Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1394
Views
0
Helpful
4
Replies

FWSM ACL Commit - Outage?

xusenator
Level 1
Level 1

‎08-15-2012 01:58 PM - edited ‎03-11-2019 04:42 PM

Hello Folks,

Hope someone can share any experiences they have with ACL changes on FWSM and what impact that has on the traffic going though the FWSM.

Scenario I am facing at the moment, let me build the picture using examples;

----

Current Setup

VLANs

100,101,102,103,200,201,202 - All going through the CSM then FWSM with 50k ACL count.

----

New Setup

VLANs

100,101,102,103 and 200 stay the same, CSM and FWSM path.

201 and 203 - bypass CSM.

----

While 201 and 203 are being removed, we will offcourse expect an outage on those VLANS until the bypass is complete.

for the other VLANs, what impact will they see when this is taking place? we need to commit access-list, while this is taking place Cisco state that

"Large ACLs of approximately 60K ACEs can take 3 to 4 minutes to commit, depending on the size"

We have 50k of rules, while this recalculation is taking place, what is the impact on the traffic from on the VLANs we are not touching? I have conflicting reports from our firewall guys who say because the firewall will be busy recompling the rules, there will brief disruptions in all traffic passing the FWSM.

Any one here who has experience with making large changes to the ACL and if so what was the impact on the network? we have 100s of production servers in this network and it would be good to get some idea of what might happen while the firewall is busy.

Any input appreciated.

Thanks

Labels:
0 Helpful
4 Replies 4

zujalal
Cisco Employee
Cisco Employee

‎08-15-2012 04:29 PM

Hi.

Have you enabled ACL optimization. If not, have a look at this and enable it

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/traffc_f.html#wp1068726

Thanks

Zubair

-Pls rate if post was useful-

0 Helpful

xusenator
Level 1
Level 1
In response to zujalal

‎08-15-2012 05:26 PM

Hi zujalal,

Thanks for the reply.

We are already using that feature to reduce the ammout of rules in the ACL, my question is mainly around what happens to the traffic in scenario where the firewall is very busy commiting rules, does it drop packets or anything like that?

for example, what will it look like to a server that is connecting through the busy fwsm?

Regards

0 Helpful

zujalal
Cisco Employee
Cisco Employee
In response to xusenator

‎08-15-2012 06:24 PM

Are you using manual commit or auto-commit.

0 Helpful

xusenator
Level 1
Level 1
In response to zujalal

‎08-16-2012 12:32 AM

Manual commit is what we will be using given the ammount of changes we need to do.

0 Helpful
Review Cisco Networking for a $25 gift card
Top