ACE Limitation for FWSM

metro.gmarsh · ‎06-21-2006

Is there any plans to extend the ACE Limitation for single mode and multiple mode on a FWSM from 80 K (single mode) or 142 K (multiple mode)? and is this a shared medium for all virtual firewalls...or is it per context? and if it is shared, how do you handle 100 contexts...?

Patrick Iseli · ‎06-21-2006

See this table for the ACE Linitation:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_3/fwsm_cfg/specs.htm#wp1054944

In multiple context mode, the FWSM partitions the memory allocated to rule configuration, and assigns each context to a partition. By default, a context belongs to one of 12 partitions that offers a maximum of 12,130 rules, including ACEs, AAA rules, and others. The FWSM assigns contexts to the partitions in the order they are loaded at startup. For example, if you have 12 contexts, each context is assigned to its own partition, and can use 12,130 rules. If you add one more context, then context number 1 and the new context number 13 are both assigned to partition 1, and can use 12,130 rules divided between them; the other 11 contexts continue to use 12,130 rules each. If you delete contexts, the partition membership does not shift, so you might have some unequal distribution until you reboot, at which time the contexts are evenly distributed.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_3/fwsm_cfg/context.htm

There will be a new FWSM model in the next couple of month that will have more ACE available.

sincerely

Patrick

metro.gmarsh · ‎06-21-2006

Thank you for your input.