Which utility can you use to identify redundant or shadow rules?


Question:
Which utility can you use to identify redundant or shadow rules?

  • The ACL trace tool in Cisco APIC-EM.
  • The ACL analysis tool in Cisco APIC-EM.
  • The Cisco APIC-EM automation scheduler.
  • The Cisco IWAN application.

Explanation: Cisco APIC-EM supports the following policy analysis features:

+ Inspection, interrogation, and analysis of network access control policies.
+ Ability to trace application specific paths between end devices to quickly identify ACLs in use and problem areas.
+ Enables ACL change management with easy identification of conflicts and shadows -> Maybe B is the most suitable answer.

Reference: http://www.cisco.com/c/en/us/td/docs/cloud-systems-management/application-policy-infrastructure-controller-enterprise-module/1-2-x/config-guide/b_apic-em_config_guide_v_1-2-x/b_apic-em_config_guide_v_1-2-x_chapter_01000.pdf

The ACL trace tool can only help us identify which ACL on which router is blocking or allowing traffic. It cannot help identify redundant/shadow rules.

Note:

Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) is a Cisco Software Defined Networking (SDN) controller, which uses open APIs for policy-based management and security through a single controller, abstracting the network and making network services simpler. APIC-EM provides centralized automation of policy-based application profiles.

Reference: CCNA Routing and Switching Complete Study Guide

Cisco Intelligent WAN (IWAN) application simplifies the provisioning of IWAN network profiles with simple business policies. The IWAN application defines business-level preferences by application or groups of applications in terms of the preferred path for hybrid WAN links. Doing so improves the application experience over any connection and saves telecom costs by leveraging cheaper WAN links.

Shadow rules are rules that can never be matched, usually because an earlier rule in the same list already matches all of their traffic. For example, consider these two access-list statements:

access-list 100 permit ip any any
access-list 100 deny tcp host A host B

The second access-list statement would never be matched, because all traffic has already been permitted by the first statement. In this case we say that statement 1 shadows statement 2.
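As an added example (not from the question bank, and not Cisco APIC-EM's own analysis logic), here is a small Python checker that parses statements in the simple form used above and flags any statement whose traffic is already fully matched by an earlier one in the same list, distinguishing a conflict (shadowed) from a same-action duplicate (redundant). The three sample statements and the names Rule, parse_rule, covers and find_shadowed are this example's own assumptions.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "acl action proto src dst text")  # text: original line
IP_PROTOCOLS = {"tcp", "udp", "icmp"}  # traffic that the 'ip' keyword also matches

def parse_rule(line):
    """Parse 'access-list N permit|deny PROTO SRC DST' (SRC/DST: 'any' or 'host X'); no masks/ports."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported statement: {line!r}")
    rest, addrs = tokens[4:], []
    while rest:
        if rest[0] == "any":
            addrs.append("any")
            rest = rest[1:]
        elif rest[0] == "host" and len(rest) > 1:
            addrs.append(rest[1])
            rest = rest[2:]
        else:
            raise ValueError(f"unsupported address in: {line!r}")
    if len(addrs) != 2:
        raise ValueError(f"expected a source and a destination in: {line!r}")
    return Rule(tokens[1], tokens[2], tokens[3], addrs[0], addrs[1], line.strip())

def covers(wide, narrow):
    """True if every packet matched by `narrow` would also match `wide`."""
    proto_ok = wide.proto == narrow.proto or (wide.proto == "ip" and narrow.proto in IP_PROTOCOLS)
    return (wide.acl == narrow.acl and proto_ok
            and wide.src in ("any", narrow.src) and wide.dst in ("any", narrow.dst))

def find_shadowed(lines):
    """Return (kind, statement, earlier_statement) for each statement that can never match:
    'shadowed' if the covering earlier rule has the opposite action, else 'redundant'."""
    rules = [parse_rule(l) for l in lines if l.strip()]
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:  # ACLs are evaluated top-down; the first match wins
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((kind, rule.text, earlier.text))
                break
    return findings

# Constructed sample: the page's two statements, plus a third that is merely redundant
SAMPLE_ACL = [
    "access-list 100 permit ip any any",
    "access-list 100 deny tcp host A host B",
    "access-list 100 permit udp host A any",
]
```

Running find_shadowed(SAMPLE_ACL) reports the deny as shadowed by the first permit and the udp permit as redundant with it; swapping the first two statements produces no finding, since the narrower deny is then evaluated first.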

Exam with this question: CCNA v3.0 (200-125) Study Guide – Exam Dumps
