Confirming if access-lists are working!

Feb 8th, 2012
Hi friends,

I had this small query; I am sure it would be fairly simple for anyone using ACLs quite often to advise me.

If we have an access-list created but not applied to an interface, and do "sho access-lists", will it still show me hit counts? This is normal, right?

The only thing is that the rule is not being actioned.


Example below:

Router#sho access-lists
Extended IP access list 101
    10 permit ip 10.0.0.0 0.0.0.255 any
Extended IP access list 150
    10 permit ip host 10.0.0.160 any (4424 matches)
    20 permit ip host 10.0.0.15 any (3635 matches)
    30 permit ip host 10.0.0.11 any (97680 matches)
    40 permit ip host 10.0.0.10 any (2271613 matches)
    50 permit ip host 10.0.0.251 any (1 match)
    60 permit ip host 10.0.0.171 any (174 matches)
    70 permit ip host 10.0.0.124 any (10084 matches)
    80 permit ip host 10.0.0.183 any (5195 matches)
    90 permit ip host 10.0.0.172 any (34856 matches)
    100 permit ip host 10.0.0.186 any (6623 matches)



Please correct me if I am wrong.


Thanks!


Regards.


ajay chauhan Thu, 02/09/2012 - 08:33

If the ACL is not applied to an interface, it won't increase hit counts.

Mohit Chauhan Thu, 02/09/2012 - 08:57
Hi ajay

So the matches in the brackets in the output above would mean hits, right?




Correct Answer
ahmad82pkn Thu, 02/09/2012 - 11:01
A counter in brackets means the ACL is hit for sure.

If it's not applied at this time, maybe it was applied earlier; the hit counter will remain unless you reboot the firewall or delete/create the ACL again.

Correct Answer
ajay chauhan Thu, 02/09/2012 - 11:15

I agree with Ahmad-


You should check if these counters are increasing; as I said, they should not increase if not applied to an interface.
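One way to act on the advice above, as an added example that is not from this thread: parse two "show access-lists" snapshots taken a few minutes apart and report which entries' counters actually grew (the sample output below is constructed, not the poster's). A counter that stays flat proves nothing either way, since a stale count can be left over from an earlier application, so only growth between snapshots confirms the ACL is being hit.

```python
import re
from typing import Dict, Tuple

# Constructed sample snapshots of "show access-lists", a few minutes apart.
SNAPSHOT_1 = """\
Extended IP access list 101
    10 permit ip 10.0.0.0 0.0.0.255 any
Extended IP access list 150
    10 permit ip host 10.0.0.160 any (4424 matches)
    20 permit ip host 10.0.0.15 any (3635 matches)
    50 permit ip host 10.0.0.251 any (1 match)
"""
SNAPSHOT_2 = """\
Extended IP access list 101
    10 permit ip 10.0.0.0 0.0.0.255 any
Extended IP access list 150
    10 permit ip host 10.0.0.160 any (4500 matches)
    20 permit ip host 10.0.0.15 any (3635 matches)
    50 permit ip host 10.0.0.251 any (1 match)
"""

ACL_HDR = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
# sequence number, rule text, optional "(N match/matches)" suffix
ACE = re.compile(r"^\s+(\d+)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

def parse_access_lists(text: str) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Map (acl name, sequence) -> (rule text, match count); no counter shown == 0."""
    entries = {}
    acl = None
    for line in text.splitlines():
        m = ACL_HDR.match(line)
        if m:
            acl = m.group(1)
            continue
        m = ACE.match(line)
        if m and acl is not None:
            seq, rule, hits = m.groups()
            entries[(acl, int(seq))] = (rule, int(hits or 0))
    return entries

def counter_deltas(before: str, after: str) -> Dict[Tuple[str, int], int]:
    """Entries whose match counter grew between the two snapshots: those are live."""
    a, b = parse_access_lists(before), parse_access_lists(after)
    return {k: b[k][1] - a[k][1] for k in a if k in b and b[k][1] > a[k][1]}

def is_enforcing(before: str, after: str, acl: str) -> bool:
    """True when any entry of the named ACL accumulated hits between the snapshots."""
    return any(name == acl for name, _ in counter_deltas(before, after))

if __name__ == "__main__":
    for (name, seq), delta in counter_deltas(SNAPSHOT_1, SNAPSHOT_2).items():
        print(f"ACL {name} seq {seq}: +{delta} matches")
```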

Mohit Chauhan Sun, 02/12/2012 - 23:11
Thanks guys, it was indeed a good help. There was no access-list applied to any interface; it was just used for NAT. Stupid me, I didn't notice that.

Cheers!
