03-27-2018 07:58 PM - edited 02-21-2020 07:34 AM
I have been told to block all IPs outside of the United States to a particular server on the inside interface. My plan is to make an allow ACL for an object-group that contains the network-objects for ALL of the subnets currently registered to the U.S.
My concern is this is over 65,000 entries and the effects such a large object-group will have on performance. Is my concern legitimate or will the ASA be fine?
After adding 65,000+ (I was incorrect in the title) network objects and putting them in a Network Object Group, the used memory only went up a few Meg. I also made a Network Object Group of the 8 Server's IPs. I then made one Access Rule with the Source as the 65K NG and the Destination as the Server NG and Used Memory shot over 900M. I disabled the Access Rule and Used Memory fell to 425M.
I'm already maxed at 1G of Memory. Anybody have a trick to help?
Thank you for your time,
/shep
03-29-2018 05:42 AM
You can reduce the memory required to search access rules by enabling object group search, but this is at the expense of rule lookup performance and increased CPU utilization. When enabled, object group search does not expand network objects, but instead searches access rules for matches based on those group definitions. You can set this option using the object-group-search access-control command.
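As an added illustration (not part of the thread, and not configuration anyone in it posted), here is the shape of the ACL being discussed with tiny placeholder groups so the expansion arithmetic is easy to follow, followed by the object-group-search change from the accepted answer and the commands used to verify its effect. Group names, the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation prefixes, and the interface name are assumptions for illustration only.

```cisco
! Added example, not from the original thread. Names and prefixes are placeholders.
! Two sources stand in for the ~65K US-registered prefixes.
object-group network US_NETS
 description Placeholder for the US-registered prefixes
 network-object 198.51.100.0 255.255.255.0
 network-object 203.0.113.0 255.255.255.0
!
object-group network TARGET_SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
!
object-group service TARGET_SVCS tcp
 port-object eq 443
 port-object eq 22
!
! With object-group search disabled (the default) the ASA expands this one ACE
! into 2 sources x 2 destinations x 2 services = 8 elements, plus the group
! line itself. Scaled up, 65,000 sources x 8 hosts x 1 service is 520,000 elements.
access-list outside_access_in extended permit tcp object-group US_NETS object-group TARGET_SERVERS object-group TARGET_SVCS
access-group outside_access_in in interface outside
!
! Record the expanded element count and memory before the change.
show access-list outside_access_in | include elements
show memory
!
! Stop expanding groups at the cost of lookup CPU, then re-check both figures.
object-group-search access-control
show access-list outside_access_in | include elements
show memory
```

The two `show` pairs bracket the change so the before/after element count and used memory can be compared directly; if the CPU cost of object-group search turns out to be unacceptable, `no object-group-search access-control` returns the ASA to expanded ACEs.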
03-28-2018 01:42 AM
As far as I know an ACE entry needs 172 bytes, so for 1GB of RAM you should be able to configure 500K ACEs without performance degradation. That number can vary depending on the rest of the configuration and processes the box is running.
HTH
Bogdan
03-28-2018 05:54 AM
Bogdan,
I am reasonably confident in the hardware handling the list, but my concern is that using 65,000 network-objects in an allow ACL would crush new inbound sessions trying to connect to that server, even if I moved that server's ACLs to the bottom of the list (there are 8 IPs on this server with various services allowed).
Are my concerns unwarranted? What kind of lag should I expect from object-group ACL of this size?
03-28-2018 07:27 AM
So let's say the rules added will occupy 100MB.
An 800MHz DDR RAM should have a 25.6 GB per second speed, which means it should be able to read 100MB in approx 0.004s.
Another thing I wanted to mention is that the ASA stores the extended access-list in RAM (it can be viewed with show access-list).
If you combine source object-groups, destination object-groups and service object-groups, each one with 2 entries, you will actually have 2x2x2+1 = 9 lines.
03-28-2018 11:38 PM
As mentioned previously, the ASA keeps the expanded version in memory.
If I understand correctly, you added 8x65k = 520k lines.
To get the number of entries use: show access-list | i elements
03-29-2018 04:55 AM
Oh hell yes it does keep them in memory. I've cut my Access Rule to two servers and three services and still have 386K elements. Is there any way to get these on the CF card?
show access-list | i elements
access-list 100; 8 elements; name hash: 0x
access-list dmzin; 77 elements; name hash: 0x
access-list outside_access_in; 385731 elements; name hash: 0x
access-list inside_access_in; 9 elements; name hash: 0x
03-29-2018 06:10 AM
Bogdan back with the answer AGAIN. Superstar Status Achieved. Thanks man. I read RIGHT OVER this the first time. Missed the forest for the trees.
03-29-2018 06:29 AM
Thanks @cscheper1.
Glad I could help !
03-28-2018 05:26 AM
Have you looked into Geoblocking using firepower?
03-28-2018 05:57 AM
Of course. However, that is a weeks long project. I'm being pressured to do this NOW.