Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

share ACLs on ASA

most of my interface specific ACLs are the same - with only the last few lines be different from interface to interface.  however, i still have to create a mostly duplicate ACL for each interface.

i know there is the global access rule which is applied as an ingress rule on all interfaces.  i thought about using the global access rules to permit traffic that every computer would need regardless of which interface it is connected to (e.g. DNS, AD, NTP, SMTP, RDP, etc), and use the interface specific rules to permit "special" traffic on each interface (e.g. computers connected to the HR interface get access to HR DB Server).

one problem i see with this setup is that interface specific rules are checked before the global rules, but there are a LOT more "hits" on the rules that are common for each interface (and those are the rules i want to move into the global rules section).

wouldn't this setup create a performance problem?

is there a different way to share ACLs on an multiple interfaces on the ASA (so i don't have to create a duplicate ACL for each interface).

4 REPLIES
Gold

Re: share ACLs on ASA

Hello,

Unfortunately, there is no way to change this behavior. This is by design since interface-specific ACLs need to take precedence over the global rules. However, I don't think you will notice any performance difference, especially if your interface ACL is not very complex. ACLs are not processed linearly so although I have not tested this case, the performance difference between putting everything in an interface ACL versus sharing rules across a global ACL and also checking a few interface rules should be negligible.

Hope that helps.

-Mike

Cisco Employee

Re: share ACLs on ASA

To add mrober2's suggestion, unless the ACLs are absurdly long (more than 10K rules and more depending on ASA model), there is no performance impact due to ACL evaluation. Note that packets that do have an existing connection are not checked against ACLs as it happens on the routers..

I hope it helps.

PK

New Member

Re: share ACLs on ASA

my asa configuration, if put into a txt file, is 150 kBytes in size.  each interface has about 75 rules with nested object groups for both networks and ports.

i am concerned about the performance with the implementation of global access list - because much of the interface specific acl contains rules that would get hit once a day and some would get hit once a month.  at the same time, virtually all rules in the global acl, which gets check after the interface specific acl, are getting hit much more frequently.  i just checked, within the past 5 minutes, the global rule that permits DNS traffic got hit 12820 times.

but for the asa to get to the DNS rule in the global acl, it wasted lots of cpu cycles in the interface specific acl. i guess it would be better, to have another global acl that is processed before interface specific acls.  or give admins the ability to customize how the existing global acl is processed.

thanks for all the input

Cisco Employee

Re: share ACLs on ASA

75 rules, even 1K rules would have no impact at all. So I would not worry about ACL performance at all.

Take care,

PK

306
Views
5
Helpful
4
Replies