Cisco 7604 Configuration Manual page 249

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI

Chapter 13
Identifying Traffic with Access Lists
7 elements after optimization
Reduction rate = 46%
SUBSET rules
ADJACENT rules : 5
access-list test line 6 extended permit tcp 10.1.1.0 255.255.255.0 any (hitcnt=0) 0xd07a176b
access-list test line 7 extended permit icmp any any (hitcnt=0) 0xb422e9c2
access-list test line 8.1 extended permit udp any any lt domain (hitcnt=0) 0x00000000 [Merged to 5: ADJACENT]
access-list test line 8.2 extended permit udp any any gt domain (hitcnt=0) 0x00000000 [Merged to 5: ADJACENT]
access-list test line 9 extended permit tcp any host 10.10.10.5 (hitcnt=0) 0xaa819def
To show the currently running optimized access list:
hostname(config)# show running-config access-list test optimization
access-list test extended permit tcp any host 10.1.1.90 range ftp ssh
access-list test extended permit tcp any 10.10.10.6 255.255.255.254 eq domain
access-list test extended permit tcp any 10.10.10.8 255.255.255.254 eq domain
access-list test extended permit udp any any
access-list test extended permit tcp 10.1.1.0 255.255.255.0 any
access-list test extended permit icmp any any
access-list test extended permit tcp any host 10.10.10.5
To replace original access lists with the optimized ones:
hostname(config)# copy optimized-running-config running-config
Destination filename [running-config]?
hostname(config)#
Access Lists Optimization Complete
Access Rules Download Complete: Memory Utilization: < 1%
Note
Having access list optimization enabled at all times could be a waste of computational and memory
resources. If you are satisfied with how the optimized access lists are merged, the original access lists
can be replaced with the optimized ones. Note that this action will wipe out all of the original access
lists. After copying the optimized access lists, the user may want to disable access list optimization
because the newly copied optimized access lists may not be further optimized.
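Before the optimized list is copied over the originals, the merge can be checked offline. The following is an added example, not part of the Cisco guide and not the FWSM's own algorithm: it parses ACEs in the running-config form shown above (tcp/udp/icmp, any/host/address-mask, eq/lt/gt/range only), evaluates both lists first-match with the implicit deny, and returns every probe packet at a rule boundary that the two lists treat differently. The sample rules and all function names are constructed for illustration.

```python
import ipaddress
from itertools import product

PORTS = {"ftp": 21, "ssh": 22, "domain": 53}  # only the port names used on this page

def _net(toks):  # consume 'any' | 'host A' | 'A MASK' and return an IPv4 network
    t = toks.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = (toks.pop(0), "255.255.255.255") if t == "host" else (t, toks.pop(0))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [OP PORT [PORT]]'."""
    toks = line.split()[3:]
    action, proto, src, dst = toks.pop(0), toks.pop(0), _net(toks), _net(toks)
    lo, hi = 0, 65535
    if toks:
        p, q = (PORTS.get(t) or int(t) for t in (toks[1], toks[-1]))
        lo, hi = {"eq": (p, p), "lt": (0, p - 1), "gt": (p + 1, 65535), "range": (p, q)}[toks[0]]
    return action, proto, src, dst, lo, hi

def verdict(acl, proto, src, dst, port):
    """First-match evaluation; an access list ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, lo, hi in acl:
        if p == proto and s in sn and d in dn and lo <= port <= hi:
            return action
    return "deny"

def differences(original, optimized):
    """Probe a packet wherever any rule's match starts or stops; return mismatches."""
    rules = original + optimized
    def edges(i):  # addresses where some rule's network begins, or the first one past it
        pts = {0} | {int(r[i][0]) for r in rules} | {int(r[i][-1]) + 1 for r in rules}
        return sorted(p for p in pts if p < 2**32)
    ports = sorted({0} | {r[4] for r in rules} | {r[5] + 1 for r in rules if r[5] < 65535})
    protos = sorted({r[1] for r in rules})
    return [pkt for pkt in product(protos, edges(2), edges(3), ports)
            if verdict(original, *pkt) != verdict(optimized, *pkt)]

ORIGINAL = [parse_ace(l) for l in (  # constructed sample input, not from the guide
    "access-list test extended permit udp any any lt domain",
    "access-list test extended permit udp any any eq domain",
    "access-list test extended permit udp any any gt domain",
    "access-list test extended permit tcp any host 10.10.10.5")]
OPTIMIZED = [parse_ace(l) for l in (
    "access-list test extended permit udp any any",
    "access-list test extended permit tcp any host 10.10.10.5")]
```

An empty result from `differences(ORIGINAL, OPTIMIZED)` means no probe packet changed verdict; each returned tuple is `(protocol, source, destination, port)` with addresses as integers.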
To disable the access list group optimization:
hostname(config)# no access-list optimization enable
Disabling ACL optimization will cause ACL rules get increased.
The non optimized rules might be more than the partition rule max
and might cause memory exhaustion to lose partial or all the
access-list configuration after disabling the optimization.
Please save a copy of your current optimized access-list config
before committing this command.
Continue ? [Y]es/[N]o:
ACL group optimization is disabled
hostname(config)# Access Rules Download Complete: Memory Utilization: < 1%
hostname(config)#
Note
When disabling access list optimization, be aware that the number of the original non-optimized rules
(which is often larger than the number of optimized rules) may exceed the memory available to store
them. This will cause some rules to be deleted. Thus, it is considered a good practice to back up the
original configuration before proceeding with disabling access list group optimization.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
: 2
Access List Group Optimization
13-23
