Documentation for Network Configuration Manager

Overlapping ACL rules

Cisco ASA and Nexus devices evaluate rules in order, from top to bottom. Overlapping rules occur when some or all of the traffic that would have been processed by one rule has already been processed by a previous rule. When you view ACL rules for a Cisco ASA or Nexus device, SolarWinds NCM displays a warning icon to identify overlapping rules.

Finding and eliminating overlapping rules reduces the size of the rule set, making it easier to manage, and also helps you ensure that the rules achieve the intended results.

NCM detects four types of overlapping rules on Cisco ASA and Nexus devices:

  • Fully shadowed rules
  • Partially shadowed rules
  • Fully redundant rules
  • Partially redundant rules

When detecting overlapping rules, NCM supports both contiguous and discontiguous masks.

Fully shadowed rules

A fully shadowed rule is detected when:

  • The criteria for one rule matches all of the traffic covered by a second rule.
  • The two rules apply different actions.

The second rule is fully shadowed by the first. The rules conflict, but the shadowed rule is never applied to any traffic because it comes later in the access list. For example:

Partially shadowed rules

A partially shadowed rule is detected when:

  • The criteria for one rule matches some of the traffic covered by a second rule.
  • The two rules apply different actions.

The second rule is partially shadowed by the first. It is applied to only some of the intended traffic. For example:

In some cases, a partially shadowed rule might be intentional. For example, you might want to permit traffic from specific IP addresses, but deny all others.

Fully redundant rules

A fully redundant rule is detected when:

  • The criteria for one rule matches all of the traffic covered by a second rule.
  • The two rules apply the same action.

The second rule is fully redundant because of the first. It is never applied to any traffic. For example:

Partially redundant rules

A partially redundant rule is detected when:

  • The criteria for one rule matches some of the traffic covered by a second rule.
  • The two rules apply the same action.

The second rule is partially redundant because of the first. It is applied to only some of the intended traffic. For example:
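The following script is an added example (not NCM's code) that applies the four definitions above to a pair of ACL entries. It assumes rules are compared on source and destination address only, with masks in the ASA subnet-mask convention (a 1 bit must match; a wildcard mask would be inverted first), which also handles discontiguous masks such as 255.255.0.255.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass(frozen=True)
class Rule:
    """One ACL entry (hypothetical shape). Masks: a 1 bit must match."""
    action: str      # "permit" or "deny"
    src: str         # source address
    src_mask: str    # contiguous (255.255.255.0) or discontiguous (255.255.0.255)
    dst: str
    dst_mask: str

def _ip(text: str) -> int:
    return int(IPv4Address(text))

def _covers(net1: int, mask1: int, net2: int, mask2: int) -> bool:
    """Every address matched by (net2, mask2) is also matched by (net1, mask1)."""
    # Rule 1 may only test bits that rule 2 also fixes, and must agree on those bits.
    return (mask1 & ~mask2 & 0xFFFFFFFF) == 0 and (net1 & mask1) == (net2 & mask1)

def _intersects(net1: int, mask1: int, net2: int, mask2: int) -> bool:
    """Some address is matched by both (net1, mask1) and (net2, mask2)."""
    common = mask1 & mask2  # bits both rules test must agree; other bits are free
    return (net1 & common) == (net2 & common)

def _fields(rule: Rule):
    return [(_ip(rule.src), _ip(rule.src_mask)), (_ip(rule.dst), _ip(rule.dst_mask))]

def classify(first: Rule, second: Rule) -> str:
    """Classify how `first` (earlier in the ACL) overlaps `second` (later)."""
    pairs = list(zip(_fields(first), _fields(second)))
    if not all(_intersects(n1, m1, n2, m2) for (n1, m1), (n2, m2) in pairs):
        return "no overlap"
    full = all(_covers(n1, m1, n2, m2) for (n1, m1), (n2, m2) in pairs)
    if first.action == second.action:
        return "fully redundant" if full else "partially redundant"
    return "fully shadowed" if full else "partially shadowed"

if __name__ == "__main__":
    # Constructed sample: the earlier rule's discontiguous mask matches only hosts
    # 10.0.x.0, so the later /24 deny is shadowed for one host only, i.e. partially.
    earlier = Rule("permit", "10.0.0.0", "255.255.0.255", "0.0.0.0", "0.0.0.0")
    later = Rule("deny", "10.0.5.0", "255.255.255.0", "0.0.0.0", "0.0.0.0")
    print(classify(earlier, later))  # partially shadowed
```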