How can I get the best performance from my firewall?
I have an ASA with 8 interfaces in a single context and 1500 lines of ACL.
Is there any rule for improving ACL performance?
For example, which is the better option: do I need to use object-groups or a linear ACL?
Does Cisco have any recommendations about ACLs?
Thanks a lot.
Object-groups are really just a way to organise your access-lists more efficiently; they won't have a huge impact on performance. The recommendations for ACLs are:
1) have the more specific rules at the top and the more general ones later;
2) try to have the rules that are hit the most near the top of the ACL, because as soon as a match is found, processing of the ACL stops. Obviously you must take 1) into account when doing this.
In addition, it is quite common for a firewall rule base to grow very large because new access keeps being needed, while some of the older rules are often no longer needed. It is worth checking the hit counts on the ACL, because you may find that a certain number of the rules are no longer being used.
To add a little more info to what Jon is saying: if you have a group of single hosts that need access to, say, the same destination on a bunch of different ports, then it is good to keep your ACL count lower by setting up an object-group for the hosts, a service-group for the ports, and a single ACE for it all. This does help keep down the number of ACL lines you need. It also helps to set up a naming convention for the object-groups that makes it easy to remember what each group is used for. I personally have found that using a combination of object-groups keeps the number of ACL lines down to a minimum.
Thanks and Cheers!
Please remember to rate helpful posts.
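A worked ASA configuration that puts both answers together, as an added example and not code from either poster: the same policy written as a linear ACL and as a single object-group ACE, the ordering rule (specific deny first, most-hit permits next, general rules last), and the hit-count audit Jon suggests. Interface name, IP addresses, and the ACL and group names are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Interface name, addresses, ACL and
! object-group names are assumptions chosen for illustration.
!
! Linear style: one ACE per host/port pair. 3 hosts x 3 ports = 9 lines.
! access-list OUTSIDE-IN extended permit tcp host 203.0.113.10 host 192.0.2.20 eq www
! access-list OUTSIDE-IN extended permit tcp host 203.0.113.10 host 192.0.2.20 eq https
! ... (9 lines in total)
!
! Same policy with object-groups: one ACE. The ASA still expands the group
! ACE into the individual entries internally (see "show access-list"), so
! the lookup cost is the same; what you gain is a shorter, readable rule
! base and a single place to add a host or a port.
object-group network PARTNER-HOSTS
 network-object host 203.0.113.10
 network-object host 203.0.113.11
 network-object host 203.0.113.12
!
object-group network WEB-SERVERS
 network-object host 192.0.2.20
!
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
 port-object eq 8443
!
! Ordering: specific deny first, then the most-hit permit, general rules last.
access-list OUTSIDE-IN extended deny ip host 203.0.113.99 any
access-list OUTSIDE-IN extended permit tcp object-group PARTNER-HOSTS object-group WEB-SERVERS object-group WEB-PORTS
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended deny ip any any
access-group OUTSIDE-IN in interface outside
!
! Hit-count audit (exec mode). Reset the counters, wait a representative
! period (a full business cycle, including month-end jobs), then list the
! entries that were never hit. Review those before removing them.
! clear access-list OUTSIDE-IN counters
! show access-list OUTSIDE-IN | include hitcnt=0
```

Two caveats a practitioner will want: a zero hit count only proves that nothing matched during the observation window, so audit over a period long enough to cover infrequent but legitimate traffic; and on ASA 8.3 and later the global command `object-group-search access-control` stops the per-entry expansion of group ACEs, which saves memory on very large group-based ACLs at the cost of extra CPU per lookup, so test it before enabling it on a busy box.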