Understanding Resource Management

Resource management is one of the most critical aspects of administering the FWSM. Although the FWSM is a very high-performance device, its resources are finite. As contexts are added, it becomes even more imperative to understand and allocate resources appropriately, or some services may suffer.

Classes are used to specify resource limits. After the limits have been defined, they can be associated with a context or group of contexts. The FWSM will not prevent you from oversubscribing resources! This can be beneficial if you are providing firewall services for contexts that are not mission critical or where a service level agreement (SLA) does not warrant providing that degree of service.

WARNING: Resources associated with a group of contexts can be oversubscribed.

All contexts are assigned to the "default" class, which has unlimited access to the FWSM resources, unless explicitly changed. When new classes are created and options have not been defined, the undefined values are taken from the "default" class. For example, if you create a new context and configure only options for the number of Adaptive Security Device Manager (ASDM) connections, all the other parameters are inherited from the "default" class.

To create a class, use the following command in the system execution space:

FWSM(config)# class class_name

Within the class, limits can be set as a total number, using the limit-resource command with the option keyword, or as a rate per second, using the limit-resource rate command with the option keyword, for the following parameters:

• ASDM: Adaptive Security Device Manager, graphical user interface (GUI)

• Conns: The total number of connections allowed

• Fixups: The legacy name for inspection

• Hosts: The number of host entries

• IPsec: The number of Internet Protocol Security (IPsec) sessions for management

• Mac-addresses: The number of Media Access Control (MAC) address entries

• SSH: The number of Secure Shell (SSH) sessions for management

• Syslogs: The number of syslog events

• Telnet: The number of Telnet sessions for management

• Xlates: The total number of translations allowed

Now that the class has been created, it can be applied to a context using the following commands in system execution space:

FWSM(config)# context context_name
FWSM(config-ctx)# member class_name

As you begin to use the resources on the FWSM to their full potential, how those resources are allocated among classes and how contexts are associated with each class become important.
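Because the FWSM does not stop oversubscription, it helps to total what the classes commit before contexts compete for the same resource. The following Python script is an added example, not from the original text: it reads a constructed system-configuration excerpt and reports every resource whose percentage limits add up to more than 100. It assumes the `limit-resource [rate] name value%` syntax and that a class's percentage limit applies to each member context individually; the class and context names are made up.

```python
import re
from collections import defaultdict

# Constructed sample of a system-execution-space config (not from the page).
SAMPLE_CONFIG = """\
class gold
  limit-resource conns 30%
  limit-resource xlates 20%
  limit-resource ssh 5
class bronze
  limit-resource conns 20%
  limit-resource rate syslogs 10%
context custA
  member gold
context custB
  member gold
context custC
  member bronze
context custD
  member bronze
context custE
  member bronze
"""

# Percentage limits only; absolute limits such as "ssh 5" are skipped because
# the platform maximum needed to convert them is not part of this example.
LIMIT_RE = re.compile(r"limit-resource ((?:rate )?\S+) (\d+)%")

def audit_oversubscription(config_text):
    """Return {resource: total percent} for resources committed above 100%."""
    class_limits = defaultdict(dict)  # class name -> {resource: percent}
    members = defaultdict(int)        # class name -> number of member contexts
    current_class = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"class (\S+)", line):
            current_class = m.group(1)
        elif re.fullmatch(r"context \S+", line):
            current_class = None      # leaving class configuration mode
        elif m := re.fullmatch(r"member (\S+)", line):
            members[m.group(1)] += 1
        elif current_class and (m := LIMIT_RE.fullmatch(line)):
            class_limits[current_class][m.group(1)] = int(m.group(2))
    totals = defaultdict(int)
    for cls, limits in class_limits.items():
        for resource, pct in limits.items():
            totals[resource] += pct * members[cls]  # limit counted per context
    return {r: t for r, t in totals.items() if t > 100}

if __name__ == "__main__":
    print(audit_oversubscription(SAMPLE_CONFIG))
```

Contexts left in the "default" class are not counted here, so a clean result only means the explicitly limited classes fit within 100 percent.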
