
Network Configuration Manager (NCM) 7.7 Administrator Guide: Cisco ASA ACL rules

Overlapping ACL rules

Created by Melanie Boyd, last modified by Melanie Boyd on Sep 26, 2017


Cisco ASAs evaluate the entries in an access list in order, from top to bottom, and apply the first entry that matches a packet; later entries are not consulted for that packet. Overlapping rules occur when some or all of the traffic that a rule would process has already been matched by an earlier rule in the same access list. When you view ACL rules for a Cisco ASA firewall, SolarWinds NCM displays a warning icon next to each overlapping rule.

Finding and eliminating overlapping rules reduces the size of the rule set, making it easier to manage, and also helps you confirm that the rules achieve the intended results. The warning identifies the overlapping pair but not which of the two rules is wrong: the later rule might be obsolete, or it might be an exception that was meant to come first. Review the intent of both rules before deleting or reordering either one.

NCM detects four types of overlapping rules:

Fully shadowed rules

A fully shadowed rule is detected when:

  • The criteria for one rule matches all of the traffic covered by a second rule.
  • The two rules apply different actions.

The second rule is fully shadowed by the first. The rules conflict, but the shadowed rule is never applied to any traffic because it comes later in the access list. If the shadowed rule is the intended behavior for that traffic, move it above the rule that shadows it; if it is not, remove it. For example:

(Figure: FullyShadowedRule.png)

Partially shadowed rules

A partially shadowed rule is detected when:

  • The criteria for one rule matches some of the traffic covered by a second rule.
  • The two rules apply different actions.

The second rule is partially shadowed by the first. It is applied to only some of the intended traffic. For example:

(Figure: PartiallyShadowedRule.png)

In some cases, a partially shadowed rule might be intentional. For example, you might want to permit traffic from specific IP addresses to a server, followed by a rule that denies all other traffic to that server. The deny rule is reported as partially shadowed by the permit rules, but that is exactly the first-match behavior you want, so do not remove it.

Fully redundant rules

A fully redundant rule is detected when:

  • The criteria for one rule matches all of the traffic covered by a second rule.
  • The two rules apply the same action.

The second rule is fully redundant because of the first. It is never applied to any traffic. For example:

(Figure: FullyRedundantRule.png)

Partially redundant rules

A partially redundant rule is detected when:

  • The criteria for one rule matches some of the traffic covered by a second rule.
  • The two rules apply the same action.

The second rule is partially redundant because of the first. It is applied to only some of the intended traffic, because the first rule already matches the rest with the same action. A partially redundant rule does not change what the firewall does, but the two rules can usually be merged or the narrower one removed. For example:

(Figure: PartiallyRedundantRule.png)
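The four categories above are all instances of one pairwise comparison: does an earlier rule match all, some, or none of the traffic a later rule matches, and do the two rules take the same action? The following Python script, an added example that is not SolarWinds NCM code and does not reproduce how NCM performs its analysis, applies that comparison to a small subset of Cisco ASA extended ACE syntax (ip/tcp/udp/icmp, any, host, network-plus-netmask, and a destination port of the form eq, range, gt or lt). The access list it analyzes is constructed for this example; the addresses and object names are not from the original page. It is pairwise, like the categories above: a later rule that is fully covered only by the union of several earlier rules is reported as partially overlapping each of them, not as fully shadowed or fully redundant.

```python
"""Pairwise overlap detector for a subset of Cisco ASA extended ACE syntax.

Added example, not SolarWinds NCM code. Unsupported syntax (source ports,
object-groups, neq, ICMP types, named ports outside PORT_NAMES) raises
ValueError so that a rule is never silently misclassified.
"""
import ipaddress
from dataclasses import dataclass

# Small constructed subset of ASA port names; extend as needed.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}
FULL_PORTS = (0, 65535)   # inclusive range meaning "any destination port"
PORT_OPS = ("eq", "range", "gt", "lt", "neq")


@dataclass(frozen=True)
class Ace:
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: tuple           # inclusive (low, high) destination port range
    text: str


def _parse_net(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    t = tokens[i]
    if t in PORT_OPS:
        raise ValueError("source port matching is not supported by this example")
    if t in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "a.b.c.d m.m.m.m" form: ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def _port(s):
    return PORT_NAMES[s] if s in PORT_NAMES else int(s)


def _parse_ports(tokens, i):
    """Parse an optional destination port operator at tokens[i]."""
    if i >= len(tokens):
        return FULL_PORTS
    op = tokens[i]
    if op == "eq":
        return (_port(tokens[i + 1]), _port(tokens[i + 1]))
    if op == "range":
        return (_port(tokens[i + 1]), _port(tokens[i + 2]))
    if op == "gt":
        return (_port(tokens[i + 1]) + 1, 65535)
    if op == "lt":
        return (0, _port(tokens[i + 1]) - 1)
    raise ValueError(f"unsupported port operator {op!r}")


def parse_ace(line_no, text):
    # access-list NAME extended ACTION PROTO SRC DST [PORT-OP ...]
    tokens = text.split()
    if tokens[:1] != ["access-list"] or tokens[2] != "extended":
        raise ValueError(f"not an extended ACE: {text!r}")
    action, proto = tokens[3], tokens[4]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported ACE: {text!r}")
    src, i = _parse_net(tokens, 5)
    dst, i = _parse_net(tokens, i)
    ports = _parse_ports(tokens, i) if proto in ("tcp", "udp") else FULL_PORTS
    return Ace(line_no, action, proto, src, dst, ports, text)


def covers(first, second):
    """True if every packet matched by `second` is also matched by `first`."""
    return ((first.proto == "ip" or first.proto == second.proto)
            and first.src.supernet_of(second.src)
            and first.dst.supernet_of(second.dst)
            and first.dports[0] <= second.dports[0]
            and first.dports[1] >= second.dports[1])


def overlaps(a, b):
    """True if at least one packet is matched by both rules."""
    return (("ip" in (a.proto, b.proto) or a.proto == b.proto)
            and a.src.overlaps(b.src)
            and a.dst.overlaps(b.dst)
            and max(a.dports[0], b.dports[0]) <= min(a.dports[1], b.dports[1]))


def classify(aces):
    """Return (later_rule, earlier_rule, kind) for every overlapping pair.

    Only an earlier rule's effect on a later one is reported, because the ASA
    applies the first matching entry.
    """
    findings = []
    for j, later in enumerate(aces):
        for earlier in aces[:j]:
            if not overlaps(earlier, later):
                continue
            same = earlier.action == later.action
            if covers(earlier, later):
                kind = "fully redundant" if same else "fully shadowed"
            else:
                kind = "partially redundant" if same else "partially shadowed"
            findings.append((later.line, earlier.line, kind))
    return findings


def analyze(config_text):
    lines = [l.strip() for l in config_text.splitlines() if l.strip().startswith("access-list")]
    return classify([parse_ace(n, l) for n, l in enumerate(lines, 1)])


# Constructed sample: each pair uses its own destination host so the pairs do not interact.
SAMPLE_ACL = """
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny tcp host 198.51.100.7 host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.20 eq 22
access-list OUTSIDE_IN extended deny ip any host 203.0.113.20
access-list OUTSIDE_IN extended permit ip 10.0.0.0 255.0.0.0 host 203.0.113.30
access-list OUTSIDE_IN extended permit tcp host 10.1.1.5 host 203.0.113.30 eq 80
access-list OUTSIDE_IN extended permit udp 172.16.0.0 255.255.255.0 host 203.0.113.40 eq 53
access-list OUTSIDE_IN extended permit udp 172.16.0.0 255.240.0.0 host 203.0.113.40 eq 53
"""

if __name__ == "__main__":
    for later, earlier, kind in analyze(SAMPLE_ACL):
        print(f"rule {later} is {kind} by rule {earlier}")
```

Running the script reports rule 2 as fully shadowed by rule 1, rule 4 as partially shadowed by rule 3 (the intentional permit-then-deny pattern), rule 6 as fully redundant because of rule 5, and rule 8 as partially redundant because of rule 7. Rule 6 and rule 2 can be deleted without changing what the firewall does; rule 4 should stay; rules 7 and 8 can be merged into the wider one.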
