Hope someone can share any experiences they have with ACL changes on FWSM and what impact that has on the traffic going though the FWSM.
Scenario I am facing at the moment, let me build the picture using examples;
100,101,102,103,200,201,202 - All going through the CSM then FWSM with 50k ACL count.
100,101,102,103 and 200 stay the same, CSM and FWSM path.
201 and 203 - bypass CSM.
While 201 and 203 are being removed, we will offcourse expect an outage on those VLANS until the bypass is complete.
for the other VLANs, what impact will they see when this is taking place? we need to commit access-list, while this is taking place Cisco state that
"Large ACLs of approximately 60K ACEs can take 3 to 4 minutes to commit, depending on the size"
We have 50k of rules, while this recalculation is taking place, what is the impact on the traffic from on the VLANs we are not touching? I have conflicting reports from our firewall guys who say because the firewall will be busy recompling the rules, there will brief disruptions in all traffic passing the FWSM.
Any one here who has experience with making large changes to the ACL and if so what was the impact on the network? we have 100s of production servers in this network and it would be good to get some idea of what might happen while the firewall is busy.
Any input appreciated.
Have you enabled ACL optimization. If not, have a look at this and enable it
-Pls rate if post was useful-
Thanks for the reply.
We are already using that feature to reduce the ammout of rules in the ACL, my question is mainly around what happens to the traffic in scenario where the firewall is very busy commiting rules, does it drop packets or anything like that?
for example, what will it look like to a server that is connecting through the busy fwsm?