10-7
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 10 Controlling Network Access with Access Control Lists
Access Control List Overview
Large ACLs of approximately 60K ACEs can take 3 to 4 minutes to commit, depending on the size.
To manually commit ACLs, see the “Manually Committing Access Control Lists and Rules” section on page 10-24.
For information about exceeding memory limits, see the “Maximum Number of ACEs” section.
Maximum Number of ACEs
The FWSM supports a maximum of 80K rules for the entire system in single mode, and 142K rules for multiple mode. Rules include ACEs, ACEs used for policy NAT, filters, AAA, ICMP, Telnet, SSH, HTTP, and established rules. See the “Rule Limits” section on page A-5 for the limits for each rule type.
Some ACLs use more memory than others; these include ACLs that use large port number ranges or overlapping networks (for example, one ACE specifies 10.0.0.0/8 and another specifies 10.1.1.0/24). Depending on the type of ACL, the actual limit the system can support will be less than 80K (single mode) or 142K (multiple mode).
If you use object groups in ACEs, the number of actual ACEs that you enter is fewer, but the number of expanded ACEs is the same as without object groups, and expanded ACEs count towards the system limit. To view the number of expanded ACEs in an ACL, enter the show access-list acl_name command.
When you add an ACE, and the FWSM compiles the ACL, the console displays the memory used in a message similar to the following:
Access Rules Download Complete: Memory Utilization: < 1%
If you exceed the memory limitations, you receive an error message and a system message (106024), and all the ACLs that were added in this compilation are removed from the configuration. Only the set of ACLs that were successfully committed in the previous commitment are used. For example, if you paste 1,000 ACEs at the prompt, and the last ACE exceeds the memory limitations, all 1,000 ACEs are rejected.
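The object-group expansion and the all-or-nothing commit described above, as an added Python example (not code from this guide or from the FWSM itself); the object-group names, their members, and the ACE batch are constructed, and the rule limits are the ones stated in this section:

```python
# Added example, not code from the Cisco guide or the FWSM. It models two things the
# guide describes: an ACE that references object groups expands to one ACE per member
# combination (and the expanded ACEs are what count against the system limit), and a
# compilation that exceeds the limit is rejected as a whole. All group names and members
# below are constructed; the limits are the ones the guide states.
from itertools import product

SINGLE_MODE_LIMIT = 80_000     # rules system-wide, single context mode
MULTIPLE_MODE_LIMIT = 142_000  # rules system-wide, multiple context mode

# Constructed object groups: group name -> members.
NETWORK_GROUPS = {
    "CORP_NETS": ["10.0.0.0/8", "172.16.0.0/12"],
    "DMZ_WEB": ["10.1.1.10", "10.1.1.11", "10.1.1.12"],
}
SERVICE_GROUPS = {
    "WEB_PORTS": ["tcp/80", "tcp/443", "tcp/8443"],
}

def members(name, table):
    """Members of an object group; a literal host, network or port is its own single member."""
    return table.get(name, [name])

def expand(ace):
    """Expand one (action, src, dst, svc) ACE into the ACEs the FWSM actually compiles."""
    action, src, dst, svc = ace
    for s, d, p in product(members(src, NETWORK_GROUPS), members(dst, NETWORK_GROUPS),
                           members(svc, SERVICE_GROUPS)):
        yield (action, s, d, p)

def expanded_count(acl):
    """The expanded ACE count that 'show access-list' would report for a list of ACEs."""
    return sum(1 for ace in acl for _ in expand(ace))

def commit(batch, committed_rules, limit=SINGLE_MODE_LIMIT):
    """All-or-nothing commit: if this compilation would exceed the limit, every ACE in it
    is rejected and the previously committed rule count stays in force.
    Returns (rules_in_force, accepted)."""
    needed = expanded_count(batch)
    if committed_rules + needed > limit:
        return committed_rules, False
    return committed_rules + needed, True

if __name__ == "__main__":
    acl = [("permit", "CORP_NETS", "DMZ_WEB", "WEB_PORTS"),  # 2 x 3 x 3 = 18 expanded
           ("permit", "any", "DMZ_WEB", "tcp/22")]           # 1 x 3 x 1 = 3 expanded
    print("entered ACEs:", len(acl), "expanded ACEs:", expanded_count(acl))
    print(commit(acl, committed_rules=SINGLE_MODE_LIMIT - 10))  # (79990, False): batch rejected
```

Running the check against your own object groups before pasting a large batch shows whether the whole compilation would be rolled back, which the FWSM only tells you after the fact.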
IP Addresses Used for Access Control Lists When You Use NAT
When you use NAT, the IP addresses you specify for an ACL depend on the interface to which the ACL is attached; you need to use addresses that are valid on the network connected to the interface. This guideline applies for both inbound and outbound ACLs: the direction does not determine the address used, only the interface does.