6.4 Verify ACLs using the APIC-EM Path Trace ACL analysis tool

This simple little section took me over 3 weeks to finally complete. Now, I wasn’t studying for those whole weeks, just failing to get this APIC-EM to boot/install.
I eventually had to upgrade my $180 server to a $380 server by buying more RAM ($120) and two CPUs ($80).
Now it has just enough compute power to run the APIC-EM (2x 3 GHz CPUs and 64 GB RAM).
Now on with the job:

After configuring a very long lab I finally got the APIC-EM path tracing working.
On router 4 I configured an ACL blocking all traffic to PC3:
 interface Ethernet0/1
 ip address
 ip access-group 100 out
 ! snip
 access-list 100 deny ip any host

I first confirmed the ACL worked (here are some Wireshark packet captures):
Then ran the APIC-EM Path Trace Tool:
The APIC-EM confirms that the ACL list is in place.
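
As an added example (not part of the original post and not APIC-EM's own code), here is the check an ACL path trace reports, written in Python: a flow is evaluated against the ACL at each hop using IOS first-match and implicit-deny semantics. The addresses are constructed placeholders, since the post's are elided, and all function names are hypothetical.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _take(tok):
    """Consume one address spec ('any', 'host A', 'A WILDCARD') -> ((addr, wildcard), rest)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def parse_acl(config, number):
    """Collect (action, src, dst) from 'access-list <number> permit|deny ip ...' lines."""
    aces = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 6 and tok[:2] == ["access-list", str(number)] and tok[3] == "ip":
            src, rest = _take(tok[4:])
            aces.append((tok[2], src, _take(rest)[0]))
    return aces

def _match(spec, ip):
    addr, wildcard = spec  # wildcard bits set to 1 are "don't care"
    return ((addr ^ ip) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(aces, src, dst):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for n, (action, a_src, a_dst) in enumerate(aces, 1):
        if _match(a_src, _ip(src)) and _match(a_dst, _ip(dst)):
            return action, f"ACE {n}"
    return "deny", "implicit deny"

def trace(path, src, dst):
    """path: [(device, interface, direction, aces)] in hop order; stops at the first deny."""
    hops = []
    for dev, intf, direction, aces in path:
        action, why = evaluate(aces, src, dst)
        hops.append((dev, intf, direction, action, why))
        if action == "deny":
            break
    return hops

# Constructed config: the page's addresses are elided, so 192.0.2.30 stands in for PC3.
R4_CONFIG = "interface Ethernet0/1\n ip access-group 100 out\naccess-list 100 deny ip any host 192.0.2.30\n"
PATH = [("R4", "Ethernet0/1", "out", parse_acl(R4_CONFIG, 100))]

if __name__ == "__main__":
    print([trace(PATH, "198.51.100.10", d) for d in ("192.0.2.30", "192.0.2.31")])
```

Traffic to 192.0.2.31 is also denied, this time by the implicit deny: a list containing only the deny entry blocks everything leaving that interface unless a permit entry follows it.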

Join the Conversation


  1. Thanks for the post. Was curious to know how this tool is used to verify ACLs. Seems like a lot of work for little to no recognition, so I just wanted to drop a post to say thank you.

    1. Hey mate, it can verify ACLs, but it feels like a gimmick. Took me several days to finally get it working. The best way is to sign up and use Cisco’s free cloud-based simulator to run the software. I couldn’t get it to run on my own hardware well.
      As for how it works – I think it just pulls the configs from the routers and analyses them… nothing flash
