
Overlapping ACL rules

Created by Melanie Boyd, last modified by Melanie Boyd on Sep 26, 2017


Updated: May 31, 2018

Cisco ASA and Nexus devices evaluate ACL rules in order, from top to bottom, and apply the first rule that matches a packet. Overlapping rules occur when some or all of the traffic that a rule would process has already been processed by a rule earlier in the list. When you view the ACL rules for a Cisco ASA or Nexus device, SolarWinds NCM displays a warning icon to identify overlapping rules.

Finding and eliminating overlapping rules reduces the size of the rule set, making it easier to manage, and also helps you ensure that the rules achieve the intended results.

NCM detects four types of overlapping rules on Cisco ASA and Nexus devices: fully shadowed, partially shadowed, fully redundant, and partially redundant rules. Each type is described below.

When detecting overlapping rules, NCM supports both contiguous and discontiguous masks.

Fully shadowed rules

A fully shadowed rule is detected when:

  • The criteria for one rule match all of the traffic covered by a second rule that comes later in the access list.
  • The two rules apply different actions.

The second rule is fully shadowed by the first. The rules conflict, but the shadowed rule is never applied to any traffic, because every packet it would match has already been handled by the earlier rule. For example:

[Figure: FullyShadowedRule.png]

Partially shadowed rules

A partially shadowed rule is detected when:

  • The criteria for one rule match some of the traffic covered by a second rule that comes later in the access list.
  • The two rules apply different actions.

The second rule is partially shadowed by the first: it is applied only to the part of its intended traffic that the first rule does not match. For example:

[Figure: PartiallyShadowedRule.png]

In some cases, a partially shadowed rule might be intentional. For example, you might want to permit traffic from specific IP addresses, but deny all others.

Fully redundant rules

A fully redundant rule is detected when:

  • The criteria for one rule match all of the traffic covered by a second rule that comes later in the access list.
  • The two rules apply the same action.

The second rule is fully redundant because of the first. It is never applied to any traffic, and removing it does not change which traffic the access list permits or denies. For example:

[Figure: FullyRedundantRule.png]

Partially redundant rules

A partially redundant rule is detected when:

  • The criteria for one rule match some of the traffic covered by a second rule that comes later in the access list.
  • The two rules apply the same action.

The second rule is partially redundant because of the first: it is applied only to the part of its intended traffic that the first rule does not match, because the rest is already handled by the first rule with the same action. For example:

[Figure: PartiallyRedundantRule.png]
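The four overlap types above, worked through in code. This is an added example, not NCM's or Cisco's code: a small Python checker that compares each rule against every rule above it and names the overlap exactly as the page defines it (covers all traffic vs. some traffic, same action vs. different action). It assumes a simplified ASA-like syntax (`permit|deny <proto> <src> <dst> [eq <port>]`, with netmasks in which a 1 bit must match rather than wildcard masks), a constructed sample ACL, and pairwise comparison only. The bit-mask comparison works unchanged for discontiguous masks, which the last sample rule uses.

```python
"""Pairwise overlap classification for a first-match ACL (added example, not
NCM code). Masks are netmasks (1 = bit must match) and may be discontiguous."""
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY_PORT = (0, 65535)

def parse_field(text):
    """'any' or 'A.B.C.D M.M.M.M' -> (value, mask); 'any' fixes no bits."""
    if text == "any":
        return (0, 0)
    addr, netmask = text.split()
    mask = int(IPv4Address(netmask))      # e.g. 255.255.0.255 is a valid, discontiguous mask
    return (int(IPv4Address(addr)) & mask, mask)

def field_relation(a, b):
    """How address set a relates to b: 'covers', 'overlaps' or 'disjoint'."""
    (va, ma), (vb, mb) = a, b
    if (va ^ vb) & ma & mb:               # a bit fixed by both sides differs: no common packet
        return "disjoint"
    if (ma & ~mb) == 0:                   # every bit a fixes, b fixes to the same value
        return "covers"
    return "overlaps"

def range_relation(a, b):
    """Same three-way relation for inclusive (lo, hi) port ranges."""
    if a[1] < b[0] or b[1] < a[0]:
        return "disjoint"
    return "covers" if a[0] <= b[0] and b[1] <= a[1] else "overlaps"

def proto_relation(a, b):
    """'ip' matches every protocol; anything else must match exactly."""
    if a == b or a == "ip":
        return "covers"
    return "overlaps" if b == "ip" else "disjoint"

@dataclass(frozen=True)
class Rule:
    line: int
    action: str          # 'permit' or 'deny'
    proto: str           # 'ip', 'tcp', 'udp', ...
    src: tuple           # (value, mask)
    dst: tuple
    dport: tuple = ANY_PORT

def parse_rule(line_no, text):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]' (assumed, ASA-like syntax)."""
    t = text.split()
    action, proto = t.pop(0), t.pop(0)
    fields = []
    for _ in range(2):                    # source, then destination
        tok = t.pop(0)
        fields.append(parse_field(tok if tok == "any" else tok + " " + t.pop(0)))
    dport = (int(t[1]), int(t[1])) if t and t[0] == "eq" else ANY_PORT
    return Rule(line_no, action, proto, fields[0], fields[1], dport)

def rule_relation(a, b):
    """a covers b only if every field covers; one disjoint field means no overlap."""
    rels = [proto_relation(a.proto, b.proto), field_relation(a.src, b.src),
            field_relation(a.dst, b.dst), range_relation(a.dport, b.dport)]
    if "disjoint" in rels:
        return "disjoint"
    return "covers" if all(r == "covers" for r in rels) else "overlaps"

def classify(earlier, later):
    """Overlap type of `later` with respect to `earlier`, or None if they share no traffic."""
    rel = rule_relation(earlier, later)
    if rel == "disjoint":
        return None
    kind = "shadowed" if earlier.action != later.action else "redundant"
    return ("fully " if rel == "covers" else "partially ") + kind

def find_overlaps(rules):
    """Check each rule against every rule above it; returns (earlier, later, type) tuples."""
    pairs = ((early, late) for j, late in enumerate(rules) for early in rules[:j])
    return [(early.line, late.line, v) for early, late in pairs if (v := classify(early, late))]

# Constructed sample ACL (not from a real device); entries are numbered from 1.
SAMPLE_ACL = [
    "permit tcp 10.1.1.0 255.255.255.0 any eq 22",
    "deny ip 10.0.0.0 255.0.0.0 any",
    "permit tcp 10.5.0.0 255.255.0.0 any eq 443",
    "permit tcp 192.168.0.0 255.255.0.0 any eq 443",
    "permit tcp 192.168.10.0 255.255.255.0 any eq 443",
    "deny udp any 172.16.0.0 255.255.255.0",
    "deny udp 192.168.0.0 255.255.0.0 172.16.0.53 255.255.0.255 eq 53",
]

def sample_findings():
    return find_overlaps([parse_rule(i + 1, s) for i, s in enumerate(SAMPLE_ACL)])

if __name__ == "__main__":
    for earlier, later, verdict in sample_findings():
        print(f"line {later}: {verdict} (by line {earlier})")
```

Running the sample reports line 2 as partially shadowed by line 1 (the intentional "permit a few hosts, deny the rest" pattern mentioned above), line 3 as fully shadowed by line 2 (its HTTPS traffic from 10.5.0.0/16 is already denied), line 5 as fully redundant because of line 4, line 6 as partially redundant because of line 2 (UDP from 10.0.0.0/8 to that subnet is already denied), and line 7 as partially redundant because of line 6, where the discontiguous mask 255.255.0.255 selects host .53 in every 172.16.x.0/24. One caveat of this pairwise model: a later rule whose traffic is covered only by several earlier rules taken together, none of which covers it alone, is reported as partially rather than fully overlapped.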
