Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
666
Views
0
Helpful
1
Replies

FWSM 'acl-partition' x 'np blocks increment'

Fernando Patzlaff
Level 1
Level 1

‎07-12-2011 01:27 PM - edited ‎03-11-2019 01:58 PM

Hi everyone!

I've two fwsm working in active/standby mode. I work with 5 contexts and I've 12 acl-partitions like these:

FWSM/act/8/pri# sh resource acl-partition

Total number of configured partitions = 12

Partition #0

    Mode            : non-exclusive

    List of Contexts     : fw01

    Number of contexts     : 1(RefCount:1)

    Number of rules     : 27(Max:19219)

Partition #1

    Mode            : non-exclusive

    List of Contexts     : fw02

    Number of contexts     : 1(RefCount:1)

    Number of rules     : 1530(Max:19219)

Partition #2

    Mode            : non-exclusive

    List of Contexts     : fw03

    Number of contexts     : 1(RefCount:1)

    Number of rules     : 51(Max:19219)

Partition #3

    Mode            : non-exclusive

    List of Contexts     : fw04

    Number of contexts     : 1(RefCount:1)

    Number of rules     : 224(Max:19219)

Partition #4

    Mode            : non-exclusive

    List of Contexts     : fw05

    Number of contexts     : 1(RefCount:1)

    Number of rules     : 1547(Max:19219)

Partition #5

    Mode            : non-exclusive

    List of Contexts     : none

    Number of contexts     : 0(RefCount:0)

    Number of rules     : 0(Max:19219)

Partition #6 

    Mode            : non-exclusive

    List of Contexts     : none

    Number of contexts     : 0(RefCount:0)

    Number of rules     : 0(Max:19219)

Partition #7

    Mode            : non-exclusive

    List of Contexts     : none

    Number of contexts     : 0(RefCount:0)

    Number of rules     : 0(Max:19219)

Partition #8

    Mode            : non-exclusive

    List of Contexts     : none

    Number of contexts     : 0(RefCount:0)

    Number of rules     : 0(Max:19219)

Partition #9

    Mode            : non-exclusive

    List of Contexts     : none

    Number of contexts     : 0(RefCount:0)

    Number of rules     : 0(Max:19219)

Partition #10

    Mode            : non-exclusive

    List of Contexts     : none

    Number of contexts     : 0(RefCount:0)

    Number of rules     : 0(Max:19219)

Partition #11

    Mode            : non-exclusive

    List of Contexts     : none

    Number of contexts     : 0(RefCount:0)

    Number of rules     : 0(Max:19219)

I've many increments on thresholds of np blocks daily like showed below:

FWSM/act/8/pri# sh np blocks

                 MAX   FREE   THRESH_0   THRESH_1   THRESH_2

NP1 (ingress)  32768  32704      91710   11529727  510646295

    (egress)  521206 521203          0          0          0

NP2 (ingress)  32768  32736      68720   10722600  330007417

    (egress)  521206 521206          0          0          0

NP3 (ingress)  32768  32768     114421    5635058   11278584

    (egress)  521206 520761          0          0          0

I've about 1.5 Gbps of traffic incoming and outgoing in all interfaces of firewall and about 200k connections per second.

I want to know if I reduce ACL-Partitions from 12 to 5 or to 1 can I stop these threshold be reached?

Labels:
0 Helpful
1 Reply 1

Nicolas Fournier
Cisco Employee
Cisco Employee

‎07-14-2011 02:09 PM

Hi,

Reducing the number of partitions will only give you more maximum ACL entries per context, lowering those won't help.

The only thing you can do is reduce the amount of traffic sent to the blade as these thresholds counter only increase once the blade is oversubscribed.

Regards,

Nicolas

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card