Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
310
Views
0
Helpful
2
Replies

firewall object groupings

suthomas1
Level 6
Level 6

‎09-14-2009 05:17 PM - edited ‎03-11-2019 09:15 AM

Gurus,

Concept of object grouping is used in firewall to have the group of host/services involved in logically single rules instead of varied lines.

Now it is seen that ACE uses only single line no. to define each object grouped rule until there is a change.

But even this way, the actual no. of lines would still be large enough degtermined by the no. of hosts or services in the object group.

Does this have any bearing on the extra lines firewall will have to parse thru.or is it simply for easier admin control.

Thanks.

Labels:
0 Helpful
2 Replies 2

Kureli Sankar
Cisco Employee
Cisco Employee

‎09-14-2009 06:51 PM

Absolutely the firewall needs to parse through all of these lines. If there are huge number of ACE then, as soon as you load that config memory consumption will be high and in case of the FWSM there are a few known issues relating to CPU spikes due to acl compilation. It is always a good idea to have your highest hit ACE in the top of the list.

0 Helpful

suthomas1
Level 6
Level 6
In response to Kureli Sankar

‎09-14-2009 10:03 PM

So, grouping is more as a tool for easier admin control rather than reducing the line count of ACE on the firewall.

Thanks.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card