Cisco PIX 501: How big can an access-list be?

Discussion in 'Cisco' started by Alex, Feb 26, 2005.

  1. Alex

    Alex Guest

    I guess the subject says it all... I'm running Version 6.3(2). Is there a
    maximum number of entries for an access-list? If I reach that maximum is
    there a workaround?

    Thanks,
    Alex
     
    Alex, Feb 26, 2005
    #1

  2. In article <421fdf05$0$32617$>,
    Alex <> wrote:
    :I guess the subject says it all... I'm running Version 6.3(2). Is there a
    :maximum number of entries for an access-list?

    There is no fixed maximum.

    The maximum configuration file size is 1 Mb for the PIX 501 running
    PIX 6.3 software. You may not be able to achieve that maximum if your
    configuration file is particularly complex. And if you get close
    to the maximum with a complex configuration, you might not have much
    memory left to hold active connections.

    :If I reach that maximum is there a workaround?

    Yes: the PIX 525 and 535 allow 2 Mb for the configuration file.

    When you "write memory" the configuration file is saved in flash,
    which is 8 Mb for the PIX 501. In the meantime, your active
    configuration has to fit into the PIX 501's 16 Mb of RAM,
    including all the state tables.

    On a PIX 501 which currently has no connections, which I have
    configured with about 8600 lines of configuration file (about 300 Kb),
    I have about 3.3 MB of free memory. On a different 501 with a slightly
    smaller configuration and some active connections and tunnels, I have
    about 2.4 MB of free memory. If an ACL entry needs about 22 bytes then
    3.3 MB is about enough for 42000 [more] ACL entries. If you were to
    construct an object with 400 'network-object host' entries, and were to
    use something like
    access-list ACL permit IP object-group hosts400 object-group hosts400
    then you would use up the memory... but 400 such 'host' lines would
    only take ~8 Kb of configuration file. So you can see how the
    complexity of your file can be of great importance.

    The average line length in my configuration files is 34 bytes.
    1 Mb could store over 29000 such lines. If your configuration is
    approaching that, I suspect you should be moving into a faster PIX.
    --
    Those were borogoves and the momerathsoutgrabe completely mimsy.
     
    Walter Roberson, Feb 26, 2005
    #2
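A worked estimate of the object-group cross-product effect Walter describes, added here as an example (not code from the thread). It assumes the figures he quotes (about 22 bytes per ACL entry, a 1 MB configuration limit and roughly 3.3 MB of free RAM on an idle 501) and a constructed 400-host object-group used on both sides of one access-list line.

```python
# Added example: estimate how a PIX 6.3 config's object-groups expand into
# ACL entries, using the per-entry cost and limits quoted in the thread.
import re

CONFIG_LIMIT_BYTES = 1 * 1024 * 1024      # PIX 501 / 6.3 config file maximum
BYTES_PER_ACE = 22                        # per-entry cost quoted in the thread
FREE_RAM_BYTES = int(3.3 * 1024 * 1024)   # free memory on the idle 501 described


def parse_object_groups(config):
    """Map object-group name -> member count (network-object lines)."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*object-group\s+network\s+(\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = 0
        elif current and re.match(r"\s*network-object\s", line):
            groups[current] += 1
        elif line and not line.startswith(" "):
            current = None  # any unindented line ends the object-group block
    return groups


def expanded_aces(config):
    """Count the ACEs each access-list line expands to: the product of the
    sizes of every object-group it references (src group x dst group)."""
    groups = parse_object_groups(config)
    total = 0
    for line in config.splitlines():
        if not line.lstrip().startswith("access-list "):
            continue
        count = 1
        for name in re.findall(r"object-group\s+(\S+)", line):
            count *= groups.get(name, 1)
        total += count
    return total


def report(config):
    """Compare on-disk config size against the expanded in-memory ACL cost."""
    size, aces = len(config.encode()), expanded_aces(config)
    return {
        "config_bytes": size,
        "config_pct_of_limit": round(100 * size / CONFIG_LIMIT_BYTES, 2),
        "expanded_aces": aces,
        "ace_ram_bytes": aces * BYTES_PER_ACE,
        "fits_in_free_ram": aces * BYTES_PER_ACE <= FREE_RAM_BYTES,
    }


# Constructed sample config: 400 hosts in one group, referenced as both
# source and destination of a single ACL line (Walter's worst case).
SAMPLE = "object-group network hosts400\n" + "".join(
    f" network-object host 10.0.{i // 256}.{i % 256}\n" for i in range(400)
) + "access-list ACL permit ip object-group hosts400 object-group hosts400\n"
```

Running `report(SAMPLE)` shows the point of the post: a few kilobytes of configuration (about 1% of the 1 MB limit) expands to 160,000 ACEs, about 3.5 MB at 22 bytes each, which is more than the free memory Walter measured.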

  3. Alex

    Alex Guest

    Walter,

    Thanks - very comprehensive response!

    I think I'm fine for now, my config is still under 2000 lines - but I just
    wanted to be prepared, in case I needed to upgrade to a bigger PIX!

    Cheers,
    Alex


    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:cvoq7i$bb4$...
     
    Alex, Feb 26, 2005
    #3
