Using the show commands described earlier reveals most of the more common ACL errors. The most common errors are entering ACEs in the wrong order and not applying adequate criteria to the ACL rules.

Error Example 1

In the figure, host 192.168.10.10 has no connectivity with 192.168.30.12. When viewing the output of the show access-lists command, matches are shown for the first deny statement. This is an indicator that this statement has been matched by traffic.

Solution - Look at the order of the ACEs. Host 192.168.10.10 has no connectivity with 192.168.30.12 because of the position of rule 10 in the access list. Because the router processes ACLs from the top down and stops at the first match, statement 10 denies host 192.168.10.10, so statement 20 can never be matched. Statements 10 and 20 should be reversed. The last line allows all other non-TCP traffic that falls under IP (ICMP, UDP, etc.).
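The following Python script is an added illustration of the top-down, first-match behaviour described above; it is not part of the original material and does not reproduce the figure. The three ACEs it evaluates are constructed to fit the description (a deny covering host 192.168.10.10 at sequence 10, the intended permit at sequence 20, and a final permit ip any any), so the exact addresses and wildcards in the deny line are assumptions. The script parses the ACEs, counts matches the way show access-lists does, and shows that reversing statements 10 and 20 restores connectivity.

```python
"""Simulate top-down, first-match evaluation of a Cisco-style extended ACL (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    matches: int = 0                 # counter reported by 'show access-lists'


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    prefix = 32 - bin(wildcard).count("1")       # contiguous wildcard mask assumed
    return ipaddress.ip_network((tok, prefix), strict=False)


def parse_acl(text: str) -> List[Ace]:
    """Parse lines of the form 'SEQ permit|deny PROTO SRC DST' (named-ACL syntax)."""
    acl = []
    for line in text.strip().splitlines():
        tokens = line.split()
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        rest = tokens[3:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        acl.append(Ace(seq, action, proto, src, dst))
    return acl


def evaluate(acl: List[Ace], proto: str, src: str, dst: str) -> Tuple[Optional[int], str]:
    """Walk the ACL top-down; the first matching ACE wins, otherwise the implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):      # 'ip' matches every IP protocol
            continue
        if s in ace.src and d in ace.dst:
            ace.matches += 1
            return ace.seq, ace.action
    return None, "deny"                          # implicit deny any at the end of every ACL


def swap_aces(acl: List[Ace], seq_a: int, seq_b: int) -> List[Ace]:
    """Return a new ACL with two ACEs exchanged; sequence numbers stay with their positions."""
    by_seq = {a.seq: a for a in acl}
    order = [seq_b if a.seq == seq_a else seq_a if a.seq == seq_b else a.seq for a in acl]
    return [Ace(old.seq, by_seq[s].action, by_seq[s].proto, by_seq[s].src, by_seq[s].dst)
            for old, s in zip(acl, order)]


def show_access_list(acl: List[Ace]) -> List[str]:
    """Render lines similar to 'show access-lists', including the match counters."""
    return [f"{a.seq} {a.action} {a.proto} {a.src} {a.dst}"
            + (f" ({a.matches} matches)" if a.matches else "")
            for a in acl]


# Constructed ACL matching the error description: statement 10 denies the host
# before statement 20 can permit it; statement 30 admits all other IP traffic.
ACL_AS_CONFIGURED = """
10 deny tcp 192.168.10.0 0.0.0.255 any
20 permit tcp host 192.168.10.10 host 192.168.30.12
30 permit ip any any
"""

if __name__ == "__main__":
    acl = parse_acl(ACL_AS_CONFIGURED)
    print(evaluate(acl, "tcp", "192.168.10.10", "192.168.30.12"))    # (10, 'deny')
    print("\n".join(show_access_list(acl)))                         # seq 10 shows 1 match
    fixed = swap_aces(acl, 10, 20)
    print(evaluate(fixed, "tcp", "192.168.10.10", "192.168.30.12"))  # (10, 'permit')
```

The match counter on the deny line is the same clue the text points to: a growing counter on a deny that sits above the intended permit is a strong sign that the ordering, not the criteria, is wrong.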