FWSM Firewall Context Access-List Entry Limitation

orlan.marquez
Level 1

We just recently experienced an error message on one of the firewall contexts saying that it has reached the maximum number of access-list entries. Does anyone know what the limit of ACL entries per context is, or where I can find the documentation for it? Any workaround for this issue? Thanks in advance.

Accepted Solution

jgervia_2
Level 1

Hello,

This value changes depending on what version of FWSM code you are running - and Cisco does not get that specific on how the FWSM calculates ACE entries for determining how many entries you have on your own.

If you run the command (the syntax may be different in 3.x code):

show np 3 acl count

You'll get an output that looks like this:

-------------- CLS Rule Current Counts --------------
CLS Filter Rule Count : 0
CLS Fixup Rule Count : 11
CLS Est Ctl Rule Count : 0
CLS AAA Rule Count : 2187
CLS Est Data Rule Count : 0
CLS Console Rule Count : 7
CLS Policy NAT Rule Count : 0
CLS ACL Rule Count : 3491
CLS ACL Uncommitted Add : 0
CLS ACL Uncommitted Del : 0
---------------- CLS Rule MAX Counts ----------------
CLS Filter MAX : 3584
CLS Fixup MAX : 32
CLS Est Ctl Rule MAX : 716
CLS Est Data Rule MAX : 716
CLS AAA Rule MAX : 5017
CLS Console Rule MAX : 2150
CLS Policy NAT Rule MAX : 3584
CLS ACL Rule MAX : 56627

The counts are your actual numbers, the MAX is the max you can have. AAA rules are counted for how many ACEs you can have applied in total with your 'aaa match' commands. From your issue, it sounds like you need to check your 'CLS ACL Rule Count' and 'CLS ACL Rule MAX' and make sure you're not getting close to that number. If you are - try limiting the number of host entries (use networks) where possible, and try using port ranges instead of individual ports in your access-list statements.

I'll try to find the 7.x syntax and post here later.

--Jason

Rate if it helps.

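The answer above boils down to one check: compare each 'Count' line against its 'MAX' line and react before the ACL class fills up. The script below is an added example, not something from the thread or from Cisco; it parses the 'show np 3 acl count' output exactly as quoted in the answer (the two sample blocks are constructed from that quote, with the second one altered to sit near the limit), computes utilisation per rule class and flags any class above a warning threshold. The 80% threshold and the report layout are assumptions; the FWSM itself only tells you when the limit has already been hit.

```python
import re

# Matches the 'Count' and 'MAX' lines, e.g.
#   "CLS Est Ctl Rule Count : 0"   -> ("Est Ctl", "Count", 0)
#   "CLS Filter MAX : 3584"        -> ("Filter", "MAX", 3584)
# The optional "Rule " absorbs the inconsistent spelling of the MAX section.
RULE_RE = re.compile(r"^CLS (.+?) (?:Rule )?(Count|MAX) : (\d+)$")
# The two uncommitted-change lines have no MAX counterpart; tracked separately.
UNCOMMITTED_RE = re.compile(r"^CLS ACL Uncommitted (Add|Del) : (\d+)$")

# Constructed sample: the output quoted in the accepted answer.
SAMPLE_OUTPUT = """\
-------------- CLS Rule Current Counts --------------
CLS Filter Rule Count : 0
CLS Fixup Rule Count : 11
CLS Est Ctl Rule Count : 0
CLS AAA Rule Count : 2187
CLS Est Data Rule Count : 0
CLS Console Rule Count : 7
CLS Policy NAT Rule Count : 0
CLS ACL Rule Count : 3491
CLS ACL Uncommitted Add : 0
CLS ACL Uncommitted Del : 0
---------------- CLS Rule MAX Counts ----------------
CLS Filter MAX : 3584
CLS Fixup MAX : 32
CLS Est Ctl Rule MAX : 716
CLS Est Data Rule MAX : 716
CLS AAA Rule MAX : 5017
CLS Console Rule MAX : 2150
CLS Policy NAT Rule MAX : 3584
CLS ACL Rule MAX : 56627
"""

# Constructed variant: same context after the ACL table has grown close to MAX.
NEAR_LIMIT_OUTPUT = SAMPLE_OUTPUT.replace(
    "CLS ACL Rule Count : 3491", "CLS ACL Rule Count : 55900"
)


def parse_acl_counts(text):
    """Return (counts, maxes, uncommitted) dicts keyed by rule-class name."""
    counts, maxes, uncommitted = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            name, kind, value = m.group(1), m.group(2), int(m.group(3))
            (counts if kind == "Count" else maxes)[name] = value
            continue
        m = UNCOMMITTED_RE.match(line)
        if m:
            uncommitted[m.group(1)] = int(m.group(2))
    return counts, maxes, uncommitted


def capacity_report(text, warn_at=0.8):
    """One (name, used, limit, fraction, status) tuple per class that has a MAX."""
    counts, maxes, _ = parse_acl_counts(text)
    report = []
    for name in sorted(counts):
        limit = maxes.get(name)
        if not limit:  # no MAX line, or a zero limit: nothing to compare against
            continue
        used = counts[name]
        fraction = used / limit
        if used >= limit:
            status = "FULL"      # the condition that produced the original error
        elif fraction >= warn_at:
            status = "WARN"      # time to collapse hosts into networks / port ranges
        else:
            status = "ok"
        report.append((name, used, limit, fraction, status))
    return report


def flagged_classes(text, warn_at=0.8):
    """Names of rule classes at or above the warning threshold."""
    return [r[0] for r in capacity_report(text, warn_at) if r[4] != "ok"]


if __name__ == "__main__":
    for sample in (SAMPLE_OUTPUT, NEAR_LIMIT_OUTPUT):
        for name, used, limit, fraction, status in capacity_report(sample):
            print(f"{name:<11} {used:>6}/{limit:<6} {fraction:6.1%}  {status}")
        print("flagged:", flagged_classes(sample) or "none")
        print()
```

Feed it the text captured from each context (the per-context 'changeto' plus the show command on a schedule) and alert on anything the 'flagged_classes' list returns; the ACL class is the one the original poster hit, but the AAA and Fixup classes have far smaller limits and are worth watching in the same pass.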

4 Replies


How is this affected by the use of object-groups? Is a "CLS ACL Rule" equivalent to an ACE, or to each "expansion" of an ACE with object-groups (seen when you do a "show acl")? In other words, if the object group "some-hosts" has network-objects, does the ACE:

"access-list x extended permit tcp object-group some-hosts host 10.1.1.1 eq ssh"

count as 1 or 10 CLS ACL rules?

lowen,

As I stated in the earlier message, Cisco isn't so clear on ACL counting. I *believe* that object groups do not affect the count.

One way you can tell for a particular access-list is that when you do the 'show access-list' command it tells you how many elements are in it (at least on the FWSM).

Examples:

permit ip host 1.1.1.1 host 2.2.2.2 == 1 element

permit ip object-group jay-test object-group jay-test2 == 1 element

(those object groups had the hosts 1.1.1.1 and 2.2.2.2, respectively).

Now, I know I've read somewhere that not all ACEs are equal to access-list lines, but it certainly seems to be the case here.

--Jason

Please rate my answer if it answered some or all of your question.

Jason,

Thanks for your reply. I have been trying to look for this CLI command--this sure helps us a lot.