02-08-2012 08:52 PM - edited 03-11-2019 03:26 PM
Hi friends,
I had this small query; I am sure it would be fairly simple for anyone using ACLs quite often to advise me.
If we have an access-list created but not applied to an interface, and do "sho access-lists", will it still show me hit-counts? This is normal, right?
The only thing is that the rule is not being actioned.
Example below:
Router#sho access-lists
Extended IP access list 101
10 permit ip 10.0.0.0 0.0.0.255 any
Extended IP access list 150
10 permit ip host 10.0.0.160 any (4424 matches)
20 permit ip host 10.0.0.15 any (3635 matches)
30 permit ip host 10.0.0.11 any (97680 matches)
40 permit ip host 10.0.0.10 any (2271613 matches)
50 permit ip host 10.0.0.251 any (1 match)
60 permit ip host 10.0.0.171 any (174 matches)
70 permit ip host 10.0.0.124 any (10084 matches)
80 permit ip host 10.0.0.183 any (5195 matches)
90 permit ip host 10.0.0.172 any (34856 matches)
100 permit ip host 10.0.0.186 any (6623 matches)
Please correct me if I am wrong.
Thanks!
Regards.
02-09-2012 11:01 AM
The counter in brackets means the ACL is hit for sure.
If it's not applied at this time, maybe earlier it was applied; the hit counter will remain unless you reboot the firewall or delete/create the ACL again.
02-09-2012 11:15 AM
I agree with Ahmad-
You should check if these counters are increasing; as I said, they should not increase if not applied to an interface.
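The check suggested above (are the counters still moving, or are they a leftover from an earlier binding?) is easy to automate. The script below is an added example and not part of this thread: it parses two saved copies of `show access-lists` output and reports only the entries whose match counters grew between the two captures. Both snapshots here are constructed from the output posted in the question, with the second one edited so that two entries have advanced; point it at your own captures taken a few minutes apart.

```python
import re

# Constructed first snapshot, trimmed from the output in the question.
SNAPSHOT_1 = """\
Router#sho access-lists
Extended IP access list 101
    10 permit ip 10.0.0.0 0.0.0.255 any
Extended IP access list 150
    10 permit ip host 10.0.0.160 any (4424 matches)
    20 permit ip host 10.0.0.15 any (3635 matches)
    50 permit ip host 10.0.0.251 any (1 match)
"""

# Constructed second snapshot "taken later": seq 10 and 50 of ACL 150 advanced, seq 20 did not.
SNAPSHOT_2 = """\
Router#sho access-lists
Extended IP access list 101
    10 permit ip 10.0.0.0 0.0.0.255 any
Extended IP access list 150
    10 permit ip host 10.0.0.160 any (4501 matches)
    20 permit ip host 10.0.0.15 any (3635 matches)
    50 permit ip host 10.0.0.251 any (3 matches)
"""

ACL_HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)$")
# seq, action, rule body, optional "(N match|matches)" suffix
ACE_LINE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?$")


def parse_show_access_lists(text):
    """Return {acl_name: {seq: (rule_text, match_count)}}.

    IOS omits the "(N matches)" suffix until an entry has been hit at least
    once, so entries without a suffix are recorded with a count of 0.
    """
    acls = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls[current] = {}
            continue
        if current is None:
            continue  # prompt line or anything before the first ACL header
        ace = ACE_LINE.match(line)
        if ace:
            seq = int(ace.group(1))
            rule = f"{ace.group(2)} {ace.group(3)}"
            count = int(ace.group(4)) if ace.group(4) else 0
            acls[current][seq] = (rule, count)
    return acls


def increased_entries(before, after):
    """List (acl, seq, rule, delta) for every ACE whose counter grew.

    An entry that only exists in the later snapshot is treated as starting
    from 0, so a freshly added line that is already being hit is reported too.
    """
    grown = []
    for acl, entries in after.items():
        for seq, (rule, count) in entries.items():
            previous = before.get(acl, {}).get(seq, (rule, 0))[1]
            if count > previous:
                grown.append((acl, seq, rule, count - previous))
    return grown


if __name__ == "__main__":
    first = parse_show_access_lists(SNAPSHOT_1)
    second = parse_show_access_lists(SNAPSHOT_2)
    for acl, seq, rule, delta in increased_entries(first, second):
        print(f"ACL {acl} seq {seq}: +{delta}  {rule}")
```

If nothing is reported after a reasonable interval, the numbers you see are stale history from an earlier use of the ACL (an interface binding, or as here a NAT or other reference that also counts matches). On IOS you can zero them with `clear access-list counters` to start from a clean baseline instead of diffing.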
02-09-2012 08:33 AM
If the ACL is not applied to an interface it won't increase hit counts.
02-09-2012 08:57 AM
Hi Ajay,
So the matches in the brackets in the output above would mean hits, right?
02-12-2012 11:11 PM
Thanks guys, it was indeed a good help. There was no access-list applied to any interface; it was just used for NAT. Stupid me, I didn't notice that.
Cheers!