Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 5 Managing Security Contexts
Configuring Resource Management
ACL Memory Partitions Overview
With ACL memory partitions, you can maximize the available ACL memory in the network processor
when you create security contexts. The default ACL memory is divided into 12 partitions and an
additional backup partition. In addition to these partitions, there is one partition and a backup partition
for downloadable ACLs. The default behavior is that when you create a security context, it is associated
with an ACL partition chosen in a round-robin fashion. All of the access lists created in the context get
programmed into the associated partition. This behavior results in an inefficient allocation of available
ACL memory. The default ACL memory allocation scheme results in the following inefficiencies:
• Fewer contexts than the default number of partitions – When you have fewer contexts than partitions, some partitions are never used, so the usable memory is less than the available memory.
• More contexts than the default number of partitions – When there are more contexts than partitions, several contexts share one partition, and configuration changes made by one user can affect the other users sharing that partition.
• No guaranteed resources for business-class customers – All users or customers are treated equally, with no way to prioritize one over another.
Configuring ACL Memory Partitions
Beginning with FWSM software release 2.3, you can configure the number of partitions to maximize
ACL memory usage. This feature allows you to eliminate the inefficiencies of the default ACL memory
allocation scheme.
There are two parts to configuring ACL memory partitions: partitioning the ACL memory using the
resource acl-partition command and mapping a context to a partition using the allocate-acl-partition
command.
To partition the ACL memory, enter this command:
fwsm(config)# resource acl-partition number-of-partitions
The no form of this command will cause ACL memory to be partitioned into the default number of
partitions (12).
The following caveats apply to this command:
• You must reboot the module before the change takes effect. In a failover setup, you must reboot both modules at the same time, which results in network downtime.
• The resource acl-partition <X> command does not take effect until you enter a write mem command and reboot the module; a reload without write mem discards the change.
• If you are using a failover configuration, use these recommended command sequences:
On the active module:
resource acl-partition X
write mem
reload
On the redundant module:
reload
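The following is an added example of the complete repartitioning procedure on a failover pair, followed by mapping a new context to a partition. It is not from the guide; the partition count (4), the context name (customerA) and the argument form of allocate-acl-partition (a partition number in context configuration mode) are assumptions, since the guide names that command but does not show its syntax.

```text
! Added example (not part of the guide): repartition ACL memory on a
! failover pair, then pin a new context to a specific partition.

! --- On the active module ---
fwsm(config)# resource acl-partition 4     ! 4 partitions instead of the default 12 (assumed value)
fwsm(config)# exit
fwsm# write mem                            ! required: the new partition count is read only at boot
fwsm# reload                               ! both modules reboot together; expect an outage

! --- On the redundant (standby) module, at the same time ---
fwsm# reload

! --- After both modules are back up: map a context to a partition ---
! (argument form assumed; the guide does not show the syntax)
fwsm(config)# context customerA
fwsm(config-ctx)# allocate-acl-partition 0
fwsm(config-ctx)# exit

! --- To return to the default of 12 partitions (also needs write mem + reload) ---
fwsm(config)# no resource acl-partition
```

Check the running configuration before the reload to confirm the resource acl-partition line is present, and verify after the reboot that the contexts land in the partitions you assigned rather than in round-robin order; if write mem was skipped, the module comes back with the previous partition count.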