APIC-EM Path Trace ACL Analysis Tool

In a previous lesson, I explained how to install APIC-EM and some of its basics. In this lesson, we’ll take a look at the path trace ACL analysis tool which is one of the topics on the blueprint of CCNA R&S.

In a previous lesson, I explained how to install APIC-EM and some of its basics. In this lesson, we'll take a look at the path trace ACL analysis tool which is one of the topics on the blueprint of CCNA R&S. I will use the following physical topology for this example: I used this to build the fo


I will use the following physical topology for this example:

apic em physical lab topology

I used this to build the following logical topology:

apic em logical topology lab

The routers above are running OSPF.  Let’s see if we can trace some traffic.

Configurations

Want to take a look for yourself? Here you will find the startup configuration of each device.

R1

hostname R1
!
enable password Cisco123
!
ip domain name NETWORKLESSONS.LOCAL
!
username admin password 0 Cisco123
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.13.1 255.255.255.0
!
router ospf 1
 network 192.168.12.0 0.0.0.255 area 0
 network 192.168.13.0 0.0.0.255 area 0
!
snmp-server community readonly RO
snmp-server community readwrite RW
!
line vty 5 9
 login local
 transport input ssh
!
end

R2

hostname R2
!
enable password Cisco123
!
ip domain name NETWORKLESSONS.LOCAL
username admin password 0 Cisco123
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.23.2 255.255.255.0
!
router ospf 1
 network 192.168.12.0 0.0.0.255 area 0
 network 192.168.23.0 0.0.0.255 area 0
!
ip access-list extended NO_SSH
 deny   tcp host 192.168.12.1 any eq 22
 permit ip any any
!
snmp-server community readonly RO
snmp-server community readwrite RW
!
line vty 5 9
 login local
 transport input ssh
!
end

R3

hostname R3
!
enable password Cisco123
!
ip domain name NETWORKLESSONS.LOCAL
username admin password 0 Cisco123
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.13.3 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.23.3 255.255.255.0
!
router ospf 1
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.13.0 0.0.0.255 area 0
 network 192.168.23.0 0.0.0.255 area 0
!
ip http server
!
snmp-server community readonly RO
snmp-server community readwrite RW
!
line vty 5 9
 login local
 transport input ssh
!
end

SW1

hostname SW1
!
enable password Cisco123
!
username admin password 0 Cisco123
!
ip domain-name NETWORKLESSONS.LOCAL
!
interface FastEthernet0/1
 switchport access vlan 12
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 12
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 13
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport access vlan 12
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 12
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip access-group R1_R3_HTTP in
!
interface Vlan12
 ip address 192.168.12.100 255.255.255.0
!
ip default-gateway 192.168.12.1
ip classless
!
ip access-list extended R1_R3_HTTP
 deny   tcp host 192.168.13.1 host 3.3.3.3 eq www
 permit ip any any
!
snmp-server community readonly RO
snmp-server community readwrite RW
!
line vty 5 9
 login local
 transport input ssh
line vty 10 15
 login
!
end

SW2

hostname SW2
!
enable password Cisco123
!
username admin password 0 Cisco123
!
ip domain-name NETWORKLESSONS.LOCAL
!
interface FastEthernet0/1
 switchport access vlan 13
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 23
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 23
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport access vlan 12
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 12
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan12
 ip address 192.168.12.101 255.255.255.0
!
ip default-gateway 192.168.12.1
!
snmp-server community readonly RO
snmp-server community readwrite RW
!
line vty 5 9
 login local
 transport input ssh
line vty 10 15
 login
!
end

In the menu on the left side, select Path Trace:

apic em menu path trace

Select “Start new Path Trace”:

apic em start new path trace

Now we can enter a source and destination. Let’s select R1 as the source:

apic em menu path trace source router

Once you select the device, you can select one of its interfaces. Let’s pick FastEthernet 0/1:

apic em r1 interface fastethernet two

For the destination, we will use R3 and its loopback interface. We will select options and choose TCP as our protocol with destination port 80. For the source port, I’ll pick 50001. Make sure you select ACL trace:

apic em start new path trace acl option

Click on Start Trace and APIC-EM will do its magic. You will see the following screen:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 655 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

535 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags:


Forum Replies

  1. This is really Beautiful Tool.
    Thanks Rene!

  2. This is really sweet and informative, since I deal with ACLs consistently at work. Thanks again for the great work.

Ask a question or join the discussion by visiting our Community Forum