Firewall Performance

Unanswered Question
May 1st, 2010

Folks,

How can I get the best performance from my firewall?

I have an ASA with 8 interfaces in a single context and 1500 lines of ACL.


Is there any rule for improving ACL performance?

For example, which is the better option: should I use object-groups or a linear ACL?

Does Cisco have any recommendations about ACLs?


thanks a lot

Jon Marshall Sun, 05/02/2010 - 00:56

Daniel


Object-groups are really just a way to organise your access-lists more efficiently, but they won't have a huge impact on performance. The recommendation for acls is to:


1) have more specific rules at the top and more general ones later


2) try to have the rules that are being hit the most near the top of the acl, because as soon as a match is found in the acl, processing of the acl stops. Obviously you must take 1) into account when doing this.


In addition, it is quite common for a firewall rule base to grow very large because new access is needed, but often some of the older rules are no longer needed. It is worth checking the hit counts for the acls, because you may find that a certain number of the rules are no longer being used.


Jon

Kimberly Adams Fri, 05/07/2010 - 15:24

To add a little more info to what Jon is saying, if you have a group of single hosts that will need access to, say, the same destination on a bunch of different ports, then it is good to keep your acl count lower by setting up an object-group for the hosts and a service-group for the ports and a single acl for it all. This does help in keeping down the number of lines of acls you need. It also helps to set up a naming convention for the object-groups that makes it easy to remember what each group is used for. I personally have found that using a combination of object-groups keeps the number of acls down to a minimum.


Thanks,


Kimberly
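As an added example (not code from this thread or from Cisco), the script below does the two checks the replies above describe: Jon's hit-count review for rules that are never matched and for heavily hit rules sitting far down the list, and Kimberly's point that one object-group ACE is still expanded into one element per host/port pair. It parses a constructed sample of ASA `show access-list` output; the ACL name, addresses and counters are made up for the example.

```python
import re
from typing import NamedTuple

# Constructed sample of ASA "show access-list" output (not captured from a device).
# Indented lines are the per-host/per-port expansion of an object-group ACE.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list outside_in; 6 elements; name hash: 0x1a2b3c4d
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq 22 (hitcnt=4) 0xaaaa0001
access-list outside_in line 2 extended permit tcp any host 192.0.2.10 eq www (hitcnt=981234) 0xaaaa0002
access-list outside_in line 3 extended permit tcp any host 192.0.2.11 eq 8443 (hitcnt=0) 0xaaaa0003
access-list outside_in line 4 extended permit tcp object-group MGMT_HOSTS host 192.0.2.12 object-group MGMT_PORTS (hitcnt=57) 0xaaaa0004
  access-list outside_in line 4 extended permit tcp host 198.51.100.5 host 192.0.2.12 eq 22 (hitcnt=57) 0xaaaa0005
  access-list outside_in line 4 extended permit tcp host 198.51.100.5 host 192.0.2.12 eq 443 (hitcnt=0) 0xaaaa0006
access-list outside_in line 5 extended deny ip any any log (hitcnt=120) 0xaaaa0007
"""

ACE_RE = re.compile(
    r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) "
    r"(?P<ace>.*?) \(hitcnt=(?P<hits>\d+)\)"
)

class Ace(NamedTuple):
    acl: str
    line: int
    ace: str
    hits: int

def parse_show_access_list(text):
    """Return the configured (top-level) ACEs; indented object-group expansions are skipped."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m or m.group("indent"):
            continue
        aces.append(Ace(m.group("acl"), int(m.group("line")), m.group("ace"), int(m.group("hits"))))
    return aces

def unused_aces(aces):
    """Configured rules that have never matched; candidates for removal after a review period."""
    return [a for a in aces if a.hits == 0]

def hot_rules(aces, top_n=3):
    """Busiest rules as (line, hits), most hit first. A high-hit rule with a large line
    number is a candidate to move up, as long as more specific rules stay above it."""
    ranked = sorted(aces, key=lambda a: a.hits, reverse=True)[:top_n]
    return [(a.line, a.hits) for a in ranked]

def configured_vs_elements(text, aces):
    """(configured ACE lines, elements after object-group expansion) from the header line."""
    m = re.search(r"; (\d+) elements;", text)
    return len(aces), int(m.group(1)) if m else None
```

Counters are cleared on reload and by `clear access-list counters`, so sample them over a representative period before treating a zero hit count as proof a rule is dead.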
