ASDM multiple network objects vs group for rules

Tony Kan · ‎11-29-2011

I was just curious if there are any performance benefits of using multiple network objects on multiple rules vs consolidating them into fewer rules by grouping them?

For example, I have about 10 lines of NAT exempt rules from the same source to multiple destinations. Is there anything to be gained if I consolidated those into a single rule using an object group for the multiple destinations aside from cleaning up the clutter in ASDM?

Thanks

Julio Carvajal · ‎11-29-2011

Hello Tony,

Of course, it will be better because the processing that the ASA is going to use to determine witch rule to match would be decremented, also it would take less space on the configuration file (memory). those are some of the pros regarding creating groups for particular rules.

Sometimes a huge configuration file can increment the CPU usage,etc,etc. so it is better to keep it as small and organized as possible.

Please rate helpful posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ajay chauhan · ‎11-29-2011

Well using object group is easy for sure no performance benifit but easy to manage things also less configuration is required . Consider it like if you need to same ACL -

Source is A

Destination B C D

Total 4 ACL right instead of doing that you can create two object groups Object A and B and you can add networks over there . When you will look at actual lines added would be 4.

so nothing but it makes job easy.

Thanks

Ajay