ACL Hits

Hi, I have a question. This ACL is accessed only by the 172.18.0.0 subnet, so I created another ACL placed at the bottom of this ACL.

    any            10.114.172.10   ip     permit
    172.180.0.0    10.114.172.10   ip     permit

The above ACL is getting hits but the second one is not getting hits. I have enabled both rules. Do I need to change the order or disable the first rule? Please give your suggestions.

2 Replies

Jouni Forss
VIP Alumni

Hi,

Is this some ACL on a router or a firewall?

Is there a typo in the network/IP in the ACL? Post says 172.18.0.0 and the ACL 172.180.0.0?

I would presume that since your first rule specifies "any" as the source address it then matches all the connections from the 172.18.0.0/xx (or 172.180.0.0) subnet, and because of this the new rule below it doesn't get any hit counts. That is, if you are looking for ACL hits towards 10.114.172.10.

The first thing would be to determine if there is a typo in the ACL, and after that insert the rule with the correct subnet at the top. Then again, the only effect this would have is that you would see the hit counts from this certain source network, while nothing else would change with regard to the ACL behaviour.

- Jouni

I agree with Jouni.  The first entry matches any source destined for the address 10.114.172.10.  So technically you would not need the second command.

If you want to see matches on the 172.180.0.0      10.114.172.10   ip     permit statement then that needs to be placed above the first rule.

--
Please remember to select a correct answer and rate helpful posts
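The first-match behaviour both replies describe, as an added simulation that is not part of the thread and not a Cisco tool: the two entries from the post are evaluated top-down against a few constructed flows, first in the posted order and then with the subnet entry moved to the top. It assumes the intended source network is 172.18.0.0/16 (the post shows both 172.18.0.0 and 172.180.0.0, and no prefix length) and that, as on Cisco IOS/ASA, the first matching entry takes the hit and decides, with an implicit deny after the last entry.

```python
"""Simulate first-match ACL evaluation and per-entry hit counting.

Added example for the thread above; not code from the original post.
Assumptions: the source subnet is 172.18.0.0/16 (prefix length not given
in the post) and evaluation is top-down with an implicit deny at the end.
"""
import ipaddress
from dataclasses import dataclass

HOST = "10.114.172.10"       # destination host from the post
SUBNET = "172.18.0.0/16"     # assumed source prefix


@dataclass
class Ace:
    """One access-control entry: source, destination, action, hit counter."""
    src: str       # "any", a host address, or a CIDR prefix
    dst: str       # same forms; a bare host address is treated as /32
    action: str    # "permit" or "deny"
    hits: int = 0

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _covers(self.src, src_ip) and _covers(self.dst, dst_ip)


def _covers(spec: str, ip: str) -> bool:
    """True if spec ("any", a host, or a CIDR prefix) contains ip."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def build_acl(specific_first: bool) -> list:
    """The two entries from the thread, in the posted order (broad 'any'
    entry first) or with the subnet entry moved to the top."""
    broad = Ace("any", HOST, "permit")
    narrow = Ace(SUBNET, HOST, "permit")
    return [narrow, broad] if specific_first else [broad, narrow]


def evaluate(acl: list, src_ip: str, dst_ip: str) -> str:
    """First match wins: the first entry that matches takes the hit and
    decides; entries below it are never consulted for this packet."""
    for ace in acl:
        if ace.matches(src_ip, dst_ip):
            ace.hits += 1
            return ace.action
    return "deny"   # implicit deny at the end of every ACL


def run(acl: list, flows: list) -> list:
    """Evaluate every (src, dst) flow and return the list of decisions."""
    return [evaluate(acl, src, dst) for src, dst in flows]


def hit_counts(acl: list) -> list:
    """Hit counter of each entry, in ACL order."""
    return [ace.hits for ace in acl]


# Constructed sample traffic, not captured data.
SAMPLE_FLOWS = [
    ("172.18.4.20", HOST),             # from the subnet of interest
    ("172.18.9.1", HOST),
    ("10.50.1.7", HOST),               # other sources to the same host
    ("192.0.2.5", HOST),
    ("172.18.4.20", "10.114.172.11"),  # other destination: matches nothing
]


if __name__ == "__main__":
    for specific_first in (False, True):
        acl = build_acl(specific_first)
        decisions = run(acl, SAMPLE_FLOWS)
        print("subnet entry first" if specific_first else "posted order")
        for ace in acl:
            print(f"  {ace.src:16} {ace.dst:16} {ace.action:7} hits={ace.hits}")
        print("  decisions:", decisions)
```

In the posted order the "any" entry absorbs every packet to 10.114.172.10 and the subnet entry stays at zero, which is exactly the symptom in the question. With the subnet entry on top it collects the hits from 172.18.0.0/16 and the "any" entry gets the rest, while the permit/deny decision for every flow is identical in both orderings, which is Jouni's point that reordering only changes what the counters show.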