Cisco 7604 Configuration Guide - Page 247
Chapter 13 Identifying Traffic with Access Lists
Access List Group Optimization

Show the original access list configuration:

    hostname(config)# sh access-list test
    access-list test; 13 elements
    access-list test line 1 extended permit tcp host 10.1.1.6 host 10.1.1.20 eq www (hitcnt=0) 0x1d3335f6
    access-list test line 2 extended permit tcp any host 10.1.1.90 eq ssh (hitcnt=0) 0x9f0b14e0
    access-list test line 3 extended permit tcp any host 10.1.1.90 eq ftp (hitcnt=0) 0x7d023e5f
    access-list test line 4 extended permit tcp any object-group dns-servers eq domain 0xb4b0751d
    access-list test line 4 extended permit tcp any host 10.10.10.5 eq domain (hitcnt=0) 0x9664696e
    access-list test line 4 extended permit tcp any host 10.10.10.6 eq domain (hitcnt=0) 0xde9a7aec
    access-list test line 4 extended permit tcp any host 10.10.10.7 eq domain (hitcnt=0) 0x5847c29a
    access-list test line 4 extended permit tcp any host 10.10.10.8 eq domain (hitcnt=0) 0xa4246eba
    access-list test line 4 extended permit tcp any host 10.10.10.9 eq domain (hitcnt=0) 0x85fc0e4a
    access-list test line 5 extended permit udp any any eq domain (hitcnt=0) 0xbaf2384c
    access-list test line 6 extended permit tcp 10.1.1.0 255.255.255.0 any (hitcnt=0) 0xd07a176b
    access-list test line 7 extended permit icmp any any (hitcnt=0) 0xb422e9c2
    access-list test line 8 extended permit udp any any neq domain (hitcnt=0) 0x8e2ee97e
    access-list test line 9 extended permit tcp any host 10.10.10.5 (hitcnt=0) 0xaa819def

Enable access list group optimization:

    hostname(config)# access-list optimization enable
    ACL group optimization is enabled
    hostname(config)# Access Lists Optimization Complete
    Access Rules Download Complete: Memory Utilization: < 1%

Note: When optimization is enabled, rules are optimized and downloaded in the NPs. The original non-optimized rules become inactive. Any addition or deletion of a rule must be made on the original non-optimized access lists. Whenever a rule is added or deleted, the optimization process is repeated, and the message "Access Lists Optimization Complete" marks the end of the optimization process. During that processing time, some of the access list information may not be accurate until the optimization process is complete.

Show the non-optimized (original) access list again:

    hostname(config)# show access-list test
    access-list test; 13 elements
    access-list test line 1 extended permit tcp host 10.1.1.6 host 10.1.1.20 eq www (hitcnt=*) 0x1d3335f6
    access-list test line 2 extended permit tcp any host 10.1.1.90 eq ssh (hitcnt=*) 0x9f0b14e0
    access-list test line 3 extended permit tcp any host 10.1.1.90 eq ftp (hitcnt=*) 0x7d023e5f
    access-list test line 4 extended permit tcp any object-group dns-servers eq domain 0xb4b0751d
    access-list test line 4 extended permit tcp any host 10.10.10.5 eq domain (hitcnt=*) 0x9664696e
    access-list test line 4 extended permit tcp any host 10.10.10.6 eq domain (hitcnt=*) 0xde9a7aec
    access-list test line 4 extended permit tcp any host 10.10.10.7 eq domain (hitcnt=*) 0x5847c29a
    access-list test line 4 extended permit tcp any host 10.10.10.8 eq domain (hitcnt=*) 0xa4246eba
    access-list test line 4 extended permit tcp any host 10.10.10.9 eq domain (hitcnt=*) 0x85fc0e4a
    access-list test line 5 extended permit udp any any eq domain (hitcnt=*) 0xbaf2384c
    access-list test line 6 extended permit tcp 10.1.1.0 255.255.255.0 any (hitcnt=0) 0xd07a176b
    access-list test line 7 extended permit icmp any any (hitcnt=0) 0xb422e9c2
    access-list test line 8 extended permit udp any any neq domain (hitcnt=*) 0x8e2ee97e
    access-list test line 9 extended permit tcp any host 10.10.10.5 (hitcnt=0) 0xaa819def

Note: Some hit count values are shown as an asterisk '*'. An asterisk means that the rule has been merged with other rules, so its hit count cannot be accurate. Hit counts for optimized rules represent the cumulative value of all of the hit counts of the merged or removed rules. There is no way to determine the hit count for every merged or removed rule.

Show the optimized access list:

    hostname(config)# show access-list test optimization
    access-list test; 13 elements before optimization
                      7 elements after optimization
    Reduction rate = 46%

OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 13-21
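Added example, not part of the Cisco guide: a rule-usage audit that parses "show access-list" output in the format shown above and treats hitcnt=* as unknown rather than zero, so that merged rules are never reported as unused. The function name, the verdict labels and the assumption that a numeric count in the original view belongs to that rule alone are this example's own; the sample text is constructed, and its hitcnt=12 value is invented for the demonstration.

```python
import re

# Constructed sample in the page's output format (hitcnt=12 is invented for the demo).
SAMPLE = """\
access-list test; 13 elements
access-list test line 3 extended permit tcp any host 10.1.1.90 eq ftp (hitcnt=*) 0x7d023e5f
access-list test line 4 extended permit tcp any object-group dns-servers eq domain 0xb4b0751d
access-list test line 4 extended permit tcp any host 10.10.10.5 eq domain (hitcnt=*) 0x9664696e
access-list test line 4 extended permit tcp any host 10.10.10.6 eq domain (hitcnt=*) 0xde9a7aec
access-list test line 6 extended permit tcp 10.1.1.0 255.255.255.0 any (hitcnt=0) 0xd07a176b
access-list test line 9 extended permit tcp any host 10.10.10.5 (hitcnt=12) 0xaa819def
"""

# One ACE per line: ACL name, configured line number, rule text,
# optional hit counter (a number or '*'), trailing rule identifier.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rule>.+?)"
    r"(?: \(hitcnt=(?P<hit>\d+|\*)\))? (?P<id>0x[0-9a-f]+)\s*$"
)

def audit(output):
    """Map each configured line number to 'used', 'unused' or 'indeterminate'."""
    counters = {}
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        # Skip the header and object-group parent lines, which carry no counter.
        if not m or m["hit"] is None:
            continue
        counters.setdefault(int(m["line"]), []).append(m["hit"])

    verdict = {}
    for line, values in counters.items():
        if any(v != "*" and int(v) > 0 for v in values):
            verdict[line] = "used"           # a real counter recorded traffic
        elif "*" in values:
            verdict[line] = "indeterminate"  # merged by optimization: count unknown
        else:
            verdict[line] = "unused"         # every expanded ACE shows a true zero
    return verdict

if __name__ == "__main__":
    for line, state in sorted(audit(SAMPLE).items()):
        print(f"line {line}: {state}")
```

Lines reported as indeterminate need another evidence source, such as logging on the rule, before they are removed.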