10-26-2006 01:27 PM
We just recently experienced an error message on one of the firewall contexts that it has reached the maximum access-list entry. Does anyone know what is the limit of ACL entry per context, or where I can find the documentation for it? Any workaround on this issue? Thanks in advance.
10-27-2006 03:04 AM
Hello,
This value changes depending on what version of FWSM code you are running - and Cisco does not get that specific on how the FWSM calculates ACE entries for determining how many entries you have on your own.
If you run the command (the syntax may be different in 3.x code):
show np 3 acl count
You'll get an output that looks like this:
-------------- CLS Rule Current Counts --------------
CLS Filter Rule Count : 0
CLS Fixup Rule Count : 11
CLS Est Ctl Rule Count : 0
CLS AAA Rule Count : 2187
CLS Est Data Rule Count : 0
CLS Console Rule Count : 7
CLS Policy NAT Rule Count : 0
CLS ACL Rule Count : 3491
CLS ACL Uncommitted Add : 0
CLS ACL Uncommitted Del : 0
---------------- CLS Rule MAX Counts ----------------
CLS Filter MAX : 3584
CLS Fixup MAX : 32
CLS Est Ctl Rule MAX : 716
CLS Est Data Rule MAX : 716
CLS AAA Rule MAX : 5017
CLS Console Rule MAX : 2150
CLS Policy NAT Rule MAX : 3584
CLS ACL Rule MAX : 56627
The counts are your actual numbers, the MAX is the max you can have. AAA rules are counted for how many ACEs you can have applied in total with your 'aaa match' commands. From your issue, it sounds like you need to check your 'CLS ACL Rule Count' and 'CLS ACL Rule MAX' and make sure you're not getting close to that number. If you are - try limiting the number of host entries (use networks) where possible, and try using port ranges instead of individual ports in your access-list statements.
I'll try to find the 7.x syntax and post here later.
--Jason
Rate if it helps.
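A small parser for the 'show np 3 acl count' output quoted above, added here as an example (it is not from the post or from Cisco): it reads each Count/MAX pair and flags any rule table whose usage is above a chosen percentage, which is the "check your Count against your MAX" step described above. The sample text is the output from the post; the warning threshold is an assumed value.

```python
import re

# Sample output copied from the 'show np 3 acl count' listing in the post above.
SAMPLE = """\
-------------- CLS Rule Current Counts --------------
CLS Filter Rule Count : 0
CLS Fixup Rule Count : 11
CLS Est Ctl Rule Count : 0
CLS AAA Rule Count : 2187
CLS Est Data Rule Count : 0
CLS Console Rule Count : 7
CLS Policy NAT Rule Count : 0
CLS ACL Rule Count : 3491
CLS ACL Uncommitted Add : 0
CLS ACL Uncommitted Del : 0
---------------- CLS Rule MAX Counts ----------------
CLS Filter MAX : 3584
CLS Fixup MAX : 32
CLS Est Ctl Rule MAX : 716
CLS Est Data Rule MAX : 716
CLS AAA Rule MAX : 5017
CLS Console Rule MAX : 2150
CLS Policy NAT Rule MAX : 3584
CLS ACL Rule MAX : 56627
"""

# Only 'Count' and 'MAX' lines are tables; 'Uncommitted Add/Del' lines are skipped.
LINE = re.compile(r"^CLS (.+?) (Count|MAX) : (\d+)$")

def parse_counts(text):
    """Return {table: (current, max)} from 'show np 3 acl count' output."""
    current, maximum = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        name, kind, value = m.groups()
        name = name.replace(" Rule", "")  # 'ACL Rule Count' and 'ACL Rule MAX' are one table
        (current if kind == "Count" else maximum)[name] = int(value)
    return {k: (current.get(k, 0), maximum[k]) for k in maximum}

def utilization(text, warn_pct=80):
    """List (table, current, max, percent) for tables at or above warn_pct (assumed threshold)."""
    alerts = []
    for name, (cur, mx) in parse_counts(text).items():
        pct = 100.0 * cur / mx
        if pct >= warn_pct:
            alerts.append((name, cur, mx, round(pct, 1)))
    return alerts
```

On the quoted sample the ACL table is at 3491 of 56627, so nothing is flagged at 80%; lowering the threshold shows which tables are closest to their limit.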
10-27-2006 06:18 AM
How is this affected by the use of object-groups? Is a "CLS ACL Rule" equivalent to an ACE, or to each "expansion" of an ACE w/object-groups (seen when you do a "show acl")? In other words, if the object group "some-hosts" has network-objects, does the ACE:
"access-list x extended permit tcp object-group some-hosts host 10.1.1.1 eq ssh"
count as 1 or 10 CLS ACL rules?
10-28-2006 03:29 PM
lowen,
As I stated in the earlier message - Cisco isn't so clear on ACL counting - I *believe* that object groups do not affect the count.
One way you can tell about a particular access-list is when you do the 'show access-list' command it tells you how many elements are in it (at least on the FWSM).
Examples:
permit ip host 1.1.1.1 host 2.2.2.2 == 1 element
permit ip object-group jay-test object-group jay-test2 == 1 element
(those object groups had the hosts 1.1.1.1 and 2.2.2.2, respectively).
Now, I know I've read somewhere that not all ACEs are equal to access-list lines, but it certainly seems to be the case here.
--Jason
Please rate my answer if it answered some or all of your question.
10-30-2006 08:51 AM
Jason,
Thanks for your reply. I have been trying to look for this CLI command--this sure helps us a lot.