6.4 Verify ACLs using the APIC-EM Path Trace ACL analysis tool

This simple little section took me over 3 weeks to finally complete. I wasn't studying for those whole weeks; most of that time went on failing to get this APIC-EM to boot/install.

I eventually had to upgrade my $180 server to a $380 server by buying more RAM ($120) and two CPUs ($80).

Now it has just enough compute power to run the APIC-EM (2x 3 GHz CPUs and 64 GB RAM).

Now on with the job:

After configuring a very long lab, I finally got APIC-EM Path Trace working.
On router 4 I configured an ACL blocking all traffic to PC3 (172.16.0.2), applied outbound on the interface facing it:

 interface Ethernet0/1
  ip address 172.16.0.1 255.255.255.0
  ip access-group 100 out
 ! snip
 access-list 100 deny ip any host 172.16.0.2

Keep in mind that every IOS ACL ends with an implicit deny, so unless the snipped lines include a permit ip any any, this list drops every packet leaving Ethernet0/1, not only those addressed to PC3.

I first confirmed that the ACL worked (Wireshark packet captures below):
[Wireshark screenshots: Screenshot_2018-03-10_22-49-08, Screenshot_2018-03-10_22-48-24]

Then I ran the APIC-EM Path Trace tool:
[Path Trace screenshots: Screenshot_2018-03-10_22-59-03, Screenshot_2018-03-10_22-59-21]


Path Trace confirms that the ACL is in place on the path and reports the entry that blocks the flow.
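As an added illustration (this is not code from the post, nor anything shipped with APIC-EM), the following Python script does offline what the Path Trace ACL analysis does for a single hop: it reads a router config, finds the ACL bound to an interface in a given direction, and evaluates a flow against it top-down, falling through to the implicit deny. The configs are constructed for the example; ROUTER4_CONFIG copies the ACL shown above, and ROUTER4_FIXED adds permit ip any any, so tracing both shows why a lone deny line blocks more than PC3. It only understands numbered extended ACLs with any/host/wildcard addresses and a numeric eq destination port.

```python
"""Offline, first-match evaluation of an IOS numbered extended ACL, in the
spirit of the Path Trace ACL analysis: read the config, find the ACL bound to
an interface/direction, and decide what happens to a given flow."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample configs (not captured from the lab). ROUTER4_CONFIG mirrors
# the ACL shown in the post; ROUTER4_FIXED appends an explicit permit.
ROUTER4_CONFIG = """\
interface Ethernet0/1
 ip address 172.16.0.1 255.255.255.0
 ip access-group 100 out
!
access-list 100 remark block PC3
access-list 100 deny ip any host 172.16.0.2
"""
ROUTER4_FIXED = ROUTER4_CONFIG + "access-list 100 permit ip any any\n"
WILDCARD_CONFIG = """\
access-list 101 permit tcp 10.0.0.0 0.0.0.255 any eq 22
access-list 101 permit icmp any any
"""


def _ip_int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class AddrSpec:
    addr: int       # base address
    wildcard: int   # IOS wildcard mask: 1 bits are "don't care"

    def matches(self, ip: str) -> bool:
        # Bits where the wildcard is 0 must agree with the base address.
        return ((_ip_int(ip) ^ self.addr) & ~self.wildcard & 0xFFFFFFFF) == 0


@dataclass(frozen=True)
class AclEntry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol; else tcp/udp/icmp
    src: AddrSpec
    dst: AddrSpec
    dst_port: Optional[int]  # numeric "eq <port>" on the destination, if any
    text: str                # original line, reported in the trace


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return AddrSpec(0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return AddrSpec(_ip_int(tokens[i + 1]), 0), i + 2
    return AddrSpec(_ip_int(tokens[i]), _ip_int(tokens[i + 1])), i + 2


def parse_acl(config: str, name: str) -> List[AclEntry]:
    """Collect the permit/deny lines of one numbered ACL, in config order."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != name or t[2] not in ("permit", "deny"):
            continue  # skips remarks and unrelated lists
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = int(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
        entries.append(AclEntry(t[2], t[3], src, dst, port, line.strip()))
    return entries


def evaluate(entries, src_ip, dst_ip, proto="tcp", dst_port=None):
    """First matching entry wins; falling off the end is the implicit deny."""
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if not (e.src.matches(src_ip) and e.dst.matches(dst_ip)):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, e.text
    return "deny", "implicit deny at end of access-list"


def interface_acl(config, ifname, direction):
    """ACL name bound to ifname in 'in'/'out', or None if nothing is applied."""
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif line.strip() == "!":
            current = None
        elif current == ifname:
            m = re.match(r"\s*ip access-group (\S+) (in|out)\s*$", line)
            if m and m.group(2) == direction:
                return m.group(1)
    return None


def trace_hop(config, ifname, direction, src_ip, dst_ip, proto="tcp", dst_port=None):
    """One hop of a path trace: which ACL, which line, and the verdict."""
    acl = interface_acl(config, ifname, direction)
    if acl is None:
        return "permit", f"no ACL applied {direction} on {ifname}"
    action, why = evaluate(parse_acl(config, acl), src_ip, dst_ip, proto, dst_port)
    return action, f"access-list {acl} {direction} on {ifname}: {why}"


if __name__ == "__main__":
    for label, cfg in (("as posted", ROUTER4_CONFIG), ("with permit ip any any", ROUTER4_FIXED)):
        for dst in ("172.16.0.2", "172.16.0.3"):
            print(label, "->", dst, trace_hop(cfg, "Ethernet0/1", "out", "10.0.0.5", dst))
```

Run as a script, the "as posted" config denies 172.16.0.3 as well as PC3, via the implicit deny; the fixed config denies only PC3. The wildcard list exercises the non-host address form and the port qualifier.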


2 thoughts on “6.4 Verify ACLs using the APIC-EM Path Trace ACL analysis tool”

  1. Thanks for the post. Was curious to know how this tool is used to verify ACLs. Seems like a lot of work for little to no recognition, so I just wanted to drop a post to say thank you.


    1. Hey mate, it can verify ACLs, but it feels like a gimmick. Took me several days to finally get it working. The best way is to sign up and use Cisco’s free cloud-based simulator to run the software. I couldn’t get it to run on my own hardware well.

      As for how it works, I think it just pulls the configs from the routers and analyses them... nothing flash.

