Understanding Access Control Entry

Access control entries (ACEs) are the individual entries of an access list, and on the FWSM they are programmed into hardware. An access list consists of one or more ACEs. Each ACE you add to an access list is appended at the end unless you specify a line number. The order of the ACEs is very important: when a packet arrives, the FWSM checks it against the ACEs in order to determine whether the packet can pass through. If a deny-all entry is configured at the beginning of the list, all packets are denied regardless of the rest of the security policy.

Table 8-1 documents the rules for FWSM in the 3.x code release.

Table 8-1 Rules Allocation per Feature for Single and Multiple Context Modes


| Rules | Single Context Mode | Multiple Context Mode (Max Per Partition) with 12 Pools |
|---|---|---|
| AAA rules | 6451 | 992 |
| ACEs | 74,188 | 10,633 |
| established commands | 460 | 70 |
| Filter rules | 2764 | 425 |
| ICMP, Telnet, SSH1, and HTTP rules | 1843 | 283 |
| Policy NAT ACEs | 1843 | 283 |
| Inspect rules | 4147 | 1417 |
| Total rules | 92,156 | 14,173 |

*SSH = Secure Shell


In the FWSM, if the number of ACEs has reached its resource limit and you add another ACE, the addition destroys the existing ACE structure: the complete ACE structure is removed when any ACE is added after the rule capacity has been reached. For more information about resource tuning in the firewall, see Chapter 5, "Understanding Contexts."

Some quick commands to check the rules used in the FWSM are as follows:

• In single context mode or within a context, enter the following command:

hostname(config)# show np 3 acl count 0

• In multiple context mode system execution space, enter the following command:

hostname(config)# show np 3 acl count partition_number

These two commands help you understand the resource utilization of the FWSM. Understanding the utilization is important because it lets you plan future resource allotment for new rule sets. Refer to Chapter 5 for more details on resource planning.
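The two points above, first-match evaluation in ACE order and the hard ACE capacity from Table 8-1, can be checked offline before a change is pushed to the module. The following is an added example written for this page, not code from the book or from Cisco: it models an access list as an ordered list of `Ace` entries (a hypothetical structure assumed here, not an FWSM data type), evaluates a packet against it in order, flags entries that an earlier broader entry makes unreachable (the deny-all-first mistake the text warns about), and checks a proposed number of new ACEs against the Table 8-1 limits. The sample access lists and packets are constructed; the only values taken from the page are the ACE capacities.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# ACE capacity per Table 8-1 (FWSM 3.x): per context in single context mode,
# per partition (12 pools) in multiple context mode.
ACE_CAPACITY = {"single": 74_188, "multiple": 10_633}


@dataclass(frozen=True)
class Ace:
    """One access control entry (hypothetical model, not an FWSM structure)."""
    action: str                    # "permit" or "deny"
    src: str                       # source network, CIDR notation
    dst: str                       # destination network, CIDR notation
    dst_port: Optional[int] = None  # None matches any destination port

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == dst_port))


def evaluate(acl, src_ip, dst_ip, dst_port):
    """Walk the ACEs in order and return (action, index) of the first match.
    With no match the packet is dropped by the implicit deny: ("deny", None)."""
    for index, ace in enumerate(acl):
        if ace.matches(src_ip, dst_ip, dst_port):
            return ace.action, index
    return "deny", None


def shadowed_entries(acl):
    """Indexes of ACEs that can never match because an earlier ACE covers
    the same or a broader source, destination and port."""
    shadowed = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and (earlier.dst_port is None
                         or earlier.dst_port == later.dst_port)):
                shadowed.append(i)
                break
    return shadowed


def can_add_aces(current_count, new_count, mode):
    """True if current_count + new_count stays within the Table 8-1 ACE limit.
    Run this before adding entries: on the FWSM, adding an ACE past the limit
    removes the whole ACE structure rather than just rejecting the new entry."""
    return current_count + new_count <= ACE_CAPACITY[mode]


# Constructed samples: the same two entries in the wrong and the right order.
MISORDERED_ACL = [
    Ace("deny", "0.0.0.0/0", "0.0.0.0/0"),                     # deny all first
    Ace("permit", "10.1.1.0/24", "192.168.10.0/24", 443),
]
CORRECT_ACL = [
    Ace("permit", "10.1.1.0/24", "192.168.10.0/24", 443),
    Ace("deny", "0.0.0.0/0", "0.0.0.0/0"),                     # explicit deny last
]

if __name__ == "__main__":
    pkt = ("10.1.1.5", "192.168.10.20", 443)
    print("misordered:", evaluate(MISORDERED_ACL, *pkt))      # ('deny', 0)
    print("correct:   ", evaluate(CORRECT_ACL, *pkt))         # ('permit', 0)
    print("shadowed in misordered ACL:", shadowed_entries(MISORDERED_ACL))  # [1]
    print("room for 50 more ACEs at 10,600 (multiple):",
          can_add_aces(10_600, 50, "multiple"))               # False
```

`shadowed_entries` is a useful pre-commit check on any ordered access list: an index in its result means that entry will never be consulted, which for the deny-all-first case means every later permit is dead.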
