Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x
OL-9285-05
Chapter 21 Troubleshooting IP Access Lists
Initial Troubleshooting Checklist
Begin troubleshooting IP-ACLs by checking the following issues:
Common Troubleshooting Tools in Fabric Manager
Choose Switches > Security > IP ACL to access IP-ACL configuration.
Common Troubleshooting Commands in the CLI
The following commands may be useful in troubleshooting IP-ACL issues:
• show ip access-list
• show ipv6 access-list
• show interface
• Use the log-deny option at the end of a filter condition to log information about packets that match dropped entries. The log output displays the ACL number, permit or deny status, and port information. Use the following CLI commands to ensure that the debug messages are logged to the logfile for the kernel and ipacl facilities:
  – logging logfile SyslogFile 7
  – logging level kernel 7
  – logging level ipacl 7
IP-ACL Issues
This section describes troubleshooting ACLs and includes the following topics:
• All Packets Are Blocked
• No Packets Are Blocked
• PortChannel Not Working with ACL
• Cannot Remotely Connect to Switch
Checklist (check off each item):
• Verify licensing requirements. See the Cisco MDS 9000 Family Fabric Manager Configuration Guide.
• Verify that the access list has been applied to the interface.
• Verify that the access list is not empty.
• Verify the order of the rules in the access list.
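
The three access-list checks above (applied to an interface, not empty, rule order) can be run offline against an exported rule set. The following Python is an added example, not Cisco code or switch output; the Rule model, the list and interface names, and the sample data are constructed, and it assumes first-match evaluation with a final fall-through deny.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches every protocol
    src: str     # source network, CIDR notation
    dst: str     # destination network, CIDR notation

def _net(cidr):
    return ipaddress.ip_network(cidr)

def covers(a, b):
    """True when every packet that matches rule b also matches rule a."""
    return (a.proto in ("ip", b.proto)
            and _net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst)))

def evaluate(rules, proto, src, dst):
    """First matching rule wins; the fall-through deny is an assumption."""
    for r in rules:
        if (r.proto in ("ip", proto)
                and ipaddress.ip_address(src) in _net(r.src)
                and ipaddress.ip_address(dst) in _net(r.dst)):
            return r.action
    return "deny"

def audit(acls, applied):
    """Checklist findings: list applied, list not empty, rule order."""
    findings = []
    for name, rules in acls.items():
        if name not in applied.values():
            findings.append(f"{name}: not applied to any interface")
        if not rules:
            findings.append(f"{name}: empty")
        for i, later in enumerate(rules):
            for j in range(i):
                if covers(rules[j], later):
                    findings.append(f"{name}: rule {i + 1} is shadowed by rule {j + 1}")
                    break
    return findings

# Constructed sample data, not output from a real switch.
ACLS = {
    "MGMT": [Rule("deny", "ip", "10.0.0.0/8", "0.0.0.0/0"),
             Rule("permit", "tcp", "10.1.1.0/24", "0.0.0.0/0")],
    "UNUSED": [],
}
APPLIED = {"mgmt0": "MGMT"}
```

In the sample, the broad deny placed first shadows the narrower permit, so traffic from 10.1.1.0/24 is dropped until the two rules are swapped.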