Maximum Number of ACEs; IP Addresses Used for Access Control Lists When You Use NAT - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
Chapter 10
Controlling Network Access with Access Control Lists
Access Control List Overview

Large ACLs of approximately 60K ACEs can take 3 to 4 minutes to commit, depending on the size.
To manually commit ACLs, see the "Manually Committing Access Control Lists and Rules" section on
page 10-7. For information about exceeding memory limits, see the "Maximum Number of ACEs"
section.

Maximum Number of ACEs

The FWSM supports a maximum of 80K rules for the entire system in single mode, and 142K rules in
multiple mode. Rules include ACEs, ACEs used for policy NAT, filters, AAA, ICMP, Telnet, SSH,
HTTP, and established rules. See the "Rule Limits" section on page A-5 for the limits for each
rule type.
Some ACLs use more memory than others; these include ACLs that use large port number ranges or
overlapping networks (for example, one ACE specifies 10.0.0.0/8 and another specifies 10.1.1.0/24).
Depending on the type of ACL, the actual limit the system can support can therefore be less than
80K (single mode) or 142K (multiple mode).
If you use object groups in ACEs, the number of ACEs that you enter is smaller, but the number of
expanded ACEs is the same as it would be without object groups, and it is the expanded ACEs that
count toward the system limit. To view the number of expanded ACEs in an ACL, enter the
show access-list acl_name command.
When you add an ACE, and the FWSM compiles the ACL, the console displays the memory used in a
message similar to the following:
Access Rules Download Complete: Memory Utilization: < 1%
If you exceed the memory limitations, you receive an error message and a system message (106024), and
all the ACLs that were added in this compilation are removed from the configuration. Only the set of
ACLs that were successfully committed in the previous commitment are used. For example, if you paste
1,000 ACEs at the prompt, and the last ACE exceeds the memory limitations, all 1,000 ACEs are
rejected.

IP Addresses Used for Access Control Lists When You Use NAT

When you use NAT, the IP addresses you specify for an ACL depend on the interface to which the ACL
is attached: use the addresses that are valid on the network connected to that interface, that is,
the real address for an ACL on the interface where the host actually resides, and the mapped
(translated) address for an ACL on the interface where the translation is visible. For example, if
the inside host 10.1.1.10 is translated to 209.165.201.10 on the outside interface, an ACL attached
to the outside interface must refer to 209.165.201.10, and an ACL attached to the inside interface
must refer to 10.1.1.10. This guideline applies for both inbound and outbound ACLs: the direction
does not determine the address used, only the interface does.
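The two guidelines above (counting expanded ACEs against the system rule limit, and choosing the real or mapped address according to the interface an ACL is attached to) as a pre-commit check you can run on a configuration before pasting it at the prompt. This is an added example, not code from the Cisco guide: the configuration snippet, the object-group and ACL names, the interface names, and the addresses are constructed for it, and it parses only the small subset of FWSM syntax that snippet uses. A port-object range is counted as one expanded element here; the guide notes that large port ranges use more memory, which this count does not model, so the show access-list output on the module remains the authoritative number.

```python
RULE_LIMIT_SINGLE_MODE = 80_000  # system-wide rule limit from the text; 142K in multiple mode

# Constructed FWSM-style snippet for this example (names and addresses are made up).
# 10.1.1.10 is statically translated to 209.165.201.10 on "outside", so an ACL attached to
# outside must name 209.165.201.10 while an ACL attached to inside must name 10.1.1.10.
CONFIG = """\
object-group network WEB_SERVERS
 network-object host 10.1.1.10
 network-object host 10.1.1.11
object-group network BRANCHES
 network-object 10.10.0.0 255.255.0.0
 network-object 10.20.0.0 255.255.0.0
 group-object WEB_SERVERS
object-group service WEB tcp
 port-object eq 80
 port-object eq 443
 port-object range 8000 8001
static (inside,outside) 209.165.201.10 10.1.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 209.165.201.10 eq 80
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 80
access-list INSIDE_OUT extended permit tcp object-group BRANCHES object-group WEB_SERVERS object-group WEB
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside
"""

def take_address(tok, i):
    """Consume one address spec (any | host A | object-group G | A M) starting at tok[i]."""
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] in ("host", "object-group"):
        return (tok[i], tok[i + 1]), i + 2
    return ("net", tok[i] + " " + tok[i + 1]), i + 2

def parse_ace(tok, text):
    """tok is everything after the protocol keyword: source, destination, optional service."""
    src, i = take_address(tok, 0)
    dst, i = take_address(tok, i)
    if i < len(tok) and tok[i] == "object-group":
        svc = ("object-group", tok[i + 1])
    else:
        svc = ("ports", " ".join(tok[i:]))  # "eq 80", "range 1 1024" or empty: one element
    return {"src": src, "dst": dst, "svc": svc, "text": text}

def parse_config(text):
    """Parse only the subset of FWSM syntax used in CONFIG into plain dicts."""
    groups, acls, bindings, statics, current = {}, {}, {}, [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        tok = line.split()
        if tok[0] == "object-group":              # object-group network|service NAME [proto]
            current = groups.setdefault(tok[2], [])
        elif tok[0] in ("network-object", "port-object", "group-object"):
            current.append(tok)                   # member token list, e.g. [network-object, host, A]
        elif tok[0] == "static":                  # static (real_if,mapped_if) MAPPED REAL ...
            real_if, mapped_if = tok[1].strip("()").split(",")
            statics.append({"real_if": real_if, "mapped_if": mapped_if, "mapped": tok[2], "real": tok[3]})
        elif tok[0] == "access-list":             # access-list NAME extended permit|deny PROTO ...
            acls.setdefault(tok[1], []).append(parse_ace(tok[5:], line))
        elif tok[0] == "access-group":            # access-group NAME in interface IF
            bindings[tok[1]] = tok[4]
    return {"groups": groups, "acls": acls, "bindings": bindings, "statics": statics}

def group_size(groups, name):
    """Members a group expands to, recursing into group-object entries (a range counts as one)."""
    return sum(group_size(groups, m[1]) if m[0] == "group-object" else 1 for m in groups[name])

def expanded_ace_counts(cfg):
    """Expanded ACEs per ACL: each entered ACE expands to src x dst x service members."""
    size = lambda s: group_size(cfg["groups"], s[1]) if s[0] == "object-group" else 1
    return {name: sum(size(a["src"]) * size(a["dst"]) * size(a["svc"]) for a in aces)
            for name, aces in cfg["acls"].items()}

def fits_rule_limit(cfg, limit=RULE_LIMIT_SINGLE_MODE):
    """True if the expanded ACEs of all ACLs together stay within the system rule limit."""
    return sum(expanded_ace_counts(cfg).values()) <= limit

def host_addresses(groups, spec):
    """Host addresses a spec names: a literal host, or the host members of a (nested) group."""
    if spec[0] == "host":
        return {spec[1]}
    found = set()
    if spec[0] == "object-group":
        for m in groups[spec[1]]:
            if m[0] == "group-object":
                found |= host_addresses(groups, ("object-group", m[1]))
            elif m[0] == "network-object" and m[1] == "host":
                found.add(m[2])
    return found

def nat_address_findings(cfg):
    """ACEs naming a static's real address on its mapped interface, or the mapped address on
    its real interface. Returns (acl, ace_text, offending_address, advice) tuples."""
    findings = []
    for acl, iface in cfg["bindings"].items():
        for ace in cfg["acls"].get(acl, []):
            addrs = host_addresses(cfg["groups"], ace["src"]) | host_addresses(cfg["groups"], ace["dst"])
            for s in cfg["statics"]:
                if iface == s["mapped_if"] and s["real"] in addrs:
                    findings.append((acl, ace["text"], s["real"], "use mapped address " + s["mapped"]))
                elif iface == s["real_if"] and s["mapped"] in addrs:
                    findings.append((acl, ace["text"], s["mapped"], "use real address " + s["real"]))
    return findings
```

Running parse_config on the snippet and then expanded_ace_counts reports 2 expanded ACEs for OUTSIDE_IN and 24 for INSIDE_OUT (BRANCHES expands to 4 members including the nested group, WEB_SERVERS to 2, WEB to 3), and nat_address_findings flags the second OUTSIDE_IN entry because it names the real address 10.1.1.10 on the outside interface where only 209.165.201.10 is valid. The address check only looks at host entries; network ranges in an ACE are not compared against the statics.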
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01, page 10-24