11-07-2018 01:04 AM - edited 03-05-2019 11:02 AM
Hello
I have already posted this in the security forum and as of yet had no feedback, so now I am trying the R/S forum just in case someone could answer this.
Our own FW admins don't know and I cannot find any documentation on CCO. The answer I am looking for is how the ACE limitation on the above FSM is actually calculated.
What I mean is, what constitutes a single ACE instance or multiple?
Example:
Does an object equal 1 instance, or is a calculation also performed on what resides in that object?
Same for an IP range: does this count as just one instance, or multiple depending on the size of the IP range specified?
11-07-2018 01:00 PM
Hi Paul
It's been a while since I have used the FWSM but object groups are expanded and then each line would be an individual entry.
I did a quick search on this site as I remember this coming up before and found this answer which may be of help -
https://community.cisco.com/t5/firewalls/how-ace-s-are-counted-on-an-fwsm/td-p/1339992
Jon
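A small model of the expansion Jon describes, added here as an illustration (not code from the thread or from Cisco): it counts one entry per object-group member line and multiplies the sizes of the groups each access-list line references. The sample config and function names are constructed, and the result is an estimate to compare against what the device reports, not the FWSM's own accounting; IP ranges are not modeled because the thread does not settle how they are counted.

```python
import math
import re

# Constructed sample config (not from the thread), FWSM/ASA-style syntax.
SAMPLE = """\
object-group network WEB
 network-object host 10.0.0.1
 network-object 10.1.0.0 255.255.255.0
object-group network ALL
 group-object WEB
 network-object host 10.9.9.9
object-group service PORTS tcp
 port-object eq 80
 port-object eq 443
access-list OUT extended permit tcp object-group ALL any object-group PORTS
access-list OUT extended permit icmp host 10.0.0.1 any
"""

def parse_groups(config):
    """Return {group name: [member lines]} for every object-group block."""
    groups, current = {}, None
    for line in config.splitlines():
        if line.startswith("object-group "):
            current = groups.setdefault(line.split()[2], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level line ends the block
    return groups

def group_size(name, groups, seen=()):
    """Count leaf member lines, following nested group-object references."""
    if name in seen:
        raise ValueError(f"circular group-object reference: {name}")
    total = 0
    for member in groups[name]:
        nested = member.startswith("group-object ")
        total += group_size(member.split()[1], groups, seen + (name,)) if nested else 1
    return total

def acl_totals(config):
    """Estimate expanded entries per ACL name: product of referenced group sizes."""
    groups, totals = parse_groups(config), {}
    for line in config.splitlines():
        if line.startswith("access-list "):
            refs = re.findall(r"object-group (\S+)", line)
            count = math.prod(group_size(n, groups) for n in refs)  # no groups -> 1
            totals[line.split()[1]] = totals.get(line.split()[1], 0) + count
    return totals
```

For the sample, the first line expands to 3 sources x 2 ports = 6 entries and the plain line adds 1, so `acl_totals(SAMPLE)` gives 7 for `OUT`.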
11-07-2018 01:20 PM
Hello
Thanks Jon, this has given me a starting point to work with. It's just a shame that link doesn't work.
What's your personal view on IP ranges? Would you say the same rule should apply to them also? In fact, thinking about it, I guess I should be able to apply a fake rule with an IP range and see the ACE total increment with this command: sh np 3 acl count
+5 Jon
very much appreciated