
Adding 65,000+ Lines to ASA5510's config

cscheper1
Level 1

I have been told to block all IPs outside of the United States to a particular server on the inside interface.  My plan is to make an allow ACL for an object-group that contains the network objects for ALL of the subnets currently registered to the U.S.

 

My concern is this is over 65,000 entries and the effects such a large object-group will have on performance.  Is my concern legitimate or will the ASA be fine?

After adding 65,000+ (I was incorrect in the title) network objects and putting them in a Network Object Group, the used memory only went up a few Meg. I also made a Network Object Group of the 8 Server's IPs.   I then made one Access Rule with the Source as the 65K NG and the Destination as the Server NG and Used Memory shot over 900M.  I disabled the Access Rule and Used Memory fell to 425M.

 

I'm already maxed at 1G of Memory.  Anybody have a trick to help?

 

Thank you for your time,

/shep


Bogdan Nita
VIP Alumni

As far as I know an ACE entry needs 172 bytes, so for 1GB of RAM you should be able to configure 500K ACEs without performance degradation. That number can vary depending on the rest of the configuration and the processes the box is running.

 

HTH

Bogdan

 

Bogdan, 

I am reasonably confident in the hardware handling the list, but my concern is that using 65,000 network-objects in an allow ACL would crush new inbound sessions trying to connect to that server.  Even if I moved that server's ACLs to the bottom of the list (there are 8 IPs on this server with various services allowed).

 

Are my concerns unwarranted?  What kind of lag should I expect from object-group ACL of this size?

So let's say the rules added will occupy 100MB.
An 800MHz DDR RAM should have a 25.6 GB per second speed, which means it should be able to read 100MB in approx 0.004s

Another thing I wanted to mention is that the ASA stores the extended access-list in RAM (it can be viewed with show access-list).
If you combine source object-groups, destination object-groups and service object-groups, each one with 2 entries, you will actually have 2x2x2+1 = 9 lines.

As mentioned previously, the ASA keeps the expanded version in memory.

If I understand correctly you added 8x65k=520k lines.

To get the number of entries use: show access-list | i elements

Oh hell yes it does keep them in memory.  I've cut my Access Rule to two servers and three services and still have 386K elements.  Is there any way to get these on the CF card?

 

show access-list | i elements
access-list 100; 8 elements; name hash: 0x
access-list dmzin; 77 elements; name hash: 0x
access-list outside_access_in; 385731 elements; name hash: 0x
access-list inside_access_in; 9 elements; name hash: 0x
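As an added example that is not part of this thread, the following Python script models the ACE expansion Bogdan described (one rule becomes the cross product of its source, destination and service group members) and parses the "show access-list | i elements" output posted above. The 172 bytes per ACE figure is the one quoted earlier in the thread and is used here as an assumption, not a vendor specification; the rule sizes are constructed from the numbers in the thread, and treating object-group search as "one element per rule" is a simplification of the "not expanded" behaviour the Cisco documentation describes.

```python
"""Estimate ASA access-list expansion and memory, and parse
'show access-list | include elements' output.

Added example for this thread; BYTES_PER_ACE is the figure quoted in the
thread (an assumption), not a vendor specification.
"""
import re
from dataclasses import dataclass

BYTES_PER_ACE = 172  # per-ACE figure quoted in the thread (assumption)


@dataclass
class Rule:
    """One access rule written with object-groups.

    Each count is the number of members in that object-group
    (use 1 for a single host, 'any', or a single port).
    """
    name: str
    src_members: int
    dst_members: int
    svc_members: int

    def expanded_elements(self) -> int:
        # Without object-group search the ASA expands a rule into
        # every source x destination x service combination.
        return self.src_members * self.dst_members * self.svc_members


def acl_elements(rules, object_group_search=False) -> int:
    """Total elements an ACL will occupy in RAM.

    With object-group-search enabled groups are not expanded, so this
    counts one element per rule (a modelling simplification).
    """
    if object_group_search:
        return len(rules)
    return sum(r.expanded_elements() for r in rules)


def estimated_bytes(elements: int) -> int:
    """Rough lower-bound memory estimate at BYTES_PER_ACE per element."""
    return elements * BYTES_PER_ACE


# Matches lines such as:
#   access-list outside_access_in; 385731 elements; name hash: 0x1234abcd
ELEMENTS_RE = re.compile(
    r"^access-list ([^;\s]+); (\d+) elements; name hash: (0x[0-9a-fA-F]*)"
)


def parse_show_access_list(text: str) -> dict:
    """Return {acl_name: element_count} from 'show access-list' output."""
    counts = {}
    for line in text.splitlines():
        m = ELEMENTS_RE.match(line.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def largest_acl(counts: dict):
    """Return (name, elements) of the ACL with the most elements."""
    return max(counts.items(), key=lambda kv: kv[1])


# Sample output copied from the thread above (name hashes are truncated there).
SAMPLE_OUTPUT = """\
access-list 100; 8 elements; name hash: 0x
access-list dmzin; 77 elements; name hash: 0x
access-list outside_access_in; 385731 elements; name hash: 0x
access-list inside_access_in; 9 elements; name hash: 0x
"""

# Constructed from the thread: 65,000 US networks x 8 server IPs x 1 service.
ORIGINAL_RULE = Rule("us_to_servers", src_members=65000, dst_members=8, svc_members=1)

if __name__ == "__main__":
    expanded = acl_elements([ORIGINAL_RULE])
    print(f"expanded elements: {expanded}")                       # 520000
    print(f"estimated bytes  : {estimated_bytes(expanded)}")      # 89440000
    print(f"with object-group-search: {acl_elements([ORIGINAL_RULE], True)} element(s)")
    counts = parse_show_access_list(SAMPLE_OUTPUT)
    name, n = largest_acl(counts)
    print(f"largest ACL in sample output: {name} ({n} elements)")
```

The 172-byte estimate gives roughly 85 MiB for the 520K expanded elements, well below the ~475M jump the original poster observed when the rule was enabled, so treat the constant as a lower bound and confirm on the box with "show access-list | i elements" and "show memory" rather than relying on the arithmetic alone.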

You can reduce the memory required to search access rules by enabling object group search, but this is at the expense of rule lookup performance and increased CPU utilization. When enabled, object group search does not expand network objects, but instead searches access rules for matches based on those group definitions. You can set this option using the object-group-search access-control command.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/access-rules.html

Bogdan back with the answer AGAIN.  Superstar Status Achieved.  Thanks man.  I read RIGHT OVER this the first time.  Missed the forest for the trees.

Thanks @cscheper1.

Glad I could help!

Dennis Mink
VIP Alumni

Have you looked into Geoblocking using firepower?

Please remember to rate useful posts, by clicking on the stars below.

Of course.  However, that is a weeks long project.  I'm being pressured to do this NOW.
