, but it is unclear on which device the packets are being dropped.
Using ACL Counting to Locate the Packet Loss Point
You can apply an ACL on both the in and out directions of the gi0/2 port on the S5750 and the gi1/1 port on the S86.
(1) Creating ACLs 100 to 103 on the S5750 switch
Ruijie# conf terminal // Enter global configuration mode
Ruijie(config)# ip access-list extend 100 // Create ACL 100
Ruijie(config-ext-nacl)# permit ip host 10.1.1.1 host 20.1.1.2 // Match packets from the PC to S86
Ruijie(config-ext-nacl)# permit ip any any // ACL by default denies all, this rule is required to allow all traffic, otherwise the network will be cut off
Ruijie(config)# ip access-list extend 101 // Create ACL 101
Ruijie(config-ext-nacl)# permit ip host 20.1.1.2 host 10.1.1.1 // Match return packets from S86 to the PC
Ruijie(config-ext-nacl)# permit ip any any // ACL by default denies all, this rule is required to allow all traffic, otherwise the network will be cut off
Ruijie# conf terminal // Enter global configuration mode
Ruijie(config)# ip access-list extend 102 // Create ACL 102
Ruijie(config-ext-nacl)# permit ip host 10.1.1.1 host 20.1.1.2 // Match packets from the PC to S86
Ruijie(config-ext-nacl)# permit ip any any // ACL by default denies all, this rule is required to allow all traffic, otherwise the network will be cut off
Ruijie(config)# ip access-list extend 103 // Create ACL 103
Ruijie(config-ext-nacl)# permit ip host 20.1.1.2 host 10.1.1.1 // Match return packets from S86 to the PC
Ruijie(config-ext-nacl)# permit ip any any // ACL by default denies all, this rule is required to allow all traffic, otherwise the network will be cut off
Ruijie(config)# ip access-list count 100 // Enable counting for ACL 100
Ruijie(config)# ip access-list count 101 // Enable counting for ACL 101
Ruijie(config)# ip access-list count 102 // Enable counting for ACL 102
Ruijie(config)# ip access-list count 103 // Enable counting for ACL 103
(2) Creating ACL 100 and 101 on the S86 switch
Ruijie# conf terminal // Enter global configuration mode
Ruijie(config)# ip access-list extend 100 // Create ACL 100
Ruijie(config-ext-nacl)# permit ip host 10.1.1.1 host 20.1.1.2 // Match packets from the PC to S86
Ruijie(config-ext-nacl)# permit ip any any // ACL by default denies all, this rule is required to allow all traffic, otherwise the network will be cut off
Ruijie(config)# ip access-list extend 101 // Create ACL 101
Ruijie(config-ext-nacl)# permit ip host 20.1.1.2 host 10.1.1.1 // Match return packets from S86 to the PC
Ruijie(config-ext-nacl)# permit ip any any // ACL by default denies all, this rule is required to allow all traffic, otherwise the network will be cut off
Ruijie(config)# ip access-list count 100 // Enable counting for ACL 100
Ruijie(config)# ip access-list count 101 // Enable counting for ACL 101
(3) Applying ACLs on the Devices
S5750
Ruijie(config)# int g0/2 // Enter the upstream port on the S5750
Ruijie(config-if-GigabitEthernet 0/2)# ip access-group 100 out // Apply ACL 100 on the outbound direction
Ruijie(config-if-GigabitEthernet 0/2)# ip access-group 101 in // Apply ACL 101 on the inbound direction
Ruijie(config)# int g0/1 // Enter the downstream port on the S5750
Ruijie(config-if-GigabitEthernet 0/1)# ip access-group 102 in // Apply ACL 102 on the inbound direction
Ruijie(config-if-GigabitEthernet 0/1)# ip access-group 103 out // Apply ACL 103 on the outbound direction
S86
Ruijie(config)# int g1/1 // Enter the downstream port on the S86
Ruijie(config-if-GigabitEthernet 1/1)# ip access-group 100 in // Apply ACL 100 on the inbound direction
Ruijie(config-if-GigabitEthernet 1/1)# ip access-group 101 out // Apply ACL 101 on the outbound direction
(4) Begin Ping Packet Testing
Next, ping 10.1.1.1 from the S86 with 100 packets.
Under normal circumstances, ACL 100 on both the S5750 and S86 should match 100 packets for the rule permit ip host 10.1.1.1 host 20.1.1.2, and ACL 101 should also match 100 packets for the rule permit ip host 20.1.1.2 host 10.1.1.1.
Testing results are as follows:
You can check the current ACL match results on the S86 and S5750 devices by using the commands show access-list 100 and show access-list 101.
S86:
show access-lists
S5750:
ACL Troubleshooting Results
Through the above tests, it was found that the S86 can send packets but does not receive responses from the terminal. The packet loss point is on the downstream device of the S5750. You can apply ACLs on the downstream switch to further pinpoint the packet loss location.
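The counter comparison described above, as an added example (not from the original post): it parses constructed show access-lists output from both switches and walks the six counting points in path order for a ping sourced from the S86. The "(N matches)" output layout, the sample counts and the function names are assumptions.

```python
import re
# Constructed sample output; the "(N matches)" layout is an assumption.
S86_OUTPUT = """\
ip access-list extended 100
 10 permit ip host 10.1.1.1 host 20.1.1.2 (62 matches)
 20 permit ip any any (7 matches)
ip access-list extended 101
 10 permit ip host 20.1.1.2 host 10.1.1.1 (100 matches)
"""
S5750_OUTPUT = """\
ip access-list extended 100
 10 permit ip host 10.1.1.1 host 20.1.1.2 (62 matches)
ip access-list extended 101
 10 permit ip host 20.1.1.2 host 10.1.1.1 (100 matches)
ip access-list extended 102
 10 permit ip host 10.1.1.1 host 20.1.1.2 (62 matches)
ip access-list extended 103
 10 permit ip host 20.1.1.2 host 10.1.1.1 (100 matches)
"""
ACL_RE = re.compile(r"^ip access-list extended (\d+)")
RULE_RE = re.compile(r"^\s*\d+ permit ip host \S+ host \S+ \((\d+) match")

def host_rule_counts(show_output):
    """Map ACL number -> match count of its host-to-host rule."""
    counts, acl = {}, None
    for line in show_output.splitlines():
        if m := ACL_RE.match(line):
            acl = int(m.group(1))
        elif acl is not None and (m := RULE_RE.match(line)):
            counts[acl] = int(m.group(1))  # the "any any" rule is ignored
    return counts

# Counting points in path order: echo requests S86 -> PC, then the replies.
PATH = [
    ("S86 gi1/1 out", "S86", 101), ("S5750 gi0/2 in", "S5750", 101),
    ("S5750 gi0/1 out", "S5750", 103), ("S5750 gi0/1 in", "S5750", 102),
    ("S5750 gi0/2 out", "S5750", 100), ("S86 gi1/1 in", "S86", 100),
]

def locate_loss(outputs, sent):
    """Return (last full-count point, first short point, missing) or None."""
    counts = {dev: host_rule_counts(text) for dev, text in outputs.items()}
    prev = "S86 (ping source)"
    for point, dev, acl in PATH:
        seen = counts[dev].get(acl, 0)
        if seen < sent:  # packets went missing between prev and this point
            return prev, point, sent - seen
        prev = point
    return None
```

Counters are cumulative, so take the readings from a zero baseline or subtract the values recorded before the ping.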