What is the ASA 5520 ACL limit?

hr-kaneko (Level 1)

Hello all,

I want to understand the ASA 5520 ACL limitation, i.e. the maximum number of ACEs.

In the FWSM case it is in the "rule limits" section of the following link:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/specs_f.pdf

But in the ASA case, I can't find this information.

Where is this limitation documented on CCO?

Thanks.


9 Replies

Hi,

There's no hard limit on the number of ACEs that you can have.

The ASA will allow you to continue configuring ACEs until it runs out of memory (which depends on many factors).

Normally you can safely have hundreds of thousands of entries with no problems.


Federico.

hr-kaneko (Level 1)

Thank you, Federico, for your answer.

This user has an FWSM, and they use a number of ACEs near the FWSM's limit, which is 11,200.

So, because of this experience, they are focused on the ASA's limit.

I understand Federico's answer: the ASA has no limit as long as memory is free.

Next, I want to know the memory limit when using ACEs.

If only the ACL feature is used (not much VPN, routing and NAT), how many ACLs can I use?

It does not need to be exact; an approximation will do.

About 10,000? About 50,000? Or over 100,000 entries?

Please tell me your experience with configured ACLs (ACEs).

Regards.

To give you an idea:

The ACE structure occupies around 172 bytes.
The 5550 with 4G of RAM can support up to 2.74 million ACEs.

Federico.

Federico,

I understand your RAM calculation.

Your idea is nice, so I'll pass this calculation on to the customer.

Thanks, regards.

Doesn't this calculation mean that the RAM is only going to be used for ACL entries?

Not sure if that's a meaningful approach!

Regards,

RP

Magnus Mortensen (Cisco Employee)

Harunobo,

I did a little further digging on your issue. Specifically for the 5520 platform with no memory upgrade (running the default 512 MB), testing showed that it could run between 200k-300k ACLs without performance degradation. Once you begin to configure more than roughly 300k ACLs, the performance of the firewall may be affected. Also, if the memory on the 5520 has been upgraded (to 2 GB using the Cisco memory upgrade kit), the limits on ACL size increase as well.

- Magnus

Hello Magnus,

Thank you very much for your reply, and I am sorry for the late reply.
Your performance information is useful.

Thanks a lot.

Hi Magnus,

This is my first post in the Cisco support forums.

What is the number of Access List Entries that a Cisco FWSM module can support?

How do I check the number of entries used so far?

The module has 1024 MB of RAM and a Pentium 3 at 1000 MHz.

Balaji

The right way is to quantify the ACE limit, not the ACL limit, as a single ACL can have many entries in it.

Have a look at the link below for FWSM:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/specs_f.html#wpxref93963

Also look at the link below. Look at the Q&A for "Can you increase memory in order to store more Access Control Lists (ACLs)?". It also discusses a feature called "ACL optimization", which was released in FWSM OS Version 4.0.

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_qanda_item09186a00801e9e26.shtml

To view the total number of rules available, the default values, the current rule allocation, and the absolute maximum number of rules you can allocate per feature, enter the following command:

hostname(config)# show resource rule

Regards,

RP
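The two practical points raised in this thread are that the limit is on ACEs rather than ACLs (RP's last reply) and that you have to count the entries actually consuming memory to apply Federico's per-ACE estimate. On an ASA the object-group expansion is what gets installed, so a configured line can stand for many elements. The script below is an added example, not code from the thread or from Cisco: it parses the text of an ASA `show access-list` dump, counts configured lines and expanded elements per ACL, cross-checks the count against the "N elements" header the ASA prints, and applies the 172 bytes per ACE and the roughly 300k comfort threshold quoted above as assumptions. The sample output is constructed, not captured from a device, and the line layout it assumes (indented expansion lines repeating the parent's line number) is an assumption about the format.

```python
"""Count ACEs in Cisco ASA 'show access-list' output and estimate memory use.

Added example, not from the original thread. The per-ACE size and the
soft limit are the figures quoted in the thread, used here as assumptions.
"""
import re
from collections import defaultdict

ACE_BYTES = 172        # per-ACE structure size quoted by Federico (assumption)
SOFT_LIMIT = 300_000   # 5520 / 512 MB figure quoted by Magnus (assumption)

# Constructed sample of 'show access-list' text (not a real capture).
# Line 2 of outside_in uses an object-group that expands to three elements,
# shown indented under the configured line with the same line number.
SAMPLE = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_in; 5 elements; name hash: 0x2f1c3b8a
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=120) 0x1a2b3c4d
access-list outside_in line 2 extended permit tcp object-group WEB_SRV any eq https (hitcnt=9) 0x5e6f7a8b
  access-list outside_in line 2 extended permit tcp host 192.0.2.11 any eq https (hitcnt=4) 0x11111111
  access-list outside_in line 2 extended permit tcp host 192.0.2.12 any eq https (hitcnt=5) 0x22222222
  access-list outside_in line 2 extended permit tcp host 192.0.2.13 any eq https (hitcnt=0) 0x33333333
access-list outside_in line 3 extended deny ip any any log (hitcnt=7) 0x9c8d7e6f
access-list dmz_out; 1 elements; name hash: 0x0badf00d
access-list dmz_out line 1 extended permit udp 10.1.1.0 255.255.255.0 any eq domain (hitcnt=31) 0x44444444
"""

# Per-ACL header: "access-list <name>; <N> elements; name hash: ..."
HEADER_RE = re.compile(r"^access-list (\S+); (\d+) elements;")
# ACE line: optional indent (expansion), name, line number, ACL type.
# Remark lines are not matched, so they are never counted.
ACE_RE = re.compile(
    r"^(\s*)access-list (\S+) line (\d+) (extended|standard|webtype|ethertype) ")


def parse_show_access_list(text):
    """Return {acl_name: {configured, elements, declared}}.

    configured: lines as typed in the config (one per 'line N' parent)
    elements:   entries actually installed (object-groups expanded)
    declared:   the element count the ASA itself printed in the header
    """
    acls = defaultdict(lambda: {"configured": 0, "elements": 0, "declared": None})
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            acls[m.group(1)]["declared"] = int(m.group(2))
            continue
        m = ACE_RE.match(raw)
        if not m:
            continue  # cache stats, alert-interval, remarks, blank lines
        indent, name = m.group(1), m.group(2)
        entry = acls[name]
        if indent:
            entry["elements"] += 1  # expansion of an object-group line
        else:
            entry["configured"] += 1
            if " object-group " not in raw:
                entry["elements"] += 1  # plain line: one configured = one element
    return dict(acls)


def total_elements(acls):
    return sum(a["elements"] for a in acls.values())


def estimate_ace_memory(elements, ace_bytes=ACE_BYTES):
    """Bytes consumed by ACE structures alone, per the thread's 172-byte figure."""
    return elements * ace_bytes


def capacity_estimate(ram_bytes, ace_bytes=ACE_BYTES):
    """Upper bound if *all* RAM held ACEs (RP's caveat: it never does)."""
    return ram_bytes // ace_bytes


def headroom_report(acls, soft_limit=SOFT_LIMIT):
    """Summarise installed elements against the quoted soft limit and flag
    any ACL where our count disagrees with the ASA's own header count."""
    n = total_elements(acls)
    mismatch = sorted(name for name, a in acls.items()
                      if a["declared"] is not None and a["declared"] != a["elements"])
    return {
        "elements": n,
        "mem_bytes": estimate_ace_memory(n),
        "pct_of_soft_limit": round(100.0 * n / soft_limit, 3),
        "over_soft_limit": n > soft_limit,
        "parse_mismatch": mismatch,
    }


if __name__ == "__main__":
    parsed = parse_show_access_list(SAMPLE)
    for name, a in parsed.items():
        print(f"{name}: {a['configured']} configured lines, "
              f"{a['elements']} elements (ASA says {a['declared']})")
    print(headroom_report(parsed))
```

Feed it the saved output of `show access-list` from the device; `parse_mismatch` being non-empty means the output layout differs from what the parser assumes and the element counts should not be trusted. The object-group expansion is the number to compare with the 200k-300k figure, since one configured line over a large group can account for hundreds of installed entries.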
