09-22-2015 01:29 AM - edited 03-11-2019 11:37 PM
Hi Guys
I want to clear unused ACL rules using hit counts to identify what ACLs are in use. The problem is that when I do show access-list, any ACL using an object group splits into several lines, showing an ACL for each member of the group with the same line number. That's all fine, but the hit counts show 0. Does that mean the ACL is not used, or is it a feature fault?
thanks
09-22-2015 06:20 AM
Hi,
Yes, the ACL is NOT used when the hit count is 0.
I believe you can get a hit or increment it if you perform a packet tracer.
09-22-2015 06:25 AM
Hi Michael,
My guess is that you are working on an ASA. If so, it's OK that it splits into several lines, since it depends on what you have in the object-groups: for instance, if it has several subnets then it needs to show a line for each subnet, and if all show 0 then that means no traffic has hit that rule.
Best Regards,
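To turn the answer above into something repeatable for an ACL clean-up, here is an added example (not from the original thread, and not Cisco tooling) that parses text in the shape of ASA `show access-list` output, sums the per-member counters under each object-group line number, and lists the rules whose counters are all 0. The sample output embedded in the block is constructed for the example and only approximates the real ASA format; the expanded member lines are assumed to be indented under their summary line, which is how the ASA prints them.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of ASA "show access-list" output.
# Line 1 uses an object-group, so the ASA prints one summary line and one
# indented line per group member, all with the same line number.
SAMPLE_OUTPUT = """\
access-list OUTSIDE_IN; 6 elements; name hash: 0x12345678
access-list OUTSIDE_IN line 1 extended permit tcp object-group WEB_SRV any eq www (hitcnt=0) 0x1a2b3c4d
  access-list OUTSIDE_IN line 1 extended permit tcp host 192.0.2.10 any eq www (hitcnt=0) 0x2b3c4d5e
  access-list OUTSIDE_IN line 1 extended permit tcp host 192.0.2.11 any eq www (hitcnt=0) 0x3c4d5e6f
access-list OUTSIDE_IN line 2 extended permit tcp any host 192.0.2.20 eq ssh (hitcnt=42) 0x4d5e6f70
access-list OUTSIDE_IN line 3 extended permit udp object-group DNS_SRV any eq domain (hitcnt=8) 0x5e6f7081
  access-list OUTSIDE_IN line 3 extended permit udp host 192.0.2.30 any eq domain (hitcnt=3) 0x6f708192
  access-list OUTSIDE_IN line 3 extended permit udp host 192.0.2.31 any eq domain (hitcnt=5) 0x708192a3
access-list OUTSIDE_IN line 4 extended deny ip any any log (hitcnt=7) 0x8192a3b4
"""

# Matches per-ACE lines; the "name hash" header and anything without a
# "(hitcnt=N)" field are skipped. Leading whitespace marks an expanded member.
ACE_RE = re.compile(
    r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) "
    r".*?\(hitcnt=(?P<hits>\d+)\)"
)


def parse_aces(output):
    """Yield (acl_name, line_number, hits, is_member_line) for each ACE line."""
    for raw in output.splitlines():
        m = ACE_RE.match(raw)
        if m:
            yield m["acl"], int(m["line"]), int(m["hits"]), bool(m["indent"])


def rule_hits(output):
    """Return {(acl_name, line_number): total_hits}.

    For an object-group rule the total is the sum of the indented member
    lines, so the summary line is never double-counted. A rule with no
    members just reports its own counter.
    """
    summary = {}
    members = defaultdict(int)
    for acl, line, hits, is_member in parse_aces(output):
        key = (acl, line)
        if is_member:
            members[key] += hits
        else:
            summary[key] = hits
    return {
        key: members[key] if key in members else summary[key]
        for key in set(summary) | set(members)
    }


def unused_rules(output):
    """Sorted (acl_name, line_number) pairs whose counters are all zero."""
    return sorted(key for key, total in rule_hits(output).items() if total == 0)


if __name__ == "__main__":
    for (acl, line), total in sorted(rule_hits(SAMPLE_OUTPUT).items()):
        print(f"{acl} line {line}: {total} hits")
    print("candidates for removal:", unused_rules(SAMPLE_OUTPUT))
```

In practice you would feed it the saved output of `show access-list` rather than the embedded sample, and, as the thread notes, a zero counter only means no traffic has matched since the counters were last cleared or the box last rebooted, so check how long the counters have been accumulating before treating a rule as dead.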
09-22-2015 06:47 AM
Thanks guys.
Yes, it is an ASA. I understand why it splits the ACL, I just didn't know why there were no hits.
I tried a packet tracer and could see it increment the hits on the acl.
thanks for clearing that up for me.