How ACE's are counted on an FWSM

Unanswered Question
Sep 9th, 2009

Hello. We've recently outsourced a large IT project to a very well known solutions provider. The infrastructure is being hosted at their facility, with about 40 servers, segregated into different security zones using an FWSM in a 6500 (our original design). We've recently come to discover that the FWSM, which we bought and which is being used only for us, has over 41,000 rules on it already.

After being able to look at the rule base, we've noticed a lot of very strange things. There are approx. 20 domain controllers scattered around various parts of our network, each needing to get out on the network on the exact same ports. But what we've noticed is that they've created a separate rule (ACL) for every server and every port that is needed. This alone translates to somewhere in the neighborhood of 18,000 rules.

Would it not have made sense to use an object group (I'm not an FWSM expert; we assumed the solution provider was) in order to cut down on the number of ACLs, or would it still somehow add up to the same number? We are already almost halfway through the allowed number of rules on the FWSM.

Any info would be much appreciated.

Kureli Sankar Wed, 09/09/2009 - 04:46

Whether you use individual lines or use object-groups, it will all tree down and contribute to the total ACE count.

sh np 3 acl count

is a good command and will provide a lot of data. You can add a line and remove a line and watch what the above output shows.

There are two limits that an FWSM can hit.

One is the total ACL count and the other is the total node count. Each ACE may take two nodes or sometimes even more.

Re-partitioning the ACL space and reducing the number of partitions will increase the number of ACEs that you can have per partition. This will not double it, as we have to allocate an area known as the backup area, which is as big as the biggest partition in 4.0, or like any other partition in 3.x and earlier, so it will certainly increase but not exactly double.

hostname(config)# resource acl-partition 4

This configuration command leads to repartitioning of ACL memory. It will not take effect unless you save the configuration to the startup configuration and reboot.

Changing the number of partitions requires you to reload the FWSM. If you are using failover, you must also reload the other failover unit because the memory partitions must match on both units.

Traffic loss can occur because both units are down at the same time.

Good luck.

poulid Wed, 09/09/2009 - 05:09

Thanks for the response. One thing I'm having trouble wrapping my head around is how we can be using 41,000 rules in an environment that only has 40 servers.

One obvious problem I can see is that only two domain controllers actually exist at the provider's location, but they have rules to and from all of them. For example, DC1 --> DC2 on x ports, but neither of these DCs even exists at that location. Apparently someone just got the list of DCs and entered the same rules for each DC. This accounts for at least 5,000 rules that I can count so far.

Kureli Sankar Sat, 09/12/2009 - 14:26

If you have a simple ACL like the one below

access-list test permit ip host

then it will only take two nodes' space, counted as just one ACE. At the same time, if you have an object group for the source with 5 or 6 hosts and another object group for the destination with 5 or 6 hosts and allow only TCP ports (maybe 10-20), this will tree down to many ACEs.

If you have a lab setup you are welcome to issue a clear config access-list to remove all the access-lists, then add them back one by one and look at the sh np 3 acl count.

Also, if you issue "sh run access-list" and see ACEs with zero hitcounts, you should try to remove them.
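To make the "tree down" arithmetic concrete, here is a small estimator written for this page (example code, not from the thread, from Cisco, or from FWSM output). It expands a simplified access-list line into individual ACEs using only the rule the answers state: every source x destination x port combination an object-group references becomes its own ACE. The object-group names, addresses and ports are constructed sample values, and the parser only understands the host, object-group, eq and any forms.

```python
"""Estimate how an FWSM 'trees down' an access-list line into ACEs.
Added example for this thread, not FWSM code or output: the only rule it
applies is the one stated in the answers, that every source x destination
x port combination an object-group references becomes its own ACE.  The
group names, addresses and ports below are constructed sample values."""
from itertools import product

# Constructed object-group definitions (as 'object-group network/service').
NETWORK_GROUPS = {
    "DC-SERVERS": ["10.1.1.10", "10.1.1.11", "10.1.1.12"],  # 3 sample DCs
    "DNS-TARGETS": ["10.2.2.53", "10.2.2.54"],              # 2 destinations
}
SERVICE_GROUPS = {
    "AD-PORTS": ["53", "88", "135", "389", "445", "636"],  # 6 sample ports
}

def _operand(tokens, i, groups):
    """Consume one source/destination/port operand starting at tokens[i].
    Returns (member list, index of the next token)."""
    if tokens[i] in ("host", "eq"):            # single host or single port
        return [tokens[i + 1]], i + 2
    if tokens[i] == "object-group":            # expand the named group
        return list(groups[tokens[i + 1]]), i + 2
    return [tokens[i]], i + 1                  # 'any'

def expand(line):
    """Return every (src, dst, port) tuple a simplified access-list line of
    the form 'access-list NAME permit PROTO SRC DST [PORT]' expands to."""
    t = line.split()
    src, i = _operand(t, 4, NETWORK_GROUPS)
    dst, i = _operand(t, i, NETWORK_GROUPS)
    ports = _operand(t, i, SERVICE_GROUPS)[0] if i < len(t) else ["any"]
    return list(product(src, dst, ports))

def ace_count(lines):
    """Total ACE count for a list of access-list lines."""
    return sum(len(expand(line)) for line in lines)

# One line using object-groups versus one line per host and per port:
# both consume the same number of ACEs, which is the point of the thread.
GROUPED = ["access-list dc permit tcp object-group DC-SERVERS "
           "object-group DNS-TARGETS object-group AD-PORTS"]
PER_HOST_AND_PORT = [
    f"access-list dc permit tcp host {h} object-group DNS-TARGETS eq {p}"
    for h in NETWORK_GROUPS["DC-SERVERS"] for p in SERVICE_GROUPS["AD-PORTS"]]

if __name__ == "__main__":
    print(ace_count(GROUPED), ace_count(PER_HOST_AND_PORT))  # 36 36
```

Growing the sample groups toward the 20 domain controllers and full port list from the question shows how a few lines reach the thousands of ACEs reported, and a host-to-host line with no port operand stays at one ACE as the answer says.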
