Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA5505 Security + IOS: Maximum ACE Allowance?

Hello,

I'm trying to find out what the maximum amount of ACE's allowed to be entered in a Single ACL for the ASA5505 with Security + IOS. I've scoured the Internet, searched Cisco documentation and found nothing that would necessarily help me.

What I'm trying to find out is whether denying all IP traffic and only permitting US IP Subnets into my network is feasible or not.I've come up with  a list of US IP's to be roughly 45800 subnets (accurate as of last month). So the inbound ACL in a nutshell would be "permit US subnets" "deny anything else"

That will at least keep the scan attacks down to a minimum and if they use proxies from US servers, I can address them as they try to attack my network.

Thanks!

Everyone's tags (5)
2 REPLIES
Cisco Employee

ASA5505 Security + IOS: Maximum ACE Allowance?

Hi Jon,

There is no exact formula to determine the  max number of ACL elements as it depends upon the size of the rest of the configuration, enabled features  and vpn connections.

It has been tested up to 25K lines for ACL on the ASA5505 without performances issues, but as said before this depends completely on the rest of the configuration.

I believe you could add only permit statements (summarizing networks) and deny everything else.

Thanks,

Itzcoatl Espinosa

New Member

Re: ASA5505 Security + IOS: Maximum ACE Allowance?

Thanks for the reply. I know at the 20K ACE limit, some ISP Grade routers run out of TCAMs (I believe they were Cisco12ks and ASR9010's) and basicaly once all TCAMs are allocated, any ACE's that didn't get loaded near the end of the ACL are not being actively filtered. I've read places across the net where a single ace is 173 bytes and it's all a factor of how much memory you have available for the ACE to be placed into the ASA; however, with my past issues with the routers, I find it hard to believe you can have 300k ACE's that would consume only 512MB of RAM. Even if it took them in memory, the CPU wouldn't be able to use that list for filtering in a timely manner.

There has to be a formula especially when you want to harden your firewall with a hefty ACL blocking country IP space or just allowing your country to talk inwards.

222
Views
0
Helpful
2
Replies