Cisco Support Community

New Member

interface ACL counters


Newbie here... 2 questions:

1. Say you do "sh access-list 109", and see something like this:

..permit tcp any any established

..permit udp any any eq bootps (116125 matches)

..permit icmp any any (782 matches)

..permit udp eq domain

..permit tcp eq domain

..deny ip any (594854 matches)

..permit ip any (4623174 matches)

Would you want to re-enter the access list entries in descending count order? Or maybe not. I see that sorting this list in descending count order produces this:

..access-list 109 deny ip any

..access-list 109 permit udp any any eq bootps

This order prevents some hits on the 2nd entry that were permitted in the original order... Right?

Would you remove the entries that are getting zero hits?

2. There's an implicit deny at the end of an access list. But, if you included an explicit, "deny ip any any" as your last statement, wouldn't that help by letting you get a count of traffic that got that far?

Generally speaking, while I get rules of ACLs conceptually speaking, I have no actual experience. I'm looking for ways to understand the effects of changes, and to evaluate if ACLs have unnecessary entries, or even contradictory entries...


Hall of Fame Super Silver

Re: interface ACL counters


You are asking a good question about a topic that is quite complex and subtle. There are several things that one must be thinking about when you start to optimize an access list. I believe that two of these are:

1) Is the access list achieving the intended result? Is the right traffic being permitted and the right traffic being denied? To achieve this I usually advocate arranging the access list from most specific to more general (permit or deny hosts, then permit or deny subnets, then permit or deny networks, then permit or deny any). I believe this has the best chance of achieving correct behavior.

2) Is the access list as efficient as possible? To achieve this one would want the access list entries with the most hits to come earliest in the access list. But the danger of this is that you may get the results that you point out where you deny any packet with source address in network 10 before you permit udp bootps from anywhere. As you point out the result is that no one in network 10 can do bootps.

So you need to think carefully as you start to optimize the access list that you do not compromise its functionality.

Your second point is about specifically coding deny any any at the end of the access list. As you point out one benefit of this is that you would then get packet counts of what is falling through. And knowing this can be useful in some circumstances. Many of us do typically code access lists that way. But others do not code the deny any any because it is not needed and they want to minimize the lines in the access list. I do not believe that there is any clear cut answer about which is better.
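As an added example (not from either poster), a small Python simulator that parses "show access-list" lines with their match counts, evaluates packets first-match with the implicit deny, and shows why sorting entries by hit count can change what the list permits. The ACL it builds is modelled on the thread; the deny entry's source network 10.0.0.0/8 and the sample packet addresses are assumptions.

```python
import ipaddress

SERVICES = {"bootps": 67, "domain": 53}   # names used in the thread (constructed table)

def _net(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ipaddress accepts a Cisco wildcard (host mask) after the slash, e.g. 10.0.0.0/0.255.255.255
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def parse_ace(line):
    """Parse 'permit|deny proto src dst [eq port] [(N matches)]' as printed by show access-list."""
    body, _, tail = line.partition("(")          # tail is "116125 matches)" when a count is shown
    tokens = body.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _net(tokens), _net(tokens)
    dport = int(SERVICES.get(tokens[1], tokens[1])) if tokens[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "hits": int(tail.split()[0]) if tail else 0}

def evaluate(acl, pkt):
    """First-match evaluation ending in the implicit deny; returns 'permit' or 'deny'."""
    for ace in acl:
        if (ace["proto"] in ("ip", pkt["proto"]) and pkt["src"] in ace["src"]
                and pkt["dst"] in ace["dst"] and ace["dport"] in (None, pkt["dport"])):
            return ace["action"]
    return "deny"

def sort_by_hits(acl):
    return sorted(acl, key=lambda a: a["hits"], reverse=True)  # the reorder the question proposes

def changed_verdicts(original, reordered, packets):
    """Packets whose verdict differs between two orderings; an empty list means the reorder is safe."""
    return [p for p in packets if evaluate(original, p) != evaluate(reordered, p)]

def pkt(proto, src, dst, dport=None):
    return {"proto": proto, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst), "dport": dport}

# Constructed ACL modelled on the thread; the deny's source network 10.0.0.0/8 is an assumption.
ORIGINAL = [parse_ace(l) for l in ("permit udp any any eq bootps (116125 matches)",
                                   "deny ip 10.0.0.0 0.255.255.255 any (594854 matches)",
                                   "permit ip any any (4623174 matches)")]
DENY_FIRST = [ORIGINAL[1], ORIGINAL[0], ORIGINAL[2]]   # the order the question shows after sorting
# A DHCP request from network 10: permitted as written, dropped once the deny is moved first.
DHCP_FROM_NET10 = pkt("udp", "10.1.1.5", "255.255.255.255", 67)
```

Running changed_verdicts over a representative set of packets before committing a reordered list is the check the reply recommends; note that a pure sort by hit count here would move "permit ip any any" to the top and undo the deny entirely.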


