FWSM acl rules question

albert_coll
Level 1

Hello FWSM experts,

An FWSM V4.1 blade is operating with 15 IP interfaces, each one with its own specific access list.

The security managers say that maintaining a single ACL instead of 15 would represent a significant improvement. For that reason they suggest:

1) Merging the rules of every specific ACL into a single one. By my calculations, the merged ACL would be about 90,000 rules in size (close to the limit of 100,000).

2) Applying the resulting merged ACL to every interface (even though each interface would therefore use no more than 10% of the ACL rules).

I am unsure whether this approach is a good design principle in terms of both architecture and resource consumption, so I would really appreciate any advice before carrying on.

Kind regards.

Albert.


Jon Marshall
Hall of Fame

Albert

I disagree with your Security Managers

The issue is that an ACL is processed line by line until a match is found or it gets to the end of the ACL. Unless, when you merge the ACLs, you order the lines differently for each interface, it makes no sense.

In addition, searching a 90,000-line ACL for a line is a lot harder than searching a smaller ACL per interface. Imagine a new person looking at the ACL and trying to work out why well over half the lines have nothing to do with that particular interface.

Personally I wouldn't do it.

Jon
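An added example, not part of the thread and not FWSM code: a small Python model of the line-by-line, first-match evaluation Jon describes, run over a constructed three-interface config written in ASA/FWSM-style "extended" ACL syntax (netmasks, not wildcards). The ACL names, addresses and packets are made up for illustration. It shows three things about applying one merged ACL to every interface: a naive concatenation breaks the policy because each per-interface ACL's explicit "deny ip any any" short-circuits everything behind it; even after those lines are dropped, a packet on the last interface walks every entry that belongs to the other interfaces before it matches; and the merged ACL loses the implicit interface scoping, so a source address that one interface's ACL permits is now permitted on every interface.

```python
"""First-match ACL evaluation: per-interface ACLs vs one merged ACL.

Added example, not from the original thread. It models the logical
first-match semantics only; how the FWSM hardware performs the lookup is
not something this model claims to reproduce. All config and packets below
are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed config: three interfaces, each with its own ACL (hypothetical names).
CONFIG = """
access-list DMZ extended permit tcp 10.1.0.0 255.255.0.0 any eq 443
access-list DMZ extended permit tcp 10.1.0.0 255.255.0.0 any eq 80
access-list DMZ extended deny ip any any
access-list USERS extended permit tcp 10.2.0.0 255.255.0.0 10.9.0.0 255.255.0.0 eq 445
access-list USERS extended permit udp 10.2.0.0 255.255.0.0 10.9.0.10 255.255.255.255 eq 53
access-list USERS extended deny ip any any
access-list MGMT extended permit tcp 10.3.0.0 255.255.0.0 10.9.0.0 255.255.0.0 eq 22
access-list MGMT extended deny ip any any
"""


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port


def _net(tok: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any' or '<addr> <mask>' from the front of the token list."""
    if tok[0] == "any":
        tok.pop(0)
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, mask = tok.pop(0), tok.pop(0)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(text: str) -> Dict[str, List[Ace]]:
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines."""
    acls: Dict[str, List[Ace]] = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list" or tok[2] != "extended":
            continue
        name, action, proto, rest = tok[1], tok[3], tok[4], tok[5:]
        src = _net(rest)
        dst = _net(rest)
        dport = int(rest[1]) if rest and rest[0] == "eq" else None
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return acls


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: int) -> Tuple[str, int]:
    """First match wins. Returns (action, entries examined); implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i
    return "deny", len(acl)


def merge(acls: Dict[str, List[Ace]], order: List[str],
          drop_deny_all: bool = False) -> List[Ace]:
    """Concatenate the per-interface ACLs; optionally drop explicit 'deny ip any any'."""
    merged: List[Ace] = []
    for name in order:
        for ace in acls[name]:
            if (drop_deny_all and ace.action == "deny" and ace.proto == "ip"
                    and ace.src.prefixlen == 0 and ace.dst.prefixlen == 0):
                continue
            merged.append(ace)
    return merged


def demo() -> Dict[str, object]:
    acls = parse_acl(CONFIG)
    order = ["DMZ", "USERS", "MGMT"]
    naive = merge(acls, order)
    merged = merge(acls, order, drop_deny_all=True)
    ssh = ("tcp", "10.3.4.4", "10.9.0.20", 22)          # MGMT host to a server
    stray = ("tcp", "10.1.2.3", "10.9.0.20", 443)       # DMZ source seen on USERS
    return {
        "per_interface": evaluate(acls["MGMT"], *ssh),   # ("permit", 1)
        "naive_merge": evaluate(naive, *ssh),            # ("deny", 3): DMZ deny-all wins
        "merged": evaluate(merged, *ssh),                # ("permit", 5): walks DMZ+USERS first
        "stray_per_interface": evaluate(acls["USERS"], *stray)[0],  # "deny"
        "stray_merged": evaluate(merged, *stray)[0],                # "permit"
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} {value}")
```

The entry counts are for this eight-line toy; the pattern is what matters: in the merged ACL every packet on a given interface first passes over all the entries that belong to the other interfaces, and any entry whose source range is reachable from another interface now applies there too.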
