Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 11 Configuring Security Manager Administrative Settings
Deployment Page
Table 11-8 Deployment Page (Continued)

Element: Enable ACL Sharing for Firewall Rules (IPv4 and IPv6 access rules.)

Description: Whether Security Manager should share a single access control list (ACL) for an access rule policy with more than one interface. If you do not select this option, Security Manager creates unique ACLs for every interface to which you apply an IPv4 or IPv6 access rule policy. The sharing of ACLs is done only for ACLs created by access rule policies.

If you select this option, Security Manager evaluates the access rules policy for each interface and deploys the minimum number required to implement your policy while preserving your ACL naming requirements. For example, if you use an interface role to assign the same rules to four interfaces, you specify Reset to CS-Manager generated names for the Firewall Access-List Names property, and you do not specify ACL names for the interfaces in the access control settings policy, only a single ACL is deployed, and each interface uses that ACL.

If you select this option, keep the following in mind:

• An interface might use an ACL that is named for a different interface.
• If you specify a name for the ACL in the access control settings policy, an ACL by that name is created even if it is otherwise identical to one used by another interface. Names specified in this policy have precedence over any other settings.
• If you select Reuse existing names for the Firewall Access-List Names property, the existing names are preserved (unless you override them in the access control settings policy). This means that you might end up with duplicate ACLs under different names if duplicate ACLs already exist on the device.
• Hit count statistics are based on ACL, not on interface, so a shared ACL provides statistics that are combined from all interfaces that share the ACL.
• Sharing ACLs is primarily beneficial for memory-constrained devices such as the FWSM.

Element: Let FWSM Decide When to Compile Access Lists (IPv4 access rules only.)

Description: Whether to have the Firewall Services Module (FWSM) automatically determine when to compile access lists. Selecting this option might increase deployment speed but traffic might be disrupted and the system might become incapable of reporting ACL compilation error messages. If you select this option, you can use the Optimize the Deployment of Access Rules For Traffic setting to mitigate potential traffic disruptions.

When deselected, Security Manager controls ACL compilation to avoid traffic interruption and to minimize peak memory usage on the device.

Caution: You should not select this option unless you are experiencing deployment problems and you are an advanced user.
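
An added example, not from the Cisco guide: a Python check over an ASA/FWSM-style configuration that reports which ACLs are bound to more than one interface (so their hit counts are combined, as noted under Enable ACL Sharing for Firewall Rules) and which differently named ACLs hold identical rules (the duplicate case noted for Reuse existing names). The configuration text, ACL names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in ASA/FWSM-style syntax; ACL names and addresses are made up.
SAMPLE_CONFIG = """\
access-list ACL_inside extended permit tcp any host 192.0.2.10 eq 443
access-list ACL_inside extended deny ip any any
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
access-list MGMT_IN extended permit tcp host 198.51.100.5 any eq 22
access-group ACL_inside in interface inside
access-group ACL_inside in interface dmz1
access-group OUTSIDE_IN in interface outside
access-group MGMT_IN in interface mgmt
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")

def parse(config):
    """Return (acls, bindings): ACL name -> ordered rules, ACL name -> interfaces."""
    acls, bindings = defaultdict(list), defaultdict(list)
    for line in map(str.strip, config.splitlines()):
        if m := GROUP_RE.match(line):
            bindings[m.group(1)].append(f"{m.group(3)}:{m.group(2)}")
        elif m := ACL_RE.match(line):
            rule = " ".join(m.group(2).split())   # normalise whitespace
            if not rule.startswith("remark"):     # remarks do not affect matching
                acls[m.group(1)].append(rule)
    return dict(acls), dict(bindings)

def shared_acls(bindings):
    """ACLs bound to more than one interface: their hit counts are combined."""
    return {n: sorted(i) for n, i in bindings.items() if len(i) > 1}

def duplicate_acls(acls):
    """Groups of differently named ACLs whose ordered rules are identical."""
    by_rules = defaultdict(list)
    for name, rules in acls.items():
        by_rules[tuple(rules)].append(name)
    return sorted(sorted(g) for g in by_rules.values() if len(g) > 1)

if __name__ == "__main__":
    acls, bindings = parse(SAMPLE_CONFIG)
    for name, ifaces in shared_acls(bindings).items():
        print(f"shared (combined hit counts): {name} -> {', '.join(ifaces)}")
    for group in duplicate_acls(acls):
        print("identical rules under different names:", ", ".join(group))
```

In the sample, `ACL_inside` is also applied to `dmz1`, which is the "ACL named for a different interface" situation, and `OUTSIDE_IN` duplicates its rules under a separately specified name.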