I have been tasked with cleaning up a PIX config which has been updated by multiple network admins over a number of years. Am I right in saying that if an access-list is showing a hitcnt of zero that it is not being matched and can be removed from the config. I have a number of outputs of the show access-list command taken over a month or so rather than just a one-off snapshot.
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
rationalise access-lists using show access-list hitcnt 1
- Thread starter galloshes
- Start date
-
1
- #2
galloshes, this is correct only if you are certain that a certain traffic pattern should be hitting the device at that point in time if need be. In other words if there are no hit counts there are two reasons in which the acl is not being hit, one, there is not any traffic matching the ace entry due to no traffic matches existing, or that traffic just has not hit the device at this point in time. Chances are if the pix has been up for say.....60+ days, and the acl shows no hit counts, then the ace is not being used and can be removed.
Word of caution, just take the entries you are removing and save them to a separate text file so if you need them for future reference, then simply delete the entries.
Word of caution, just take the entries you are removing and save them to a separate text file so if you need them for future reference, then simply delete the entries.
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question
- Locked
- Question