09-09-2009 04:23 AM - edited 03-11-2019 09:13 AM
Hello. We've recently outsourced a large IT project to a very well known solutions provider. The infrastructure is being hosted at their facility, with about 40 servers, segregated into different security zones using an FWSM in a 6500 (our original design). We've recently come to discover that the FWSM, which we bought and is being used only for us, has over 41,000 rules on it already.
After being able to look at the rule base, we've noticed a lot of very strange things. There are approx 20 domain controllers scattered around various parts of our network, each needing to get out on the network on the exact same ports. But what we've noticed is that what they've done is create a separate rule (ACL) for every server and every port that is needed. This alone translates to somewhere in the neighborhood of 18,000 rules.
Would it not have made sense to use an object group (I'm not an FWSM expert; we assumed the solution provider was) in order to cut down on the number of ACLs, or would it still somehow add up to the same number? We are already almost halfway through the allowed number of rules on the FWSM.
Any info would be much appreciated.
09-09-2009 04:46 AM
Whether you use individual lines or object-groups, it will all tree down and contribute to the total ACE count.
sh np 3 acl count
is a good command and will provide a lot of data. You can add a line and remove a line and watch what the above output shows.
There are two limits that an FWSM can hit.
One is the total ACL count and the other is the total node count. Each ACE may take two nodes, or sometimes even more.
Re-partitioning the ACL space and reducing the number of partitions will increase the number of ACEs that you can have per partition. This will not double it, as we have to allocate an area known as the backup area, which is as big as the biggest partition in 4.0, or like any other partition in 3.x and earlier. So it will certainly increase, but not exactly double.
http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/command/reference/qr.html#wp1622931
hostname(config)# resource acl-partition 4
This configuration command leads to repartitioning of ACL memory. It will not take effect unless you save the configuration to the startup configuration and reboot.
Changing the number of partitions requires you to reload the FWSM. If you are using failover, you must also reload the other failover unit, because the memory partitions must match on both units. Traffic loss can occur because both units are down at the same time.
Good luck.
09-09-2009 05:09 AM
Thanks for the response. One thing I'm having trouble wrapping my head around is how we can be using 41,000 rules in an environment that only has 40 servers.
One obvious problem I can see is that only two domain controllers actually exist at the provider's location, but they have rules to and from all of them. For example, DC1 --> DC2 on x ports, but neither of these DCs even exists at that location. Apparently someone just got the list of DCs and entered the same rules for each DC. This accounts for at least 5000 rules that I can count so far.
09-12-2009 02:26 PM
If you have a simple ACL like the one below:
access-list test permit ip host 10.10.10.1 192.168.1.1
then it will only take two nodes of space, counted as just one ACE. At the same time, if you have an object group for the source with 5 or 6 hosts, another object group for the destination with 5 or 6 hosts, and allow only some TCP ports (maybe 10-20), this will tree down to many ACEs.
If you have a lab setup, you are welcome to issue a clear config access-list to remove all the access-lists, then add them back one by one and look at the sh np 3 acl count output.
Also, if you issue "sh run access-list" and see ACEs with zero hitcounts, you should try to remove them.
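To make the point of the replies above concrete (object-groups shrink the configuration but not the compiled ACE count, and zero-hitcount ACEs are candidates for removal), here is an added Python example that is not part of the thread and not Cisco code. It builds a constructed FWSM-style configuration for the scenario the original poster describes (20 domain controllers, the same handful of TCP ports) in two forms, one access-list line with object-groups and 120 explicit per-host/per-port lines, and expands both the way the FWSM does: every (source, destination, port) combination becomes its own ACE. The expansion model is simplified (no source ports, a port range counts as one entry, no nested group-object lines, no node accounting); the real figures always come from sh np 3 acl count on the device. The sample show access-list output at the end is also constructed.

```python
"""Estimate how many ACEs an FWSM compiles from an access-list.

Added example, not from the thread. The configurations and the
'show access-list' output below are constructed; the expansion model
is simplified (no source ports, one entry per port range, no nested
group-object members).
"""
import re
from itertools import product

def parse_object_groups(config):
    """Map object-group name -> list of member lines (network or service)."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r'object-group (?:network|service) (\S+)', line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current and line.startswith(('network-object', 'port-object')):
            groups[current].append(line)
        elif line.startswith('access-list'):
            current = None
    return groups

def _addr_members(tokens, groups):
    """Consume one address spec (host X | object-group G | any | net mask)."""
    if tokens[0] == 'any':
        return ['any'], tokens[1:]
    if tokens[0] == 'host':
        return [tokens[1]], tokens[2:]
    if tokens[0] == 'object-group':
        return list(groups[tokens[1]]), tokens[2:]
    return [f'{tokens[0]} {tokens[1]}'], tokens[2:]  # network + mask

def _port_members(tokens, groups):
    """Destination port spec; absent means one ACE for all ports."""
    if not tokens:
        return ['any-port']
    if tokens[0] == 'eq':
        return [tokens[1]]
    if tokens[0] == 'range':
        return [f'{tokens[1]}-{tokens[2]}']  # simplification: one entry
    if tokens[0] == 'object-group':
        return list(groups[tokens[1]])
    raise ValueError(f'unsupported port spec: {tokens}')

def expand_acl(config):
    """Expand every access-list line into (proto, src, dst, port) tuples,
    i.e. the ACEs the firewall would actually hold."""
    groups = parse_object_groups(config)
    aces = []
    for line in config.splitlines():
        t = line.split()
        if not t or t[0] != 'access-list':
            continue
        # access-list NAME [extended] permit|deny PROTO SRC DST [PORT]
        i = 2 + (t[2] == 'extended')
        if t[i] not in ('permit', 'deny'):
            raise ValueError(f'cannot parse: {line}')
        proto, rest = t[i + 1], t[i + 2:]
        srcs, rest = _addr_members(rest, groups)
        dsts, rest = _addr_members(rest, groups)
        ports = _port_members(rest, groups)
        aces.extend(product([proto], srcs, dsts, ports))
    return aces

def config_lines(config):
    """Number of access-list lines as they appear in the running config."""
    return sum(1 for l in config.splitlines() if l.startswith('access-list'))

# Constructed scenario: 20 DC addresses, 6 AD-related TCP ports.
DCS = [f'10.0.{n}.10' for n in range(1, 21)]
AD_PORTS = ['88', '135', '389', '445', '636', '3268']

GROUPED = '\n'.join(
    ['object-group network DOMAIN_CONTROLLERS']
    + [f' network-object host {ip}' for ip in DCS]
    + ['object-group service AD_PORTS tcp']
    + [f' port-object eq {p}' for p in AD_PORTS]
    + ['access-list dc_out extended permit tcp object-group DOMAIN_CONTROLLERS'
       ' any object-group AD_PORTS'])

EXPLICIT = '\n'.join(
    f'access-list dc_out extended permit tcp host {ip} any eq {p}'
    for ip in DCS for p in AD_PORTS)

def compare():
    """Config lines vs compiled ACEs for both forms of the same policy."""
    return {'grouped_lines': config_lines(GROUPED),
            'grouped_aces': len(expand_acl(GROUPED)),
            'explicit_lines': config_lines(EXPLICIT),
            'explicit_aces': len(expand_acl(EXPLICIT))}

# Constructed 'show access-list' style output with hit counters.
SHOW_ACL = """\
access-list dc_out line 1 extended permit tcp host 10.0.1.10 any eq 88 (hitcnt=4812)
access-list dc_out line 2 extended permit tcp host 10.0.1.10 any eq 389 (hitcnt=0)
access-list dc_out line 3 extended permit tcp host 10.0.2.10 any eq 88 (hitcnt=0)
"""
HITCNT = re.compile(r'^access-list \S+ line (\d+) .*\(hitcnt=(\d+)\)')

def zero_hit_aces(show_output):
    """Line numbers of ACEs the show output reports with hitcnt=0."""
    return [int(m.group(1)) for m in
            (HITCNT.search(l.strip()) for l in show_output.splitlines())
            if m and m.group(2) == '0']

if __name__ == '__main__':
    print(compare())              # 1 line vs 120 lines, 120 ACEs either way
    print(zero_hit_aces(SHOW_ACL))  # [2, 3]
```

Running it shows the grouped policy as 1 configuration line and the explicit policy as 120, but both expand to 120 ACEs, which is what "it will all tree down" means in practice: object-groups make the rule base readable and easier to audit (the bogus DC1 --> DC2 entries would be one group membership to delete rather than thousands of lines), but the only way to get ACE count down is to remove sources, destinations or ports from the policy. The zero-hitcount pass is a first cut at finding candidates; an ACE with no hits over one window may still be needed (failover, monthly jobs), so check it against the owner before deleting.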