Cisco 7604 Configuration Guide - Page 246
Configuring Access List Group Optimization
Chapter 13 Identifying Traffic with Access Lists
Access List Group Optimization

(continued from the preceding page)
access-list test extended deny tcp any any range 80 130 log disable [rule y]

• Logging syslog levels / time-range / inactive: Any rule that has a log level, a time-range, or the inactive keyword defined cannot be merged with any other rule. Such a rule can also act as a blocking rule, so rules on either side of it are not merged across it.

Before optimization:
access-list test extended permit tcp any any range 50 100 [rule x]
access-list test extended permit tcp any any range 80 130 log critical [rule y]
access-list test extended permit tcp any any range 60 120 [rule z]

After optimization:
access-list test extended permit tcp any any range 50 100 [rule x]
access-list test extended permit tcp any any range 80 130 log critical [rule y]
access-list test extended permit tcp any any range 60 120 [rule z]

Note Access list optimization applies to static extended access lists only. Dynamic access lists are not optimized. In addition, when an access list is bound to AAA, policy NAT, or fixup modules, two copies of the rules coexist in the system: an optimized copy, which is used if the access list is attached to an access group, and the original non-optimized copy, which is used for AAA, policy NAT, and fixups. When you audit an access list, check the copy that the consuming feature actually uses.

Configuring Access List Group Optimization

To configure access list group optimization, perform the following steps:

Step 1 To enable access list group optimization, enter the following command:
hostname(config)# access-list optimization enable
To disable access list group optimization, use the no form of the command.

Step 2 To show the optimized access list information, enter the following command:
hostname(config)# show access-list [id] [optimization [detail] [range low high]]
The id argument identifies a specific access list. The detail keyword shows detailed optimization information. The range keyword limits the output to the access list entries between the low and high positions that you specify.

Step 3 To copy the optimized running configuration to a designated location, enter the following command:
hostname(config)# copy optimized-running-config [url | running-config | startup-config | system]
The url argument specifies the source or destination file to be copied (disk:, ftp:, or tftp:).

Note The copy optimized-running-config command overwrites the running configuration, and if you then save the configuration, the object-group access list lines may be lost from the running config. Because an optimized configuration usually contains more regular ACEs than object-group ACEs, this operation can increase the size of the running configuration. With a large number of access lists in a configuration, the resulting configuration file can exceed 3 MB. Therefore, use this command only when you are sure that you will not exceed the startup configuration size limit.

The following is an example of an optimized access list configuration.

13-20 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01
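The merge and blocking behaviour described in the rule list above can be checked offline before enabling optimization on a device. The following Python is an added illustration, not Cisco code and not the FWSM's actual algorithm (which this page does not document): it models only the rule the page states, namely that an ACE carrying a log level, a time-range, or inactive is never merged and blocks merging across it, plus the assumption that only adjacent ACEs with the same action, protocol, source, and destination and overlapping or abutting port ranges are merged. Treating every log keyword, including log disable, as non-mergeable is also an assumption of this model. The ACE lines in the script are the page's own rules x, y, and z plus constructed variants.

```python
"""Simplified model of access list group optimization merge rules.

Added illustration, not Cisco code. Assumptions: only adjacent ACEs with the
same name, action, protocol, source and destination and overlapping or
abutting port ranges are merged; any ACE carrying log, time-range or
inactive is never merged and blocks merging across it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|\S+ \S+) (?P<dst>any|\S+ \S+)"
    r"(?: range (?P<lo>\d+) (?P<hi>\d+))?"
    r"(?P<opts>.*)$"
)
# Keywords that make an ACE non-mergeable and a blocking rule. Treating every
# "log" keyword (including "log disable") as blocking is an assumption here.
BLOCKING_KEYWORDS = ("log", "time-range", "inactive")


@dataclass
class Ace:
    name: str
    action: str
    proto: str
    src: str
    dst: str
    lo: Optional[int]   # low port of the range, None if no range keyword
    hi: Optional[int]
    opts: str           # trailing keywords, e.g. " log critical"
    raw: str            # cleaned original line, used when not rewritten

    @property
    def blocking(self) -> bool:
        return any(k in self.opts.split() for k in BLOCKING_KEYWORDS)

    @property
    def mergeable(self) -> bool:
        return self.lo is not None and not self.blocking

    def same_tuple(self, other: "Ace") -> bool:
        return (self.name, self.action, self.proto, self.src, self.dst) == \
               (other.name, other.action, other.proto, other.src, other.dst)

    def render(self) -> str:
        if self.lo is None:
            return self.raw
        return (f"access-list {self.name} extended {self.action} {self.proto} "
                f"{self.src} {self.dst} range {self.lo} {self.hi}{self.opts}")


def parse_ace(line: str) -> Ace:
    """Parse one ACE line; the '[rule x]' annotations used on the page are dropped."""
    clean = re.sub(r"\s*\[rule \w+\]\s*$", "", line.strip())
    m = ACE_RE.match(clean)
    if not m:
        raise ValueError(f"unrecognised ACE: {line!r}")
    lo = int(m["lo"]) if m["lo"] else None
    hi = int(m["hi"]) if m["hi"] else None
    return Ace(m["name"], m["action"], m["proto"], m["src"], m["dst"],
               lo, hi, m["opts"].rstrip(), clean)


def optimize(lines: List[str]) -> List[str]:
    """Merge adjacent compatible port-range ACEs; blocking ACEs stop the run."""
    out: List[Ace] = []
    for line in lines:
        ace = parse_ace(line)
        if out:
            last = out[-1]
            # A blocking ACE is never 'last.mergeable', so nothing merges across it.
            if (ace.mergeable and last.mergeable and ace.same_tuple(last)
                    and ace.lo <= last.hi + 1 and ace.hi >= last.lo - 1):
                last.lo = min(last.lo, ace.lo)
                last.hi = max(last.hi, ace.hi)
                continue
        out.append(ace)
    return [a.render() for a in out]


# The page's rules x, y and z: y carries a log level, so nothing merges.
PAGE_EXAMPLE = [
    "access-list test extended permit tcp any any range 50 100 [rule x]",
    "access-list test extended permit tcp any any range 80 130 log critical [rule y]",
    "access-list test extended permit tcp any any range 60 120 [rule z]",
]
# Constructed variant: same rules with the log level removed from y.
NO_LOG_EXAMPLE = [
    "access-list test extended permit tcp any any range 50 100",
    "access-list test extended permit tcp any any range 80 130",
    "access-list test extended permit tcp any any range 60 120",
]

if __name__ == "__main__":
    for title, acl in (("page example", PAGE_EXAMPLE), ("no log level", NO_LOG_EXAMPLE)):
        print(f"--- {title} ---")
        for ace in optimize(acl):
            print(ace)
```

Run against the page's example, the three rules come back unchanged because rule y's log critical blocks the merge; with the log level removed, the three overlapping permit ranges collapse into a single range 50 130 entry. Swapping y for a deny with no log level also yields three unmerged rules, since the model does not reorder across a different action.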