https://community.cisco.com/t5/network-security/maximum-acl-rules/m-p/1035246#M895346 <HTML><HEAD></HEAD><BODY><P>There is no maximum number of ACL entries which we can accommodate in ASA. It depends upon the DRAM size.</P><P></P><P>Syed Iftekhar Ahmed</P></BODY></HTML> Wed, 08 Oct 2008 17:28:37 GMT Syed Iftekhar Ahmed 2008-10-08T17:28:37Z https://community.cisco.com/t5/network-security/maximum-acl-rules/m-p/1035245#M895344 <P>Hello,</P><P></P><P>Is anybody aware of the maxinum number of access list rules an ASA can take. </P><P></P><P>Thanks</P><P></P> Mon, 11 Mar 2019 13:54:46 GMT https://community.cisco.com/t5/network-security/maximum-acl-rules/m-p/1035245#M895344 innetsecwork 2019-03-11T13:54:46Z https://community.cisco.com/t5/network-security/maximum-acl-rules/m-p/1035246#M895346 <HTML><HEAD></HEAD><BODY><P>There is no maximum number of ACL entries which we can accommodate in ASA. It depends upon the DRAM size.</P><P></P><P>Syed Iftekhar Ahmed</P></BODY></HTML> Wed, 08 Oct 2008 17:28:37 GMT https://community.cisco.com/t5/network-security/maximum-acl-rules/m-p/1035246#M895346 Syed Iftekhar Ahmed 2008-10-08T17:28:37Z https://community.cisco.com/t5/network-security/maximum-acl-rules/m-p/1035247#M895348 <HTML><HEAD></HEAD><BODY><P>As your number of rules increases, the CPU load will increase as well. While there is no hard and fast limit I have had experience with a PIX 535 becoming CPU bound due to the size of the ACLs applied coupled with the complicated NAT rules and hundreds of static routes. In this case, the firewall would occasionally hit max CPU usage during peak traffic periods and start discarding packets.</P><P></P><P>Deleting ACL entries and cleaning up the config solved the issue in that situation.</P></BODY></HTML> Wed, 08 Oct 2008 19:08:30 GMT https://community.cisco.com/t5/network-security/maximum-acl-rules/m-p/1035247#M895348 Matthew Warrick 2008-10-08T19:08:30Z https://community.cisco.com/t5/network-security/maximum-acl-rules/m-p/1035248#M895349 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>It is my understanding that the ASA uses around 20KB for an Access List Entry (ACE). So, the number of ACE really depends on the memory on the chassis and other features that are you planning to enable.</P><P></P><P>Below is the data sheet for the ASA that has information on various ASA platforms and memory.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html" target="_blank">http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html</A> </P><P></P><P>Regards,</P><P>Arul</P><P></P><P>** Please rate all helpful posts **</P></BODY></HTML> Wed, 08 Oct 2008 19:46:01 GMT https://community.cisco.com/t5/network-security/maximum-acl-rules/m-p/1035248#M895349 ajagadee 2008-10-08T19:46:01Z https://community.cisco.com/t5/network-security/maximum-acl-rules/m-p/1035249#M895350 <HTML><HEAD></HEAD><BODY><P>adding to what has been said. I have found that many customers don't use object groups which can reduce the size of the ACLs substantially. The best approach is to create object groups, remove ACL with not hits, place the entries that are hited the most on the top of the ACL .. just my 20 cents <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P></P></BODY></HTML> Wed, 08 Oct 2008 21:35:31 GMT https://community.cisco.com/t5/network-security/maximum-acl-rules/m-p/1035249#M895350 Fernando_Meza 2008-10-08T21:35:31Z https://community.cisco.com/t5/network-security/maximum-acl-rules/m-p/1035250#M895351 <HTML><HEAD></HEAD><BODY><P>Hi, can you give me link for docs about ACLs processing?</P><P></P><P>It's interesting about object groups. Is there any processing docs and compare?</P></BODY></HTML> Sun, 02 Jun 2013 06:15:32 GMT https://community.cisco.com/t5/network-security/maximum-acl-rules/m-p/1035250#M895351 Mokeev.tel 2013-06-02T06:15:32Z https://community.cisco.com/t5/network-security/maximum-acl-rules/m-p/1035251#M895352 <HTML><HEAD></HEAD><BODY><P>Hello Sergey,</P><P></P><P>I have read somewhere that each element or ACL entry requires about 40-56 bytes but there is no limit specific as there is in the FWSM where is normal to get warnings if you have a huge amount on ACLs.</P><P></P><P>I would not consider normal or common on an ASA to have a problem regarding CPU/Memory due to ACL's. I have not seen it before</P><P></P><P>Hope that I could help</P></BODY></HTML> Sun, 02 Jun 2013 07:26:11 GMT https://community.cisco.com/t5/network-security/maximum-acl-rules/m-p/1035251#M895352 Julio Carvajal 2013-06-02T07:26:11Z https://community.cisco.com/t5/network-security/maximum-acl-rules/m-p/1035252#M895353 <HTML><HEAD></HEAD><BODY><P>Hi, Julio!</P><P>I'm glad to see you.</P><P></P><P>Does ASA do some optinization of ACLs?</P><P></P><P>I mean, will be there any difference if ACL lines with heavy traffic will be at lines from 1 to 10 or they will be at lines from 500 to 509?</P></BODY></HTML> Sun, 02 Jun 2013 07:40:15 GMT https://community.cisco.com/t5/network-security/maximum-acl-rules/m-p/1035252#M895353 Mokeev.tel 2013-06-02T07:40:15Z https://community.cisco.com/t5/network-security/maximum-acl-rules/m-p/1035253#M895354 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>The optimization would be use object groups when possible so you can reduce the amount of ACL lines,</P><P></P><P><SPAN style="text-decoration: underline;"><STRONG>Remember to rate all of the helpful posts, that is as important as a thanks</STRONG></SPAN></P><P></P><P>Regards</P></BODY></HTML> Mon, 03 Jun 2013 16:19:10 GMT https://community.cisco.com/t5/network-security/maximum-acl-rules/m-p/1035253#M895354 Julio Carvajal 2013-06-03T16:19:10Z