Cisco ASA ACL test pack for performance testing

Hello,

I am trying to measure the performances of my ASA using a traffic generator (IXIA chassis) and in order to get "real-life" values (latency, throughput, etc), I need my firewall to be configured properly. I have then two questions:

- Where can I get or generate an ACL "test pack"? I mean a *lot* of real (extended or not) ACLs so that the firewall will have to compute a lot (!).

- Is the firewall really going through each ACL one by one by order? I mean, if I put my ACL authorizing my testing traffic at the end of the ACLs list, will the ASA go through each ACL until the end, or is it more "intelligent" than that? i.e. does the number of ACLs and the order of them have an influence on the performances of the firewall?

Thanks!

4 Replies

Collin Clark
VIP Alumni

I don't know of any ACL packs. Some of mine are close to a hundred and use object groups, so if they were line by line they would be more. Are you talking hundreds or thousands? With an advanced text editor you could create a couple hundred ACL entries rather quickly.

The firewall will read the ACLs from top to bottom. If a match is found (permit or deny) the firewall then stops processing the ACL for that packet.
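The two points in this reply (generating a large ACE list, and what top-to-bottom first-match evaluation means for where the matching entry sits) can be shown together in a small script. This is an added example, not code from the thread or from Cisco; the ACL name, the address ranges and the 80/20 permit/deny mix are constructed values. It models only the first-match semantics described above as a linear walk, not the lookup structure the appliance itself compiles the list into, so the "entries examined" figure is an upper bound on rule comparisons, not a latency measurement.

```python
import ipaddress
import random

# Rule tuple layout used throughout: (proto, src_network, dst_network, port, action)

def generate_ace_pack(count, seed=1):
    """Synthesize `count` deterministic, constructed extended-ACL rules.
    Sources are random 10.x.y.0/24 networks, destinations random 192.168.z.w hosts,
    so a probe from outside 10.0.0.0/8 can never accidentally match one of them."""
    rng = random.Random(seed)
    rules = []
    for _ in range(count):
        src = ipaddress.ip_network(f"10.{rng.randrange(256)}.{rng.randrange(256)}.0/24")
        dst = ipaddress.ip_network(f"192.168.{rng.randrange(256)}.{rng.randrange(1, 255)}/32")
        port = rng.choice([22, 25, 53, 80, 443, 8080])
        action = "permit" if rng.random() < 0.8 else "deny"
        rules.append(("tcp", src, dst, port, action))
    return rules

def render(name, rules):
    """Render rules in ASA 'access-list NAME extended ...' syntax (one line per ACE)."""
    lines = []
    for proto, src, dst, port, action in rules:
        src_txt = f"{src.network_address} {src.netmask}"
        if dst.prefixlen == 32:
            dst_txt = f"host {dst.network_address}"
        else:
            dst_txt = f"{dst.network_address} {dst.netmask}"
        lines.append(f"access-list {name} extended {action} {proto} {src_txt} {dst_txt} eq {port}")
    return lines

def first_match(rules, pkt):
    """Walk the list top to bottom and stop at the first matching ACE.
    Returns (action, entries_examined); an unmatched packet hits the implicit deny
    after every entry has been compared."""
    proto, src_ip, dst_ip, port = pkt
    for idx, (r_proto, r_src, r_dst, r_port, action) in enumerate(rules, start=1):
        if r_proto == proto and src_ip in r_src and dst_ip in r_dst and port == r_port:
            return action, idx
    return "deny", len(rules)

def compare_positions(count=5000):
    """Same base list, same test packet: matching ACE at the top versus at the bottom."""
    base = generate_ace_pack(count)
    test_rule = ("tcp", ipaddress.ip_network("172.16.5.0/24"),
                 ipaddress.ip_network("192.168.200.10/32"), 443, "permit")
    pkt = ("tcp", ipaddress.ip_address("172.16.5.7"),
           ipaddress.ip_address("192.168.200.10"), 443)
    return first_match([test_rule] + base, pkt), first_match(base + [test_rule], pkt)

if __name__ == "__main__":
    # Write a 5000-entry test pack in pasteable form, then show the position effect.
    with open("ace_pack.txt", "w") as fh:
        fh.write("\n".join(render("outside_in", generate_ace_pack(5000))) + "\n")
    print(compare_positions())   # (('permit', 1), ('permit', 5001))
```

With the test ACE first, one comparison decides the packet; with it last, every one of the 5000 constructed entries is compared before it, which is the effect the original question was asking about. The rendered file can be pasted into a lab configuration to populate a list of whatever size you want to measure against.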

Thanks for your feedback.

I am really talking about thousands of ACLs, yes. I guess I could use my Cisco Security Manager and see what I can do... Or Excel?

Ok so if the ACLs are processed in a "predictable" way (top to bottom), then I suppose the position of the matching ACL will impact the performances of the firewall.

By the way, do you know the max number of access entries model by model (5520, 5540, etc)?

Thanks again,

Florent

You bet the order is important! Depending on the location & purpose of the firewall, you'll want to put common protocols at the top. ACLs are limited by memory, not by platform. I have not been able to find a command that shows ACL utilization or an estimated memory allocation, but I'll keep looking. I also found this:

Troubleshoot

Problem

One of these error messages appears:

error message: "ERROR: Unable to add, access-list config limit reached"

error message: "ERROR: Unable to add, fixup config limit reached occurred"

Resolution

This error message indicates that the security appliance is close to the limit on the ACL for this context.

Refer to Specifications for information about how the FWSM allocates its resources.

The mapping between the rules and the memory allocation is not a one to one mapping. It actually depends on the rule, and how it is programmed in hardware. There are two options available in order to maximize the use of your ACE memory:

Simplify ACE Entries

These recommended practices allow you to summarize and simplify your ACE entries:

  • Use contiguous host addresses whenever possible. Aggregate host statements in ACEs/object-groups into networks.
  • Use 'any' instead of networks, and use networks instead of hosts when possible.
  • Try to simplify object-groups. This can potentially save hundreds of ACEs when the ACLs are expanded.
  • Group together individual port statements into a range, for example.
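The practices in the quoted list can be checked numerically before touching a configuration. This is an added example, not part of the Cisco document quoted above or of this thread; the host lists and port lists are constructed, and the element count uses the expanded form (one element per combination of source, destination and port) as the model for how much ACE memory a rule with object-groups consumes.

```python
import ipaddress

def summarize_hosts(hosts):
    """Collapse individual host addresses into the fewest networks that cover exactly
    those hosts and nothing else (the 'aggregate hosts into networks' practice).
    Contiguous, aligned ranges collapse to a single prefix; misaligned ones collapse
    only partially, which is the first thing to look at when a summary stays long."""
    nets = [ipaddress.ip_network(h) for h in hosts]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def port_ranges(ports):
    """Merge individual ports into contiguous (low, high) ranges, one per 'range' keyword."""
    ports = sorted(set(ports))
    ranges = []
    start = prev = ports[0]
    for p in ports[1:]:
        if p == prev + 1:
            prev = p
        else:
            ranges.append((start, prev))
            start = prev = p
    ranges.append((start, prev))
    return ranges

def expanded_elements(src_entries, dst_entries, svc_entries):
    """Number of elements an ACE expands to when each object-group is enumerated."""
    return len(src_entries) * len(dst_entries) * len(svc_entries)

def compare():
    """Constructed rule: 16 contiguous source hosts, 8 contiguous destination hosts,
    six individual ports. Returns (elements before, elements after summarizing)."""
    src_hosts = [f"10.1.2.{i}" for i in range(16)]        # 10.1.2.0 .. 10.1.2.15
    dst_hosts = [f"192.168.10.{i}" for i in range(8)]     # 192.168.10.0 .. .7
    ports = [80, 81, 82, 443, 8080, 8081]
    before = expanded_elements(src_hosts, dst_hosts, ports)
    after = expanded_elements(summarize_hosts(src_hosts),
                              summarize_hosts(dst_hosts),
                              port_ranges(ports))
    return before, after

if __name__ == "__main__":
    print(summarize_hosts([f"10.1.2.{i}" for i in range(16)]))      # ['10.1.2.0/28']
    print(summarize_hosts([f"10.0.0.{i}" for i in range(1, 9)]))    # misaligned: 4 prefixes
    print(port_ranges([80, 81, 82, 443, 8080, 8081]))               # [(80, 82), (443, 443), (8080, 8081)]
    print(compare())                                                 # (768, 3)
```

The constructed rule expands to 768 elements as written and to 3 once the hosts are summarized into a /28 and a /29 and the ports into three ranges. The misaligned case (hosts .1 through .8) shows why the quoted advice says "contiguous": the same count of hosts that does not sit on a prefix boundary still needs four entries.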

Ok thanks!
