ASDM multiple network objects vs group for rules

I was just curious if there are any performance benefits of using multiple network objects on multiple rules vs consolidating them into fewer rules by grouping them? 

For example, I have about 10 lines of NAT exempt rules from the same source to multiple destinations.  Is there anything to be gained if I consolidated those into a single rule using an object group for the multiple destinations aside from cleaning up the clutter in ASDM?

Thanks

2 REPLIES

Hello Tony,

Of course, it will be better because the processing that the ASA is going to use to determine which rule to match would be decremented; it would also take less space in the configuration file (memory). Those are some of the pros of creating groups for particular rules.

Sometimes a huge configuration file can increment the CPU usage, etc., so it is better to keep it as small and organized as possible.

Please rate helpful posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Well, using an object group is easy for sure. There is no performance benefit, but it is easy to manage things and less configuration is required. Consider it like this, if you need the same ACL -

Source is A

Destination B C D

That is a total of 4 ACLs, right? Instead of doing that, you can create two object groups, Object A and B, and add the networks there. When you look at the actual lines added, there would be 4.

So nothing, but it makes the job easy.

Thanks

Ajay
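
An added example, not part of any reply in this thread: Python that expands object groups the way the last reply describes, so one `access-list` line referencing a group can be reviewed as one entry per source/destination pair. The group names, ACL name and addresses are constructed, and the parser assumes portless `access-list ... extended` lines.

```python
import re
from itertools import product

# Constructed sample config (not from the thread): one ACL line using a nested group.
SAMPLE = """\
object-group network REMOTE-SITES
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object host 192.168.30.5
object-group network ALL-REMOTE
 group-object REMOTE-SITES
 network-object 172.16.0.0 255.255.0.0
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 object-group ALL-REMOTE
"""

def parse_groups(config):
    """Map each object-group name to its members; group-object marks a nested group."""
    groups, current = {}, None
    for line in config.splitlines():
        if line.startswith("object-group network "):
            current = groups.setdefault(line.split()[2], [])
        elif line.startswith(" ") and current is not None:
            kind, _, rest = line.strip().partition(" ")
            if kind in ("network-object", "group-object"):
                current.append(rest if kind == "network-object" else "object-group " + rest)
        else:
            current = None
    return groups

def resolve(spec, groups, seen=()):
    """Flatten an address spec into plain addresses, rejecting group loops."""
    if not spec.startswith("object-group "):
        return [spec]
    name = spec.split()[1]
    if name in seen:
        raise ValueError(f"object-group loop at {name}")
    return [a for member in groups[name] for a in resolve(member, groups, seen + (name,))]

# Covers portless lines only: <action> <protocol> <source> <destination>.
ADDR = r"(object-group \S+|host \S+|any|\S+ \S+)"
ACL = re.compile(rf"access-list (\S+) extended (permit|deny) (\S+) {ADDR} {ADDR}$")

def expand(config):
    """Return one ACE string per source/destination pair of every ACL line."""
    groups, aces = parse_groups(config), []
    for m in filter(None, map(ACL.match, config.splitlines())):
        name, action, proto, src, dst = m.groups()
        for s, d in product(resolve(src, groups), resolve(dst, groups)):
            aces.append(f"access-list {name} extended {action} {proto} {s} {d}")
    return aces
```

Calling `expand(SAMPLE)` returns four entries for the single grouped line, which is the list to compare against a rule set written out one destination per line.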
