share ACLs on ASA

tachyon05
Level 1

Most of my interface-specific ACLs are the same, with only the last few lines being different from interface to interface. However, I still have to create a mostly duplicate ACL for each interface.

I know there is the global access rule, which is applied as an ingress rule on all interfaces. I thought about using the global access rules to permit traffic that every computer would need regardless of which interface it is connected to (e.g. DNS, AD, NTP, SMTP, RDP, etc.), and using the interface-specific rules to permit "special" traffic on each interface (e.g. computers connected to the HR interface get access to the HR DB server).

One problem I see with this setup is that interface-specific rules are checked before the global rules, but there are a LOT more "hits" on the rules that are common to each interface (and those are the rules I want to move into the global rules section).

Wouldn't this setup create a performance problem?

Is there a different way to share ACLs on multiple interfaces on the ASA (so I don't have to create a duplicate ACL for each interface)?
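
The layout described in the question, written out as an added configuration example (not taken from this thread or from Cisco documentation): the common services go into one ACL applied with `access-group ... global`, and each interface keeps only its own short ACL. Object-group names, interface names and addresses here are constructed placeholders; the syntax assumes ASA 8.3 or later, where global access rules and `service-object ... destination` groups exist. Evaluation order is the one the question states: a new connection is matched against the interface ACL first and falls through to the global ACL if nothing matched there, with the implicit deny at the end of the global ACL.

```cisco
! --- shared objects: every segment needs these (constructed addresses) ---
object-group network COMMON-SERVERS
 network-object host 10.0.0.10
 network-object host 10.0.0.11
object-group service COMMON-SERVICES
 service-object udp destination eq domain
 service-object tcp destination eq domain
 service-object udp destination eq ntp
 service-object tcp destination eq smtp
 service-object tcp destination eq ldap
 service-object tcp destination eq 88
 service-object tcp destination eq 445
 service-object tcp destination eq 3389
!
! --- global ACL: applied as ingress on every interface, evaluated AFTER the interface ACL ---
access-list GLOBAL_IN remark Common services shared by all segments
access-list GLOBAL_IN extended permit object-group COMMON-SERVICES any object-group COMMON-SERVERS
access-list GLOBAL_IN remark Everything not permitted above is dropped by the implicit deny
access-group GLOBAL_IN global
!
! --- per-interface ACLs: only the segment-specific exceptions remain here ---
object-group network HR-NET
 network-object 10.20.0.0 255.255.255.0
object-group network HR-DB-SERVERS
 network-object host 10.0.5.20
!
access-list HR_IN remark HR workstations to the HR database only
access-list HR_IN extended permit tcp object-group HR-NET object-group HR-DB-SERVERS eq 1433
access-group HR_IN in interface HR
!
access-list FINANCE_IN remark Finance workstations to the ERP application
access-list FINANCE_IN extended permit tcp 10.30.0.0 255.255.255.0 host 10.0.5.30 eq 8443
access-group FINANCE_IN in interface FINANCE
```

Two checks are worth running after a change like this. `show access-list GLOBAL_IN` and `show access-list HR_IN` show the per-rule hit counters, which is how the question measured the DNS rule; and `packet-tracer input HR tcp 10.20.0.15 40000 10.0.0.10 53` walks a synthetic packet through the interface ACL and then the global ACL, so you can confirm a common-service flow is being permitted by the global rule and not accidentally by (or before) an interface rule. Note that the interface ACL has no implicit deny of its own once a global ACL is configured; removing the global ACL later would bring that implicit deny back and silently block the common services on every interface.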

4 Replies

mirober2
Cisco Employee

Hello,

Unfortunately, there is no way to change this behavior. This is by design since interface-specific ACLs need to take precedence over the global rules. However, I don't think you will notice any performance difference, especially if your interface ACL is not very complex. ACLs are not processed linearly so although I have not tested this case, the performance difference between putting everything in an interface ACL versus sharing rules across a global ACL and also checking a few interface rules should be negligible.

Hope that helps.

-Mike

To add to mirober2's suggestion, unless the ACLs are absurdly long (more than 10K rules, and more depending on ASA model), there is no performance impact due to ACL evaluation. Note that packets that do have an existing connection are not checked against ACLs, as happens on routers.

I hope it helps.

PK

My ASA configuration, if put into a txt file, is 150 kBytes in size. Each interface has about 75 rules with nested object groups for both networks and ports.

I am concerned about the performance with the implementation of a global access list, because much of the interface-specific ACL contains rules that would get hit once a day, and some would get hit once a month. At the same time, virtually all rules in the global ACL, which gets checked after the interface-specific ACL, are getting hit much more frequently. I just checked: within the past 5 minutes, the global rule that permits DNS traffic got hit 12820 times.

But for the ASA to get to the DNS rule in the global ACL, it wasted lots of CPU cycles in the interface-specific ACL. I guess it would be better to have another global ACL that is processed before interface-specific ACLs, or to give admins the ability to customize how the existing global ACL is processed.

thanks for all the input

75 rules, or even 1K rules, would have no impact at all. So I would not worry about ACL performance at all.

Take care,

PK
