16-43
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter16 Managing Firewall Access Rules
Optimizing Access Rules Automatically During Deployment
remark Do not allow Smith workstation through
deny 172.16.3.13
This example creates two rules, converting the standard rules to extended rules (to any destination). The
remarks are saved in the description field.
For more examples of ACLs in command language format, see the following:
IOS
Devices—http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_create_I
P_apply.html#wp1027258.
ASA
Devices—http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_extended.
html.
Optimizing Access Rules Automatically During Deployment
You can configure the system to optimize the access control lists (ACLs) that are created from your
access rules policies when they are deployed to specific devices or to all devices. This optimization
affects only the deployed policies, it does not make any changes to your access rules policy.
Note Optimization is not supported for ASA 9.x devices
Optimization removes redundancies and conflicts and can combine multiple entries (ACEs) into single
entries. Although the order of entries might change, the semantics of your policies are preserved; the
optimized ACL accepts or denies the same set of packets as did its unoptimized form. Following are the
basic cases where changes are made:
Ineffective ACE—Where one entry is a subset of, or equal to, another entry, the ineffective ACE is
removed. Consider the following example:
access-list acl_mdc_inside_access deny ip host 10.2.1.1 any
access-list acl_mdc_inside_access deny ip 10.2.1.0 255.255.255.0 any
The first ACE is actually a subset of the second ACE. ACL optimization will deploy only the second
entry.
Superset ACE—Where one entry is a superset of another and the order of the rules does not matter,
the redundant rule is removed. Consider the following example:
access-list acl_mdc_inside_access permit tcp any any range 110 120
access-list acl_mdc_inside_access deny tcp any any range 115
The second ACE will never be hit. ACL optimization will remove the second ACE and deploy only
the first one.