In a conventional network, when packets are dropped somewhere in the network due to an access list denial, it may be difficult to discover a particular router blocking the packets. In addition, it may be difficult to determine an access control list (ACL) number and/or a match statement in the ACL that blocked the packets. Accordingly, ACL management can become a relatively costly task for system administrators.
Conventional options for handling packets that are dropped in a network can include: (i) a remote ping to confirm whether the packets are blocked or not; (ii) a telnet in the source router, and use of ping/trace route utilities to return an intermediate router blocking the packet, but not the ACL identification and the match statement; (iii) an Internet protocol (IP) service level agreement (SLA) operation (e.g., user datagram protocol (UDP)) that may return the router blocking the packets, but not the ACL identification or the match statement; and (iv) use of an ACL management information base (MIB), which may not return an exact match statement unless ACL logic can be built into the network management system (NMS).