«

I guess the subject says it all... I'm running Version 6.3(2). Is there a
maximum number of entries for an access-list? If I reach that maximum is
there a workaround?

Thanks,
Alex

In article <421fdf05$0$32617$>,
Alex <> wrote:
:I guess the subject says it all... I'm running Version 6.3(2). Is there a
:maximum number of entries for an access-list?

There is no fixed maximum.

The maximum configuration file size is 1 Mb for the PIX 501 running
PIX 6.3 sofware. You may not be able to achieve that maximum if your
configuration file is particularily complex. And if you get close
to the maximum with a complex configuration, you might not have much
memory left to hold active connections.

:If I reach that maximum is there a workaround?

Yes: the PIX 525 and 535 allow 2 Mb for the configuration file.

When you "write memory" the configuration file is saved in flash,
which is 8 Mb for the PIX 501. In the meantime, your active
configuration has to fit into the PIX 501's 16 Mb of RAM,
including all the state tables.

On a PIX 501 which currently has no connections, which I have
configured with about 8600 lines of configuration file (about 300 Kb),
I have about 3.3 MB of free memory. On a different 501 with a slightly
smaller configuration and some active connections and tunnels, I have
about 2.4 MB of free memory. If an ACL entry needs about 22 bytes then
3.3 MB is about enough for 42000 [more] ACL entries. If you were to
construct an object with 400 'network-object host' entries, and were to
use something like
access-list ACL permit IP object-group hosts400 object-group hosts400
then you would use up the memory... but 400 such 'host' lines would
only take ~8 Kb of configuration file. So you can see how the
complexity of your file can be of great importance.

The average line length in my configuration files is 34 bytes.
1 Mb could store over 29000 such lines. If your configuration is
approaching that, I suspect you should be moving into a faster PIX.
--
Those were borogoves and the momerathsoutgrabe completely mimsy.

Walter,

Thanks - very comprehensive response!

I think I'm fine for now, my config is still under 2000 lines - but I just
wanted to be prepared, in case I needed to upgrade to a bigger PIX!

Cheers,
Alex


"Walter Roberson" <> wrote in message
news:cvoq7i$bb4$...
> In article <421fdf05$0$32617$>,
> Alex <> wrote:
> :I guess the subject says it all... I'm running Version 6.3(2). Is there a
> :maximum number of entries for an access-list?
>
> There is no fixed maximum.
>
> The maximum configuration file size is 1 Mb for the PIX 501 running
> PIX 6.3 sofware. You may not be able to achieve that maximum if your
> configuration file is particularily complex. And if you get close
> to the maximum with a complex configuration, you might not have much
> memory left to hold active connections.
>
> :If I reach that maximum is there a workaround?
>
> Yes: the PIX 525 and 535 allow 2 Mb for the configuration file.
>
> When you "write memory" the configuration file is saved in flash,
> which is 8 Mb for the PIX 501. In the meantime, your active
> configuration has to fit into the PIX 501's 16 Mb of RAM,
> including all the state tables.
>
> On a PIX 501 which currently has no connections, which I have
> configured with about 8600 lines of configuration file (about 300 Kb),
> I have about 3.3 MB of free memory. On a different 501 with a slightly
> smaller configuration and some active connections and tunnels, I have
> about 2.4 MB of free memory. If an ACL entry needs about 22 bytes then
> 3.3 MB is about enough for 42000 [more] ACL entries. If you were to
> construct an object with 400 'network-object host' entries, and were to
> use something like
> access-list ACL permit IP object-group hosts400 object-group hosts400
> then you would use up the memory... but 400 such 'host' lines would
> only take ~8 Kb of configuration file. So you can see how the
> complexity of your file can be of great importance.
>
> The average line length in my configuration files is 34 bytes.
> 1 Mb could store over 29000 such lines. If your configuration is
> approaching that, I suspect you should be moving into a faster PIX.
> --
> Those were borogoves and the momerathsoutgrabe completely mimsy.