Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1400
Views
0
Helpful
4
Replies

FWSM memory partitions

e-chuah
Level 1
Level 1

‎12-02-2009 01:38 AM - edited ‎03-11-2019 09:44 AM

Hi,

I have a questions on FWSM memory partition. I understand that there are 12 memory partitions and we can configure how many partitions we need.

If i set the number of partition to 6, then each partition will have more resources compared to if i set the number of partitions to 12.

Can i just set the number of partition to 1, then in this case, i have one big memory partition which all the contexts i created will use.

My client (running 3.X) has 6 partitions of equal size. One of the partition is running out of resource and the other partitions still have plenty of resources. I undertand that 4.x has some enhancement on resource allocation. I am just thinking if it might be easier just to have one large partition and any context just use that pool of resrouces. In this way, it will keep things simple..

Has anyone tried this before? Anything i should take note of if i do this?

Thanks

Eng Wee

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎12-02-2009 03:46 AM 

e-chuah wrote:
 
Hi,
I have a questions on FWSM memory partition. I understand that there are 12 memory partitions and we can configure how many partitions we need.
If i set the number of partition to 6, then each partition will have more resources compared to if i set the number of partitions to 12.
Can i just set the number of partition to 1, then in this case, i have one big memory partition which all the contexts i created will use.
My client (running 3.X) has 6 partitions of equal size. One of the partition is running out of resource and the other partitions still have plenty of resources. I undertand that 4.x has some enhancement on resource allocation. I am just thinking if it might be easier just to have one large partition and any context just use that pool of resrouces. In this way, it will keep things simple..
Has anyone tried this before? Anything i should take note of if i do this?
Thanks
Eng Wee

Eng

You can do this but i wouldn't recommend it. The whole idea of using memory partitions is to protect virtual firewalls from each other. If you have one big partition with all contexts in and one context consumes all resources then all contexts suffer.

Jon

0 Helpful

Kureli Sankar
Cisco Employee
Cisco Employee
In response to Jon Marshall

‎12-02-2009 06:49 AM

FWSM 4.x

Total Partitions        ACLs
     12          19219
     11          20821
     10          22714
     9          24985
     8          27761
     7          31232
     6          35693
     5          41642
     4          49971
     3          62464
     2          83285
     1          124928


There is also acl optimization in 4.x. 
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/product_bulletin_c25-478751.html


I agree with Jon. May be you can go to 3 partitions and point all the smaller contexts to one partition and give 
the bigger context its own partition.

-KS


0 Helpful

e-chuah
Level 1
Level 1
In response to Kureli Sankar

‎12-04-2009 03:01 AM

kusankar & Jon,  Thanks for the reply. I managed to get hold of a FWSM and downloaded 4.x to test.  With 1 partition, you get 124928 rules in total excluding the backup tree with 2 partitions, you get 166570 rules in total excluding the backup tree. with 12 partitions, you get 230628 rules in total excluding the backup tree  This is because of the backup tree partition which is equivalent to the size of the biggest partition. So even with one partition, it doesn't mean you can have more context as the total number of rules are also reduced.   Rgds Eng Wee

0 Helpful

Kureli Sankar
Cisco Employee
Cisco Employee
In response to e-chuah

‎12-04-2009 05:56 AM

Looks like you would have to move this big context to a separate firewall. Have you looked at the ASA5580s?

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

-KS

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card