Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
18311
Views
5
Helpful
9
Replies

How many ASA 5520 ACL limit.

Go to solution
hr-kaneko
Level 1
Level 1

‎01-28-2011 06:00 AM - edited ‎03-11-2019 12:41 PM

Hello all,

i want to understand ASA 5520 ACL limitation as max ACEs .

in FWSM case is following link "rule limits" section.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/specs_f.pdf

but in ASA case, I cant find this information.

where is this limitation in CCO?

thanks.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to hr-kaneko

‎01-28-2011 09:38 AM

For you to have an idea....

The ACE structure occupies around 172 bytes.
The 5550 with 4G of RAM can support up to 2.74 million ACEs.

Federico.

View solution in original post

0 Helpful

Go to solution
Magnus Mortensen
Cisco Employee
Cisco Employee

‎02-24-2011 09:55 AM

Harunobo,

     I did a little further digging on your issue and specifically for the 5520 platform, with no memory upgrade (running the default 512 MB) test showed that it could run between 200k-300k ACLs without performance degredation. Once you begin to configure more that roughly 300k ACLs, the perforamnce of the firewall may be affected. Also, if the memory on the 5520 has been upgraded (upgraded to 2GB using the cisco memeory upgrade kit) the limits on ACL size increase as well.

- Magnus

View solution in original post

9 Replies 9

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎01-28-2011 07:49 AM

Hi,

There's no hard limit on the amount of ACEs that you can have.

The ASA will allow you to continue configuring ACEs until it runs out of memory (which depends on many factors).

Normally you can safely have hundreds of thousands of entries with no problems.


Federico.

0 Helpful

Go to solution
hr-kaneko
Level 1
Level 1

‎01-28-2011 08:17 AM

thank Federico for your answer,

this user has FWSM. and they use ACEs near the FWSMs limit is 11,200.

so by this experience, they focus on ASAs limit.

i understand Federico's answer, ASA has no limit if memory has free.

next, I want to know memory limit if using ACEs.

if only use ACL feature (not many VPN,routing and NAT), how many can I use ACLs.

not necessarily the exact, an approximation will do.

about 10,000? about 50,000? or about over 100,000 entries?

please tell me your experience as configured ACLs(ACEs).

regards.

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to hr-kaneko

‎01-28-2011 09:38 AM

For you to have an idea....

The ACE structure occupies around 172 bytes.
The 5550 with 4G of RAM can support up to 2.74 million ACEs.

Federico.

0 Helpful

Go to solution
hr-kaneko
Level 1
Level 1
In response to Federico Coto Fajardo

‎02-08-2011 02:49 AM

Federico

I understand your RAM calcuration.

your idea is nice, so i'll inform this calcuration to customer.

thanks, regards

0 Helpful

Go to solution
rehanp
Level 1
Level 1
In response to Federico Coto Fajardo

‎09-14-2011 07:40 AM

Doesn't this calculation mean that the RAM is only going to be used for ACL entries?

Not sure if thats a meaningful approach!

Regards,

RP

0 Helpful

Go to solution
Magnus Mortensen
Cisco Employee
Cisco Employee

‎02-24-2011 09:55 AM

Harunobo,

     I did a little further digging on your issue and specifically for the 5520 platform, with no memory upgrade (running the default 512 MB) test showed that it could run between 200k-300k ACLs without performance degredation. Once you begin to configure more that roughly 300k ACLs, the perforamnce of the firewall may be affected. Also, if the memory on the 5520 has been upgraded (upgraded to 2GB using the cisco memeory upgrade kit) the limits on ACL size increase as well.

- Magnus

Go to solution
hr-kaneko
Level 1
Level 1
In response to Magnus Mortensen

‎03-03-2011 11:38 PM

Hello Magnus,

Thank you very much for your reply and I am sorry to late reply.
Your peformance information is useful.

Thanks a lot.

0 Helpful

Go to solution
prbalajianand
Level 1
Level 1
In response to Magnus Mortensen

‎01-28-2013 08:12 PM

Hi Magnus,

This is my first post in Cisco support forums.

What is the number of Access List Entries that a Cisco FWSM module can support.

How to check the number of entries used till now ?

The memory of the module is 1024 MB RAM, Pentium 3 1000 MHz.

0 Helpful

Go to solution
rehanp
Level 1
Level 1
In response to prbalajianand

‎01-29-2013 07:20 AM

Balaji

The right way is to quantify the ACE limit and not ACL limit as a single ACL can have many entries in it.

Have a look at the link below for FWSM:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/specs_f.html#wpxref93963

Also look at the link below. Look at the Q&A for "Can you increase memory in order to store more Access Control Lists (ACLs)?". It also discusses a feature called "ACL       optimization", which was released in FWSM OS Version 4.0.

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_qanda_item09186a00801e9e26.shtml

To view the total number  of rules available, the default values, current rule allocation, and the  absolute maximum number of rules you can allocate per feature, enter  the following command: 

hostname(config)# show resource rule

Regards,

RP

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card