ACL Packet Evaluation Tool


This tool lets you verify the intended action of an ACL. You can use the tool to define a packet and then evaluate whether it would be permitted or denied by an ACL. Test results are presented in the Editor tab, showing which rules allowed or denied the test packet.

  CAUTION: This tool only tests whether or not a defined packet will be denied or allowed based on the ACLs selected for the test. This tool will not verify that the packet will actually hit the selected ACLs based on other router configurations.

Use the following steps to use the Packet Evaluation Tool.

  1. Open the ACL Editor and select the ACL that you want to test in the left-panel tree.
  2. Click the Packet Eval Tool button at the bottom of the ACL Editor window. The ACL Packet Evaluation Tool opens.

    Packet Evaluation Tool

  3. Use the Packet Name drop-down list to select a previously defined packet to use with this test, or enter a new packet name. If you select a previously defined packet, you can use the packet as defined or modify parameters as needed for the current test. You do not need to enter a name if you will not be saving the packet.
  4. Use the IP Protocol drop-down list to select the protocol for this test packet. You can select a pre-defined well-known ID or select Other and enter a number.
  5. Enter the source IP address for this packet.
  6. Enter the destination IP address for this packet.
  7. Use the Source/Destination Port drop-down lists to specify the source/destination protocol port as one of the following values:
    • Don't Care - bypass matching the source/destination port to the source/destination in the ACL rules, effectively matching any source/destination.
    • A pre-defined well-known TCP/UDP port.
    • Other - Select this value and then specify a port number (1 through 65535).
  8. Enter a TOS (Type of Service) value. TOS is the one-byte Type of Service field (in IPv4, or the IPv6 DS, Differentiated Service, field) contained in the IP header of the test packet's frame. The TOS can be set to a specific decimal number between 0 and 255.
     NOTE: IPv4 defines this field as setting the Precedence and Type of Service requested for a packet. IPv6 redefined this field as the DS (Differentiated Service) field containing a DSCP (Differentiated Service Codepoint) value, to define Per-Hop-Behavior (PHB) groups called Expedited Forwarding (EF) and Assured Forwarding (AF). For more information on these PHB groups, refer to RFC 2597 and RFC 2598.
  9. If ICMP is the selected IP Protocol type, a Message Type can be defined to allow or reject traffic based on the ICMP Message Type value. ICMPv6 message types 0 to 127 are error messages; informational messages use message types 128 to 255. When a Message Type is specified, an optional ICMP Message Code (0 to 255) can be used to create a more specific rule.
  10. The TCP connection check box is only enabled if TCP (protocol 6) is selected as the IP Protocol type. Select this check box if the packet being tested is supposed to be part of a TCP session that is already established.
  11. Click Save Packet to save this test packet for future testing. A name must be assigned to the packet before it can be saved.
  12. Click Evaluate Packet to perform the ACL test.

Test results showing which rules allowed or denied the test packet are presented in the Editor tab of the ACL Editor. The particular rules that match the defined packet are noted by a green arrow in the left column. When multiple rules apply, all are noted with an arrow. However, the first rule that matches in the list is the rule that determines whether the packet is forwarded or dropped.
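The first-match behaviour described above, as an added example that is not part of the original page or the ACL Editor's own code: a small Python evaluator that flags every matching rule (the green arrows) and lets the first one decide the action, run against a constructed sample ACL. The Packet and Rule fields, the Don't Care port handling and the implicit deny when nothing matches are assumptions about a generic ACL, not the tool's internals; source port, TOS and ICMP type are left out to keep it short.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = None  # stands in for the tool's "Don't Care" port selection

@dataclass(frozen=True)
class Packet:
    protocol: int                  # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    src: str
    dst: str
    dst_port: Optional[int] = ANY  # source port and TOS are left out of this example
    established: bool = False      # the "TCP connection" check box

@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    protocol: Optional[int] = None  # None: the rule does not constrain this field
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None
    established: bool = False       # True: matches only established TCP sessions

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst, strict=False):
        return False
    # A Don't Care port on the packet side bypasses the port comparison entirely.
    if rule.dst_port is not None and pkt.dst_port is not ANY and rule.dst_port != pkt.dst_port:
        return False
    return pkt.established or not rule.established

def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, List[int]]:
    """Return (decision, indices of every matching rule): all matches are flagged
    but the first one decides. No match -> deny (an assumed implicit deny)."""
    hits = [i for i, rule in enumerate(acl) if rule_matches(rule, pkt)]
    return (acl[hits[0]].action if hits else "deny"), hits

# Constructed sample ACL: allow established TCP into 10/8, block new SSH to one host, permit the rest.
SAMPLE_ACL = [
    Rule("permit", protocol=6, dst="10.0.0.0/8", established=True),
    Rule("deny", protocol=6, dst="10.0.0.5/32", dst_port=22),
    Rule("permit"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, Packet(6, "192.168.1.10", "10.0.0.5", 22)))  # ('deny', [1, 2])
```

A new SSH connection to 10.0.0.5 matches rules 1 and 2 (both would be flagged), but rule 1 comes first, so the packet is denied; the same packet with the established flag set also matches rule 0 and is permitted.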

When you have finished using the Packet Evaluation Tool, close the window and then use the Close Evaluate Rules button in the right-panel of the ACL Editor to remove the green arrows from the Editor tab.
