This is rather trivial in terms of technicality, but when you’re planning your implementation of a Firewall Services Module (FWSM) into your Cisco Catalyst 6500, you want to think about how many “firewalls” (security contexts) you’re going to be employing and approximately how many ACLs you are going to leverage within said firewalls. The important point is ACL resource allocation. There is a finite number of rules you can use within each virtual firewall, and this number is determined by the allocation space, or pools if you will. The greater the number of pools, the lower the number of ACLs you can use per pool. Also of note, if you have more firewalls than ACL pools, the overlapping firewalls will share pools. For example, if you have 6 ACL pools and 7 firewalls, firewall 1 and firewall 7 will share ACL pool 1. Simple. The default number of pools is 12¹.
How many ACEs can a typical ACL pool hold? A short excerpt from my FWSM:
FWSM# show resource acl-partition
Total number of configured partitions = 12
Partition #0
Mode : non-exclusive
List of Contexts : admin
Number of contexts : 1(RefCount:1)
Number of rules : 17(Max:14173)
Partition #1
Mode : non-exclusive
List of Contexts : main-fw
Number of contexts : 1(RefCount:1)
Number of rules : 10751(Max:14173)
With 12 ACL partitions/pools, each partition can hold approximately 14,173 rules (the Max value shown above). That seems like a lot, no? Well, it is, but it depends where on your network this firewall resides, how protected that network needs to be (in terms of granularity), and how many interfaces said firewall has (remember, this is a virtual firewall using VLANs off of the 6500 as assigned interfaces).
The main-fw firewall shown above is about 75% full in terms of its ACL usage (10,751 of 14,173 rules). Since we don’t have a need for 12 static firewall pools, let’s decrease it to 6 (which is still more than we need) and double our ACL space.
FWSM# configure terminal
FWSM(config)# resource acl-partition 6
WARNING: This command leads to re-paritioning of ACL Memory.It will not take affect until you save the configuration and reboot.
FWSM(config)#reload
As the warning states, the re-partitioning only takes effect once the configuration is saved and the FWSM is rebooted. The FWSM typically takes a few minutes to reload, but upon reboot it will have the new ACL partitions without changing your context configurations.
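After the reload, the natural check is to run show resource acl-partition again and confirm that the new partition count and per-partition Max values are what you expected. The script below, an added example that is not part of the original post, parses that output into per-partition records, computes utilization so that nearly full pools (like main-fw at about 75% above) can be flagged before they run out of ACE space, and models the pool-sharing rule described at the top of the post (firewall 7 of 7 with 6 pools lands in pool 1). The sample output embedded in it is a constructed transcript modelled on the two partitions shown above; the mapping function assumes the post's simple round-robin illustration with 1-based firewall and pool numbers, not any documented FWSM assignment algorithm.

```python
"""Parse `show resource acl-partition` output from a Cisco FWSM and report
per-partition ACE utilization so that nearly full partitions can be flagged.

Added example; not code from the original post.  SAMPLE_OUTPUT is a
constructed transcript modelled on the two partitions shown in the post.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample output mirroring the post's excerpt (12 partitions
# configured, only the first two shown, as in the post).
SAMPLE_OUTPUT = """\
Total number of configured partitions = 12
Partition #0
Mode : non-exclusive
List of Contexts : admin
Number of contexts : 1(RefCount:1)
Number of rules : 17(Max:14173)
Partition #1
Mode : non-exclusive
List of Contexts : main-fw
Number of contexts : 1(RefCount:1)
Number of rules : 10751(Max:14173)
"""


@dataclass
class Partition:
    index: int
    mode: str = ""
    contexts: List[str] = field(default_factory=list)
    rules: int = 0
    max_rules: int = 0

    @property
    def utilization(self) -> float:
        """Fraction of this partition's ACE capacity in use (0.0 to 1.0)."""
        return self.rules / self.max_rules if self.max_rules else 0.0


def configured_partitions(text: str) -> Optional[int]:
    """Return the 'Total number of configured partitions' value, if present."""
    m = re.search(r"Total number of configured partitions\s*=\s*(\d+)", text)
    return int(m.group(1)) if m else None


def parse_acl_partitions(text: str) -> List[Partition]:
    """Turn the 'Partition #N' blocks of the command output into records."""
    partitions: List[Partition] = []
    current: Optional[Partition] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Partition #(\d+)", line)
        if m:
            current = Partition(index=int(m.group(1)))
            partitions.append(current)
            continue
        if current is None:
            continue  # header lines before the first partition block
        if line.startswith("Mode"):
            current.mode = line.split(":", 1)[1].strip()
        elif line.startswith("List of Contexts"):
            # Whitespace-separated context names; empty if none are listed.
            current.contexts = line.split(":", 1)[1].split()
        elif line.startswith("Number of rules"):
            m = re.search(r"(\d+)\(Max:(\d+)\)", line)
            if m:
                current.rules = int(m.group(1))
                current.max_rules = int(m.group(2))
    return partitions


def nearly_full(partitions: List[Partition], threshold: float = 0.75) -> List[int]:
    """Indexes of partitions whose ACE utilization is at or above threshold."""
    return [p.index for p in partitions if p.utilization >= threshold]


def pool_for_context(firewall_number: int, pool_count: int) -> int:
    """Round-robin pool assignment as illustrated in the post (1-based):
    with 6 pools, firewall 7 shares pool 1 with firewall 1.  This models the
    post's description only and is an assumption, not a documented algorithm."""
    return ((firewall_number - 1) % pool_count) + 1


if __name__ == "__main__":
    parts = parse_acl_partitions(SAMPLE_OUTPUT)
    print(f"configured partitions: {configured_partitions(SAMPLE_OUTPUT)}")
    for p in parts:
        names = ", ".join(p.contexts) or "(none)"
        print(f"partition {p.index}: {names} {p.rules}/{p.max_rules} "
              f"({p.utilization:.1%})")
    print("at or above 75%:", nearly_full(parts))
    print("firewall 7 with 6 pools -> pool", pool_for_context(7, 6))
```

Run it against a saved copy of the real command output (before and after the re-partition) and compare the Max values; if a partition's utilization is already near the threshold, that is the context whose ACL growth the new layout needs to absorb.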