Cisco 7604 Configuration Manual page 79

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
Chapter 4
Configuring Security Contexts
Managing Memory for Rules

Guidelines

The target partition and rule allocation settings must be carefully calculated, planned, and preferably tested in a non-production environment prior to making the change, to ensure that all existing contexts and rules can be accommodated.

When failover is used, both FWSMs need to be reloaded at the same time after making partition changes. Reloading both FWSMs causes an outage with no possibility for a zero-downtime reload. At no time should two FWSMs with a mismatched number of partitions or rule limits synchronize over failover.

Change the number of partitions before you set the partition sizes; changing the number of partitions affects the overall number of rules per partition. If you increase the number of partitions, for example, then the number of rules available per partition will be smaller. Therefore, your partition size configuration might be invalid, and you might need to reconfigure all your partition sizes. Changing the number of partitions requires you to reload the FWSM before you change the partition sizes; then changing the partition sizes requires a second reload.

Allocate contexts to specific partitions before you set the partition sizes (see the "Configuring a Security Context" section on page 4-27). If you plan all your partition sizes based on the contexts currently assigned to a partition, but you did not specifically allocate the contexts, then you run the risk of context assignments shifting after a reload (for example, if you add or subtract contexts).

Reduce the size of partition(s) before increasing the size of other partition(s). The FWSM rejects any increase in size if there is no free space available.

If the existing number of ACEs does not fit into the new partition size, then the resizing is rejected.

In addition to the memory partitions to which the FWSM assigns contexts, the FWSM uses a backup tree partition to process changes to rules, so that traffic can continue to use the old configuration until the new configuration is ready. The backup tree must be as large as the largest partition. Therefore, some memory is automatically assigned to the backup tree in tandem with the largest partition, so be sure to include the backup tree in your calculations.

If you reduce the size of a partition, the FWSM checks the rule allocation (see the "Reallocating Rules Between Features for a Specific Memory Partition" section on page 4-19). If you manually allocated rules between features so that the total number of rules allocated is now greater than those available, then the FWSM rejects the resizing of the partition. Similarly, if the absolute maximum number of rules for a feature is now exceeded, then the FWSM rejects the resizing of the partition.

Caution: Failure to follow these guidelines might result in dropped access list configuration as well as other anomalies, including ACL tree corruption.

Detailed Steps

To set the size of the memory partitions, perform the following steps:

Step 1 To view the current partition sizes, enter the following command:

hostname(config)# show resource partition

For example, the following output shows that each of 12 partitions has the default 19,219 rules (this is an example only, and might differ from the actual number of rules for your system). The backup tree always matches the largest partition size, so it also has 19,219 rules, for a total of 249,847 rules.

hostname(config)# show resource partition

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
4-15
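The sizing rules above are easy to get wrong because the backup tree grows with the largest partition, so freeing N rules in one partition is not enough to grow another by N. The following planner, an added example and not Cisco's code, models the guidelines (backup tree equal to the largest partition, shrink before grow, no increase without free space, no shrink below the ACEs already in use). It assumes a fixed pool of 249,847 rules taken from the sample output (12 x 19,219 plus the backup tree); the in-use ACE counts are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass

DEFAULT_PARTITIONS = 12
DEFAULT_RULES = 19_219
# 12 partitions plus a backup tree of the same size: 249,847 rules, as in the
# page's sample output. Treating this as a fixed pool is an assumption.
TOTAL_RULES = (DEFAULT_PARTITIONS + 1) * DEFAULT_RULES


@dataclass
class PartitionPlan:
    sizes: dict[int, int]   # partition id -> configured rule limit
    in_use: dict[int, int]  # partition id -> ACEs already configured (constructed sample)

    @staticmethod
    def default(in_use: dict[int, int] | None = None) -> "PartitionPlan":
        return PartitionPlan({i: DEFAULT_RULES for i in range(DEFAULT_PARTITIONS)},
                             dict(in_use or {}))

    def backup_tree(self) -> int:
        # The backup tree always matches the largest partition.
        return max(self.sizes.values())

    def free(self) -> int:
        # Rules not claimed by any partition or by the backup tree.
        return TOTAL_RULES - sum(self.sizes.values()) - self.backup_tree()

    def resize(self, changes: dict[int, int]):
        """Return (ok, message, new_plan); self is left unchanged on rejection."""
        if not set(changes) <= set(self.sizes):
            return False, "unknown partition", self
        trial = PartitionPlan(dict(self.sizes), self.in_use)
        # Apply reductions before increases, as the guidelines require.
        for pid, new in sorted(changes.items(), key=lambda kv: kv[1] - self.sizes[kv[0]]):
            if new < trial.in_use.get(pid, 0):
                return False, f"partition {pid}: {trial.in_use[pid]} ACEs do not fit in {new}", self
            trial.sizes[pid] = new
            if trial.free() < 0:
                # The FWSM rejects an increase when there is no free space.
                return False, f"partition {pid}: no free space to grow to {new}", self
        return True, f"ok, {trial.free()} rules free", trial


if __name__ == "__main__":
    plan = PartitionPlan.default({0: 19_000})
    print(plan.resize({1: 18_219, 0: 20_219})[1])  # rejected: backup tree grows too
    print(plan.resize({1: 17_219, 0: 20_219})[1])  # accepted: 1000 for partition 0, 1000 for backup tree
```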