Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
626
Views
0
Helpful
2
Replies

Firewall Performance

danielnunes
Level 1
Level 1

‎05-01-2010 03:11 PM - edited ‎03-11-2019 10:39 AM

Folks,

How can I get the best performance to my Firewall?

I have a ASA with 8 interfaces into a single context and 1500 lines of ACL.

Is there any rule to improve more performance about ACL?

For example, what's the better option, do I need to use object-group or linear ACL?

Have Cisco any recomendations about ACL?

thanks a lot

Labels:
0 Helpful
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎05-02-2010 12:56 AM 

danielnunes wrote:
Folks,
How can I get the best performance to my Firewall?
I have a ASA with 8 interfaces into a single context and 1500 lines of ACL.
Is there any rule to improve more performance about ACL?
For example, what's the better option, do I need to use object-group or linear ACL?
Have Cisco any recomendations about ACL?
thanks a lot

Daniel

Object-groups are really just a way to organise your access-lists in a more efficient way but they won't have a huge impact on performance. The recommendation for acls is to -

1) have more specific rules at the top and more general later

2) try and have the rules that are being hit the most near the top of the acl because as soon as a match is found in the acl processing of the acl stops. Obviously you must take into account 1) when doing this.

In addition it is quite common for a firewall rule base to grow very large due to new access being needed but often some of the older rules are no longer needed. It is worth checking on the hit count for the acls because you may find a certain amount of the rules are no longer being used.

Jon

0 Helpful

Kimberly Adams
Level 3
Level 3
In response to Jon Marshall

‎05-07-2010 03:24 PM

To add a little more info to what Jon is saying, if you have a group of single hosts that will need access to the say destination on a bunch of different ports, then it is good to keep your acl count lower by setting up an Object-group for the hosts and a Service-group for the ports and a single acl for it all.  This does help in keeping down the number of lines of acls you need.  It also helps to setup a naming convention for the object-groups that makes it easy to remember what the group is used for.  I personally have found using a combination of object-groups to keep the number of acls down to a minimum.

Thanks,

Kimberly

Thanks and Cheers! Kimberly Please remember to rate helpful posts.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card