
acl-name in access-list requirements

suwaisfa_Sec
Level 1

Hi,

I would like to ask about the acl-name in access-list.
Does it act as a link between the ACL and an interface?
Or could it be written as anything, without any constraints?

Such as
access-list test_ACL extended permit tcp host 10.105.10.22 host 10.140.180.35 eq ssh

Is it OK?
Or should test_ACL be defined somewhere prior to using it in the ACL?

19 Replies

You should be able to see hits on the ACL if it is in use.

You could run the command show run | in <ACL name>

If it shows up in more places than in the ACL configuration then it is in use elsewhere.  If it is just showing up in the ACL config then it should be safe to remove.

--

Please remember to select a correct answer and rate helpful posts


Hi

I ran the command

show run | in inside_access_in

and all it showed was ACL lines and no others.

To check more, is there a way to check if there are any hits on it?

Just issue the command show access-list <access-list name>

--

Please remember to select a correct answer and rate helpful posts


Hi

I checked another ACL, which has a class-map defined,
and the first command resulted in:

Merit-FWSM/450# show run | in INC00167377
access-list INC00167377 extended permit tcp host 10.61.194.16 host 10.164.239.129 eq ssh
class-map INC00167377
match access-list INC00167377
class INC00167377
Merit-FWSM/450#

where the ACL hits show as
access-list No INC00167377; 1 elements
access-list No INC00167377 line 1 extended permit tcp host 10.61.194.16 host 10.164.239.129 eq ssh (hitcnt=0) 0xa00df9bf

OK, now we know it's not used.
So, could we consider it a generic rule, as any ACL, to be active ACL, it needs to be attached to pre-defined interface?

as any ACL, to be active ACL, it needs to be attached to pre-defined interface?

This has already been answered and you are asking the same question again.

An ACL does not need to be attached to an interface to be active, as Marius said quite a few posts back, because ACLs are not used just for controlling traffic between interfaces.

Jon
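
An added example (not from the thread's participants or from Cisco) that automates the two checks suggested in the replies: finding mentions of an ACL name outside its own access-list lines, and reading hit counts from show access-list output. The inside_access_in rule, its access-group line, the second hit count and hash are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample config: the thread's INC00167377 and test_ACL lines, plus
# a hypothetical inside_access_in rule bound to an interface with access-group.
RUNNING_CONFIG = """\
access-list INC00167377 extended permit tcp host 10.61.194.16 host 10.164.239.129 eq ssh
access-list inside_access_in extended permit ip any any
access-list test_ACL extended permit tcp host 10.105.10.22 host 10.140.180.35 eq ssh
access-group inside_access_in in interface inside
class-map INC00167377
 match access-list INC00167377
"""

# Constructed `show access-list` output; the second hit count and hash are made up.
SHOW_ACCESS_LIST = """\
access-list INC00167377; 1 elements
access-list INC00167377 line 1 extended permit tcp host 10.61.194.16 host 10.164.239.129 eq ssh (hitcnt=0) 0xa00df9bf
access-list inside_access_in; 1 elements
access-list inside_access_in line 1 extended permit ip any any (hitcnt=4211) 0x1a2b3c4d
"""

def acl_references(config):
    """Map each ACL name to the config lines, other than its own rules, that mention it."""
    refs = {name: [] for name in re.findall(r"^access-list (\S+) ", config, re.M)}
    for line in config.splitlines():
        if line.startswith("access-list "):
            continue  # the ACL's own rule lines are definitions, not uses
        # Whole-token match, so test_ACL does not also match test_ACL2.
        for name in sorted(set(line.split()) & set(refs)):
            refs[name].append(line.strip())
    return refs

def hit_counts(show_output):
    """Sum the (hitcnt=N) values per ACL name across its entry lines."""
    totals = {}
    pattern = r"^access-list (\S+) line \d+ .*\(hitcnt=(\d+)\)"
    for name, hits in re.findall(pattern, show_output, re.M):
        totals[name] = totals.get(name, 0) + int(hits)
    return totals

def report(config, show_output):
    """Combine both checks; hits is None when the ACL is absent from the output."""
    hits = hit_counts(show_output)
    return {name: {"referenced_by": lines, "hits": hits.get(name)}
            for name, lines in acl_references(config).items()}

if __name__ == "__main__":
    for name, info in sorted(report(RUNNING_CONFIG, SHOW_ACCESS_LIST).items()):
        print(name, info)
```

A mention is only a lead to review: in this sample, class-map INC00167377 is a class-map that shares the name, while match access-list INC00167377 is the line that actually references the ACL.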
