Feb 6, 2013
Multi-context FWSM ACL partition
When you convert a FWSM from single to multiple mode (security contexts), the system creates pools of resources (aka partitions). These pools limit the number of rules (ACEs, AAA rules, Policy NAT, and others) that can be created on each context. The FWSM uses 12 partitions by default (maximum value) and each context is assigned to its own partition, unless you have more than twelve contexts. In this case, the system will assign more than one context to each partition, sharing resources between them.
If you have fewer than twelve contexts, it is a good idea to reduce the number of partitions so the available resources are put to better use. The following commands change the number of partitions and monitor resource usage:
resource acl-partition number_of_partitions
FWSM# show resource partition
                       Bootup     Current
Partition    Default   Partition  Configured
Number       Size      Size       Size
-----------+---------+----------+-----------
0            19219     19219      19219
1            19219     19219      19219
2            19219     19219      19219
3            19219     19219      19219
4            19219     19219      19219
5            19219     19219      19219
6            19219     19219      19219
7            19219     19219      19219
8            19219     19219      19219
9            19219     19219      19219
10           19219     19219      19219
11           19219     19219      19219
backup tree  19219     19219      19219
-----------+---------+----------+-----------
Total        249847    249847     249847

Total Partition size - Configured size = Available to allocate
249847 - 249847 = 0
FWSM# show resource acl-partition
Total number of configured partitions = 2
Partition #0
Mode :exclusive
List of Contexts :bandn, borders
Number of contexts :2(RefCount:2)
Number of rules :0(Max:53087)
Partition #1
Mode :non-exclusive
List of Contexts :admin, momandpopA, momandpopB, momandpopC
momandpopD
Number of contexts :5(RefCount:5)
Number of rules :6(Max:53087)
FWSM# show resource rule partition 0
            Default   Configured Absolute
CLS Rule    Limit     Limit      Max
-----------+---------+----------+---------
Policy NAT  283       283        833
ACL         10633     10633      10633
Filter      425       425        850
Fixup       1417      1417       2834
Est Ctl     70        70         70
Est Data    70        70         70
AAA         992       992        1984
Console     283       283        566
-----------+---------+----------+---------
Total       14173     14173

Partition Limit - Configured Limit = Available to allocate
14173 - 14173 = 0
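A small parser for the "show resource acl-partition" output shown above, added here as an example (it is not from the post or from Cisco): it turns each partition's rule count and Max into a utilisation figure and flags non-exclusive partitions, where several contexts draw on one rule pool. The sample text is constructed in the same layout as the post's output, and the 80% warning threshold is an assumed operator choice.

```python
import re

# Constructed sample in the layout of the post's "show resource acl-partition" output (wrapped context list included).
SAMPLE = """\
Total number of configured partitions = 2
Partition #0
Mode :exclusive
List of Contexts :bandn, borders
Number of contexts :2(RefCount:2)
Number of rules :0(Max:53087)
Partition #1
Mode :non-exclusive
List of Contexts :admin, momandpopA, momandpopB, momandpopC
momandpopD
Number of contexts :5(RefCount:5)
Number of rules :6(Max:53087)
"""

def _names(s):
    return [c.strip() for c in s.split(",") if c.strip()]

def parse_acl_partitions(text):
    """Return one dict per partition: id, mode, contexts, rules, max_rules."""
    parts, cur = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if head := re.match(r"Partition #(\d+)", line):
            cur = {"id": int(head.group(1)), "contexts": []}
            parts.append(cur)
        elif cur is None:              # banner lines before the first partition
            continue
        elif line.startswith("Mode"):
            cur["mode"] = line.split(":", 1)[1].strip()
        elif line.startswith("List of Contexts"):
            cur["contexts"] += _names(line.split(":", 1)[1])
        elif m := re.match(r"Number of rules\s*:(\d+)\(Max:(\d+)\)", line):
            cur["rules"], cur["max_rules"] = int(m.group(1)), int(m.group(2))
        elif ":" not in line:          # context list wrapped onto a bare line
            cur["contexts"] += _names(line)
    return parts

def partition_report(parts, warn_pct=80.0):
    """Add utilisation to each partition and return findings worth acting on (warn_pct is assumed)."""
    findings = []
    for p in parts:
        p["utilisation_pct"] = round(100.0 * p["rules"] / p["max_rules"], 1)
        if p["utilisation_pct"] >= warn_pct:
            findings.append(f"partition {p['id']} at {p['utilisation_pct']}% of its rule limit")
        if p["mode"] == "non-exclusive" and len(p["contexts"]) > 1:
            findings.append(f"partition {p['id']} shared by {len(p['contexts'])} contexts; no per-context reservation")
    return findings
```

Feed it the output of "show resource acl-partition" from each context-mode FWSM on a schedule and alert on the findings list; a partition creeping toward its Max is the one to watch before a new ACE is rejected.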
When failover is used, both units need to be reloaded at the same time after making partition changes. At no time should two FWSMs with a mismatched number of partitions or rule limits synchronize over failover.
https://supportforums.cisco.com/docs/DOC-13189
https://supportforums.cisco.com/docs/DOC-8786
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/command/reference/qr.html#wp1622931
Categories: Configuring, FWSM, Monitoring, Troubleshooting