11-19-2012 11:17 AM - edited 03-11-2019 05:25 PM
This is my first hands-on with a newer ASA, in this case a 5515-X. Also the first time I'm doing a greenfield config with the post 8.3/8.4 objects.
I can see how the object groups do actually simplify administration, not just for NAT. I've done some testing with network and service objects in ACL's and have some concerns related to performance. It seems that it’s very easy to create ACL's that get expanded into a large group of ACE's.
For instance, I've got a network object group with 10 networks, another network object group with 5 external servers, and a service object group of 4 defined ports.
This single ACL entry is expanded into 200 ACE's.
Of course, working out subnets can help reduce this to some degree.
Where can I find performance info for the 5515-x? It has 4GB of RAM and uses a single processor core, I would think ACE's in the thousands would be possible without performance degradation.
TIA!
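The expansion the post describes (10 networks x 5 servers x 4 ports = 200 ACEs) is simply the product of the referenced group sizes, nested group-object references included. The script below is an added example, not code from the original thread or from Cisco: it parses a constructed ASA 8.4-style snippet (group names and addresses are assumptions chosen to match the poster's numbers) and reports how many ACEs each access-list line will expand into, which is useful for capacity planning before pushing a config to the box.

```python
import math
import re

# Constructed sample ASA 8.4-style configuration; the group names and
# addresses are assumptions made for this example, sized to match the
# 10 networks x 5 servers x 4 ports case described in the post.
SAMPLE_CONFIG = """
object-group network INSIDE_NETS
 network-object 10.1.0.0 255.255.255.0
 network-object 10.2.0.0 255.255.255.0
 network-object 10.3.0.0 255.255.255.0
 network-object 10.4.0.0 255.255.255.0
 network-object 10.5.0.0 255.255.255.0
 network-object 10.6.0.0 255.255.255.0
 network-object 10.7.0.0 255.255.255.0
 network-object 10.8.0.0 255.255.255.0
 network-object 10.9.0.0 255.255.255.0
 network-object 10.10.0.0 255.255.255.0
object-group network EXT_SERVERS
 network-object host 203.0.113.10
 network-object host 203.0.113.11
 network-object host 203.0.113.12
 network-object host 203.0.113.13
 network-object host 203.0.113.14
object-group network EXT_ALL
 description nested group example (constructed)
 group-object EXT_SERVERS
 network-object host 203.0.113.99
object-group service WEB_PORTS tcp
 port-object eq 80
 port-object eq 443
 port-object eq 8080
 port-object eq 8443
access-list INSIDE_OUT extended permit tcp object-group INSIDE_NETS object-group EXT_SERVERS object-group WEB_PORTS
"""

GROUP_HEADER = re.compile(r"^object-group\s+(network|service)\s+(\S+)")
GROUP_REF = re.compile(r"object-group\s+(\S+)")


def parse_object_groups(config):
    """Return {group_name: [member lines]} from the indented object-group blocks."""
    groups = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        header = GROUP_HEADER.match(line)
        if header:
            current = header.group(2)
            groups[current] = []
        elif line.startswith(" ") and current is not None:
            member = line.strip()
            if not member.startswith("description"):   # descriptions add no ACEs
                groups[current].append(member)
        else:
            current = None   # any other top-level line ends the block
    return groups


def group_size(groups, name, _seen=None):
    """Number of ACEs one reference to `name` expands to, following nested group-object lines."""
    if name not in groups:
        raise ValueError("undefined object-group: %s" % name)
    seen = set() if _seen is None else _seen
    if name in seen:
        raise ValueError("circular group-object reference via %s" % name)
    seen.add(name)
    size = 0
    for member in groups[name]:
        if member.startswith("group-object "):
            size += group_size(groups, member.split()[1], seen)
        else:
            size += 1   # network-object / port-object / service-object: one ACE each
    seen.discard(name)
    return size


def expanded_ace_count(groups, acl_line):
    """ACE count for one access-list line: the product of all referenced group sizes."""
    factors = [group_size(groups, n) for n in GROUP_REF.findall(acl_line)]
    return math.prod(factors)   # an ACL line with no groups is exactly one ACE


def acl_expansion_report(config):
    """Map every access-list line in `config` to the number of ACEs it expands into."""
    groups = parse_object_groups(config)
    return {line.strip(): expanded_ace_count(groups, line)
            for line in config.splitlines() if line.startswith("access-list ")}


if __name__ == "__main__":
    for line, count in acl_expansion_report(SAMPLE_CONFIG).items():
        print("%5d ACEs <- %s" % (count, line))
```

Running it against a full saved config gives the same totals you would later see from `show access-list` on the firewall, so the effect of splitting or summarising a group can be checked before it is deployed.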
11-19-2012 12:16 PM
With the ASA devices there is no hard limit on the number of acl entries you can have (unlike the FWSM). It depends entirely on the amount of RAM you have. See this link for details per device -
http://www.scribd.com/doc/73309742/14/Maximum-ACL-Limits
Jon
11-19-2012 02:17 PM
That link is handy, pretty good presentation deck.
Since those slides (and your post) state the ACE limit is memory dependent, and the 5515-X isn't on the list while the 5520 has 2GB in its default config, does it follow that the 4GB-usable* 5515-X is capable of somewhere in the order of twice the ACE entries of the 5520?
*I say 4GB, because even though it ships with 8GB, 4GB is accessible.
11-19-2012 02:20 PM
Also, are there drawbacks to 'object-group-search access-control'? It appears similar in concept to the compiled ACL's of yesteryear.