Access List Group Optimization
Note: Access list optimization is relevant to static extended access lists only. Dynamic access lists are not optimized. In addition, when an access list is bound to AAA, policy NAT, and fixup modules, two copies of the rules coexist in the system: an optimized copy that is used when the access list is attached to an access group, and the original non-optimized copy that is used for AAA, policy NAT, and fixups.
Configuring Access List Group Optimization
To configure access list group optimization, perform the following steps:

Step 1 To enable access list group optimization, use the following command:

hostname(config)# access-list optimization enable

To disable access list group optimization, use the no form of the command.

Step 2 To show the optimized access list information, use the following command:

hostname(config)# show access-list [id] [optimization [detail] [range low high]]

The argument id identifies the specific access list. The detail keyword shows the optimization detail information. The range keyword lets you specify the low and high access list range arguments.

Step 3 To copy the optimized running configuration to a designated location, use the following command:

hostname(config)# copy optimized-running-config [url | running-config | startup-config | system]

The argument url specifies the source or destination file to be copied (disk:, ftp:, or tftp:).
Note: The copy optimized-running-config command overwrites the running configuration, and if you save the configuration, the object-group access list lines may be lost from the running config. Since optimized configurations usually contain more regular ACEs than object-group ACEs, this operation can increase the running configuration size. With a large number of access lists in a configuration, this operation can produce configuration files larger than 3 MB. Therefore, use this command only when you are sure that you will not exceed the startup configuration size limit.
The following is an example of an optimized access list configuration.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
13-20
access-list test extended deny tcp any any range 80 130 log disable [rule y]

• Logging syslog levels / time-range / inactive—Any rule with a log level, time-range or inactive defined cannot be merged with any other rules. It can also act as a blocking rule.
Before optimization:
access-list test extended permit tcp any any range 50 100 [rule x]
access-list test extended permit tcp any any range 80 130 log critical [rule y]
access-list test extended permit tcp any any range 60 120 [rule z]
After optimization:
access-list test extended permit tcp any any range 50 100 [rule x]
access-list test extended permit tcp any any range 80 130 log critical [rule y]
access-list test extended permit tcp any any range 60 120 [rule z]
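As an added illustration (not from the configuration guide), the following Python model applies the merge constraint described above to the before/after example: consecutive rules with the same action and protocol and overlapping or adjacent port ranges are merged, while any rule carrying log, time-range or inactive is left untouched and blocks merging across it. It is a simplified model of that constraint, not the FWSM's optimizer, and it accepts only the "any any range" ACE form used in the example.

```python
import re
from dataclasses import dataclass

# Simplified ACE grammar: only the "any any range lo hi [attrs]" form of the example.
ACE_RE = re.compile(
    r"access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"any any range (?P<lo>\d+) (?P<hi>\d+)(?P<attrs>.*)$"
)
BLOCKING_KEYWORDS = ("log", "time-range", "inactive")


@dataclass
class Ace:
    name: str
    action: str
    proto: str
    lo: int
    hi: int
    attrs: str  # trailing keywords such as "log critical", or ""

    def blocking(self) -> bool:
        # A rule with a log level, time-range or inactive keyword is never merged
        # and also prevents the rules around it from being merged across it.
        return any(k in self.attrs.split() for k in BLOCKING_KEYWORDS)

    def render(self) -> str:
        base = (f"access-list {self.name} extended {self.action} {self.proto} "
                f"any any range {self.lo} {self.hi}")
        return f"{base} {self.attrs}" if self.attrs else base


def parse(line: str) -> Ace:
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE (model handles 'any any range' only): {line}")
    return Ace(m["name"], m["action"], m["proto"], int(m["lo"]), int(m["hi"]), m["attrs"].strip())


def optimize(lines):
    """Merge consecutive same-action/protocol port-range rules when neither is blocking;
    a blocking rule is emitted unchanged and closes the current merge group."""
    out = []
    for ace in map(parse, lines):
        prev = out[-1] if out else None
        mergeable = (prev is not None and not prev.blocking() and not ace.blocking()
                     and (prev.action, prev.proto) == (ace.action, ace.proto)
                     and ace.lo <= prev.hi + 1 and prev.lo <= ace.hi + 1)
        if mergeable:
            prev.lo, prev.hi = min(prev.lo, ace.lo), max(prev.hi, ace.hi)
        else:
            out.append(ace)
    return [a.render() for a in out]
```

With "log critical" on rule y the three rules come back unchanged, exactly as in the "after optimization" listing; drop the log keyword and the same three rules collapse into a single permit for ports 50 through 130.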
Chapter 13
Identifying Traffic with Access Lists
OL-20748-01