Troubleshooting ACL Configuration on AR Devices: Rule Order and Interface Application
This article explains why a denied PC can still access the Internet on an AR device due to ACL rule ordering and missing external‑interface application, and provides step‑by‑step configuration changes, including revised ACL statements and the required traffic‑filter command.
Problem Description
An ACL is configured on an AR device to permit a whole subnet to access the Internet while denying specific PCs, but the denied PCs are still able to reach the Internet.
Investigation Process
1. Check the ACL configuration. The deny rule must be placed before any permit rule. Example original configuration:
acl 2001
rule 5 permit source 192.168.1.0 0.0.0.255
rule 10 deny source 192.168.1.3 0
2. Verify whether the ACL is applied on the external interface:
int g0/0/1
nat outbound 2001
Root Cause
1. The deny statement was placed after the permit statement. ACL rules are evaluated in ascending rule-number order and the first match wins, so traffic from 192.168.1.3 matched the permit rule (rule 5) and rule 10 was never reached.
2. The ACL was only referenced by nat outbound and was not applied on the external interface with a traffic-filter. Used by NAT alone, the ACL only decides which addresses are translated: the denied internal users are excluded from NAT but their packets are still forwarded, so they can still reach the external network.
Solution
1. Modify the ACL so that the deny rule precedes the permit rule:
acl 2001
rule 5 deny source 192.168.1.3 0
rule 10 permit source 192.168.1.0 0.0.0.255
2. Apply the ACL on the external interface. The traffic-filter command requires a direction keyword; outbound matches the PC's packets as they leave toward the Internet:
int g0/0/1
nat outbound 2001
traffic-filter outbound acl 2001
Recommendations and Summary
1. Pay careful attention to the order of ACL rules; deny rules should appear before permit rules.
2. When blocking PCs by IP address, the ACL must be applied on the external interface with a traffic-filter; if it is only referenced by nat outbound, the blocked IPs are merely excluded from NAT, not prevented from accessing the Internet.
3. If the ACL is applied on the internal interface, the traffic-filter will prevent the PC from reaching the internal gateway; if applied on the external interface, the PC can still reach the internal gateway but cannot access the external network.
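The two points above (first-match rule ordering, and NAT-only versus traffic-filter application) can be checked without a router. The following Python model is an added example written for this article, not Huawei code and not part of the original post: it parses the two ACL texts exactly as shown above, evaluates them with wildcard-mask first-match semantics, and models the external interface as "NAT uses the ACL to choose who is translated; the traffic-filter, when present, uses it to choose who is forwarded". The default action for packets that match no rule (permit) and the interface model are simplifying assumptions, not the VRP implementation.

```python
"""Model of first-match ACL evaluation and of what applying the ACL to
nat outbound versus traffic-filter does to a host's traffic.

Added illustration, not Huawei code: the CLI text below is copied from
the article's configuration; the evaluation and interface semantics are
a simplified model (assumption), not the VRP implementation."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copies of the two ACL configurations shown in the article.
ORIGINAL_ACL = """
acl 2001
rule 5 permit source 192.168.1.0 0.0.0.255
rule 10 deny source 192.168.1.3 0
"""

FIXED_ACL = """
acl 2001
rule 5 deny source 192.168.1.3 0
rule 10 permit source 192.168.1.0 0.0.0.255
"""


@dataclass(frozen=True)
class Rule:
    number: int
    action: str     # "permit" or "deny"
    source: str     # base address, dotted quad
    wildcard: str   # wildcard mask: 0 bits must match, 1 bits are ignored


def parse_acl(text: str) -> List[Rule]:
    """Parse 'rule <n> <permit|deny> source <addr> <wildcard>' lines."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] != "rule":
            continue  # skip the 'acl 2001' header
        number, action, addr, wc = int(parts[1]), parts[2], parts[4], parts[5]
        if wc == "0":              # shorthand for an exact host match
            wc = "0.0.0.0"
        rules.append(Rule(number, action, addr, wc))
    return rules


def rule_matches(rule: Rule, src_ip: str) -> bool:
    """Wildcard-mask comparison: only bits that are 0 in the mask are compared."""
    ip = int(ipaddress.IPv4Address(src_ip))
    base = int(ipaddress.IPv4Address(rule.source))
    care = ~int(ipaddress.IPv4Address(rule.wildcard)) & 0xFFFFFFFF
    return (ip & care) == (base & care)


def evaluate(acl: List[Rule], src_ip: str,
             default: str = "permit") -> Tuple[str, Optional[int]]:
    """First match wins, in ascending rule-number order.
    Packets matching no rule get the default (modelled here as permit)."""
    for rule in sorted(acl, key=lambda r: r.number):
        if rule_matches(rule, src_ip):
            return rule.action, rule.number
    return default, None


def outbound_interface(acl: List[Rule], src_ip: str, filter_applied: bool) -> dict:
    """Simplified model of the external interface (assumption):
    - 'nat outbound 2001' uses the ACL only to decide who gets translated;
    - 'traffic-filter outbound acl 2001', if present, decides who is forwarded."""
    action, _ = evaluate(acl, src_ip)
    permitted = action == "permit"
    return {
        "natted": permitted,
        "forwarded": permitted if filter_applied else True,
    }


if __name__ == "__main__":
    pc = "192.168.1.3"
    for name, text in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        acl = parse_acl(text)
        print(name, "order:", evaluate(acl, pc),
              "| nat only:", outbound_interface(acl, pc, False),
              "| nat + filter:", outbound_interface(acl, pc, True))
```

Running the script shows the original order permitting 192.168.1.3 at rule 5 (rule 10 never consulted), and the fixed order denying it at rule 5 while the rest of 192.168.1.0/24 still hits the permit rule. With the fixed ACL but no traffic-filter, the model reports the host as not translated yet still forwarded, which is the "bypasses NAT but still reaches the Internet" symptom; only with the filter applied is the host stopped.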