
FWSM ACE limitation reached

Colin Higgins
Level 2

I have a FWSM card running IOS ver 3 code that has reached its ACE limitation. I cannot add any new statements.

So I have some questions regarding this:

1. Does the FWSM count each object defined in a network object group as an individual ACE?

2. Does the FWSM count objects that are within the configuration but not used in ACLs against the ACE count? In other words, if I have a network object group with 300 objects in it, but it isn't being referenced by an ACL, is this being looked at by the FWSM as an ACE?

3. Will replacing an ACE that uses an object group with 250 hosts in it with an ACE that permits (or denies) a subnet with those hosts inside it reduce the ACE aggregate?


Jon Marshall
Hall of Fame

Colin

As memory serves -

1) the FWSM will expand any line in an ACL using an object-group into its individual entries and each will be an ACE, so an object-group with 20 entries will amount to 20 ACEs

2) if the object-group is not referenced in an ACL then it will not be counted. Only entries in an ACL are counted as ACEs

3) yes it would reduce it from 250 ACEs to one if you are only using one subnet entry

Jon

Do ACL remarks count against the ACE limit?

Colin

As far as I know remarks are not counted as ACEs as traffic is not checked against them. I can't find anything definitive in the docs either way though.

Jon
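To make the accounting in Jon's two answers concrete, here is a small Python script (added for this thread; it is not code from the thread or from Cisco) that expands an FWSM-style ACL the way the answers describe: every object-group entry referenced by an ACE becomes one compiled ACE, nested group-objects are flattened, remarks and object-groups no ACL references cost nothing, and replacing a group with one summary subnet collapses it to a single ACE. It goes one step beyond the thread, and this is an assumption: a line with object-groups on both the source and the destination is counted as the product of the two groups' entry counts, which is how ASA/FWSM element counts grow. The config, the group names and the ACL name are constructed for the demo.

```python
"""Estimate how many ACEs an FWSM compiles from ACLs that reference network
object-groups. Added illustration for this thread, not Cisco code: each
referenced object-group entry is one ACE, remarks and unreferenced groups
cost nothing, a summary subnet replaces a whole group with one ACE."""
import re
from collections import defaultdict

# Constructed sample config for the demo, not a real device's running-config.
SAMPLE_CONFIG = """\
object-group network WEB_SERVERS
 network-object host 10.1.1.10
 network-object host 10.1.1.11
 network-object host 10.1.1.12
object-group network DB_SERVERS
 network-object host 10.1.2.20
 network-object host 10.1.2.21
object-group network ALL_SERVERS
 group-object WEB_SERVERS
 group-object DB_SERVERS
object-group network UNUSED_GROUP
 network-object 192.168.0.0 255.255.0.0
 network-object host 192.168.5.5
access-list OUTSIDE_IN remark --- inbound web and db traffic ---
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS eq 443
access-list OUTSIDE_IN extended permit tcp object-group WEB_SERVERS object-group DB_SERVERS eq 1433
access-list OUTSIDE_IN extended permit ip any object-group ALL_SERVERS
access-list OUTSIDE_IN extended deny ip any any
"""

# One source/destination endpoint of an ACE: a group reference, a host, any,
# or a "network mask" pair. Only the group form captures a name.
ENDPOINT_RE = re.compile(
    r"object-group (\S+)|\bhost \S+|\bany\b|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+"
)

def parse_groups(config):
    """Map each network object-group to its members: ('net', text) leaves
    and ('group', name) references to nested groups."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current and line.startswith(" network-object "):
            groups[current].append(("net", line.split(None, 1)[1]))
        elif current and line.startswith(" group-object "):
            groups[current].append(("group", line.split()[1]))
        else:
            current = None  # left the object-group stanza
    return groups

def leaf_count(groups, name, seen=()):
    """Leaf network-object entries in a group, flattening nested
    group-objects; each leaf becomes one compiled ACE when referenced."""
    if name in seen:
        raise ValueError(f"group-object loop through {name}")
    return sum(
        leaf_count(groups, value, seen + (name,)) if kind == "group" else 1
        for kind, value in groups[name]
    )

def expanded_aces(ace, groups):
    """ACEs compiled from one access-list line. Remarks compile to nothing.
    Assumption beyond the thread: with object-groups on both source and
    destination the count is the product of the two entry counts."""
    if re.match(r"access-list \S+ remark\b", ace):
        return 0
    counts = [leaf_count(groups, m.group(1)) if m.group(1) else 1
              for m in ENDPOINT_RE.finditer(ace)]
    if len(counts) < 2:
        raise ValueError(f"no source/destination pair found in: {ace}")
    return counts[0] * counts[1]

def _count(config, groups):
    totals = defaultdict(int)
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) ", line)
        if m:
            totals[m.group(1)] += expanded_aces(line, groups)
    return dict(totals)

def count_acl_aces(config):
    """{acl_name: compiled ACE count}. Groups no ACL references (UNUSED_GROUP
    in the sample) add nothing, matching answer 2 in the thread."""
    return _count(config, parse_groups(config))

def aces_if_summarized(config, group_name):
    """Recount as if group_name were replaced by one summary subnet (answer 3
    in the thread): every side that referenced it now counts as one entry."""
    groups = parse_groups(config)
    groups[group_name] = [("net", "summary subnet")]  # hypothetical single entry
    return _count(config, groups)

if __name__ == "__main__":
    print("as configured:", count_acl_aces(SAMPLE_CONFIG))
    print("WEB_SERVERS summarized:", aces_if_summarized(SAMPLE_CONFIG, "WEB_SERVERS"))
```

On the sample, the ACL compiles to 15 ACEs (0 for the remark, 3, 6, 5 and 1 for the four real lines) and drops to 7 once WEB_SERVERS is summarized to one subnet, which is the reduction Colin's question 3 is after. As a sanity check against a real box, compare the script's figure for each ACL with the element count the firewall prints in `show access-list`; if they diverge, the difference is almost always a service object-group or port range on the line, which this estimator does not multiply in.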
