11-04-2013 01:02 AM - edited 03-11-2019 07:59 PM
Hi, I have a question. This ACL is accessed only by the 172.18.0.0 subnet, so I created another ACL placed at the bottom of this ACL:
any 10.114.172.10 ip permit
172.180.0.0 10.114.172.10 ip permit
The above ACL is getting hits but the second one is not getting hits. I have enabled both rules. Do I need to change the order or disable the 1st rule? Please give your suggestions.
11-04-2013 01:08 AM
Hi,
Is this some ACL on a router or a firewall?
Is there a typo in the network/IP in the ACL? Post says 172.18.0.0 and the ACL 172.180.0.0?
I would presume that since your first rule specifies "any" as the source address it then matches all the connections from the 172.18.0.0/xx (or 172.180.0.0) subnet, and because of this the new rule below it doesn't get any hitcounts. That is, if you are looking for ACL hits towards 10.114.172.10.
First thing would be to determine if there is a typo in the ACL and after that insert the rule with the correct subnet at the top. Then again, the only effect this would have is that you would see the hitcounts from this certain source network, while nothing else would change with regards to the ACL behaviour.
- Jouni
11-04-2013 01:36 AM
I agree with Jouni. The first entry matches any source destined for the address 10.114.172.10. So technically you would not need the second command.
If you want to see matches on the "172.180.0.0 10.114.172.10 ip permit" statement, then that needs to be placed above the first rule.
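To make the first-match behaviour described in the replies concrete, here is an added example (not code from the thread or from Cisco) that models how an ACL is evaluated top-down with an implicit deny at the end, and counts hits per entry. It assumes the intended source network is 172.18.0.0/16 (the post only gives 172.18.0.0 with no mask) and uses a few constructed sample flows; the entry order in `as_posted()` mirrors the original post and `reordered()` moves the specific entry above the "any" entry.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    """One access-control entry: source, destination, protocol, action, hit counter."""
    src: str      # "any" or a CIDR prefix
    dst: str      # "any" or a CIDR prefix
    proto: str    # "ip" matches every protocol
    action: str   # "permit" or "deny"
    hits: int = 0


def _addr_matches(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise the address must fall inside the prefix."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl: list[Ace], src: str, dst: str, proto: str = "tcp") -> str:
    """First-match semantics: the first ACE that matches wins and gets the hit.
    If nothing matches, the implicit deny at the end of the ACL applies."""
    for ace in acl:
        if ace.proto in ("ip", proto) and _addr_matches(ace.src, src) and _addr_matches(ace.dst, dst):
            ace.hits += 1
            return ace.action
    return "deny"  # implicit deny, not counted on any configured entry


def run_traffic(acl: list[Ace], flows: list[tuple[str, str]]) -> tuple[list[str], list[int]]:
    """Push every flow through the ACL; return the per-flow decisions and per-ACE hit counts."""
    decisions = [evaluate(acl, s, d) for s, d in flows]
    return decisions, [ace.hits for ace in acl]


# Constructed sample flows (not from the original post): two from the 172.18.0.0/16
# subnet, one from elsewhere, and one to a destination no entry covers.
FLOWS = [
    ("172.18.5.20", "10.114.172.10"),
    ("172.18.9.1", "10.114.172.10"),
    ("192.0.2.7", "10.114.172.10"),
    ("172.18.5.20", "10.114.172.11"),
]


def as_posted() -> tuple[list[str], list[int]]:
    """Order from the original post: the 'any' entry shadows the specific one below it."""
    acl = [
        Ace("any", "10.114.172.10/32", "ip", "permit"),
        Ace("172.18.0.0/16", "10.114.172.10/32", "ip", "permit"),  # /16 is an assumption
    ]
    return run_traffic(acl, FLOWS)


def reordered() -> tuple[list[str], list[int]]:
    """Specific entry first: it now collects the hits from 172.18.0.0/16,
    while the overall permit/deny outcome for every flow is unchanged."""
    acl = [
        Ace("172.18.0.0/16", "10.114.172.10/32", "ip", "permit"),  # /16 is an assumption
        Ace("any", "10.114.172.10/32", "ip", "permit"),
    ]
    return run_traffic(acl, FLOWS)


if __name__ == "__main__":
    print("as posted :", as_posted())
    print("reordered :", reordered())
```

Running it shows the second entry at zero hits in the posted order and non-zero once it sits above the "any" entry, while the decision list is identical in both cases, which is exactly why reordering only changes what the hit counters report and not what traffic is permitted.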