Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
582
Views
0
Helpful
2
Replies

FWSM: Configuration practices and performances

Go to solution
dranix2679
Level 1
Level 1

‎01-25-2012 06:40 PM - edited ‎03-11-2019 03:19 PM

Hi everyone,

I am working on a FWSM in a Cisco 7606 Router. I was looking through the current rules and was doing some housekeeping and realised that there were multiple occurances of "object-group network" and "object-group service".

From what i have understood so far, when configuring rules using the ASDM, if users do not select specific created object-group and manually typing them in, ASDM automatically creates them. For example;

Extract of configuration:

object-group network DM_INLINE_NETWORK_16

     network-object host 10.1.1.1

     network-object host 10.1.1.2

object-group network DM_INLINE_NETWORK_17

     network-object host 10.1.1.1

     network-object host 10.1.1.2

object-group network DM_INLINE_NETWORK_18

     network-object host 10.1.1.1

     network-object host 10.1.1.2

-END-

If i had done this:

object-group network TACACS_SERVER

     network-object host 10.1.1.1

     network-object host 10.1.1.2

-END-

The question is....

If i had created an object-group TACACS_SERVER and use this 1 instance of this in all my rules in the access_list, would it be better than letting ASDM create the DM_INLINE_NETWORK_16,17,18 object-groups?

Does it have any runtime performance drawback?

Which of this 2 practices is recommended?

Thank You.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee

‎01-29-2012 07:29 AM

I'd suggest to use just one obj grp. Like the one that you created.  The others are duplicate of each other which will only increase the config file size.  You will not see any performance issue due to this.

-Kureli

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee

‎01-29-2012 07:29 AM

I'd suggest to use just one obj grp. Like the one that you created.  The others are duplicate of each other which will only increase the config file size.  You will not see any performance issue due to this.

-Kureli

0 Helpful

Go to solution
dranix2679
Level 1
Level 1
In response to Kureli Sankar

‎01-29-2012 05:21 PM

Hi Kureli,

Thanks for your reply. I had the impression that by having multiple object-group would affect the performance of the FWSM. But anyway, i would simplify the object-group organization since it would be easier for human readability.

Thank You.

-leaving this post open for a while for further input from the community

-will close it in about a weeks time.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card