Understanding Resource Management 81

The FWSM has a pool of resources (memory) from which it allocates ACL memory to partitions. In multicontext mode, there are 12 memory partitions and two trees used exclusively for security policy rules: Uniform Resource Locator (URL) filtering statements, configured inspections, established rules, authentication, authorization, and accounting (AAA) authentication policies, remote access to the FWSM (SSH, Telnet, HTTP), Internet Control Message Protocol (ICMP) to the FWSM (configured using the ICMP CLI), policy Network Address Translation (NAT) configuration, and access list entries. Each of the 12 partitions receives an equal share of those resources. Each partition is maintained by a primary (active) tree and a backup tree; the backup tree is a mirror of the active tree. When the rule set changes, the new rules are compiled into the backup tree in the background while the active tree continues to switch traffic, so the compilation does not interrupt traffic currently passing through the FWSM. When the compilation has finished, the two trees swap roles and the newly compiled tree becomes the active one.
Starting with release 2.3, it is possible to modify the ACL memory space carving scheme. Instead of the default model of 12 pools plus 2 trees for downloadable ACLs, the administrator can divide the space as business needs require.
A detailed list of the items is located in Table 2-4 of Chapter 2, “Overview of the Firewall Services Module.” Looking at the output of show resource acl-partition from the system execution space, as demonstrated in Example 5-1, you can see that 14,173 rules are supported in each of the 12 partitions and that each of the three contexts that have been created uses one-twelfth of the total pool.
Example 5-1 Default Access Control List (ACL) Resource Allocation
FWSM# show resource acl-partition
Total number of configured partitions = 12
Partition #0
Mode                    : non-exclusive
List of Contexts        : ADMIN
Number of contexts      : 1(RefCount:1)
Number of rules         : 17(Max:14173)
Partition #1
Mode                    : non-exclusive
List of Contexts        : CustA
Number of contexts      : 1(RefCount:1)
Number of rules         : 17(Max:14173)
Partition #2
Mode                    : non-exclusive
List of Contexts        : CustB
Number of contexts      : 1(RefCount:1)
Number of rules         : 0(Max:14173)
Partition #3
Mode                    : non-exclusive
List of Contexts        : none
Number of contexts      : 0(RefCount:0)
Number of rules         : 0(Max:14173)
Partition #4
Mode                    : non-exclusive
List of Contexts        : none
Number of contexts      : 0(RefCount:0)
Number of rules         : 0(Max:14173)
Partition #5
Mode                    : non-exclusive
List of Contexts        : none
Number of contexts      : 0(RefCount:0)
Number of rules         : 0(Max:14173)
Partition #6
Mode                    : non-exclusive
List of Contexts        : none
Number of contexts      : 0(RefCount:0)
Number of rules         : 0(Max:14173)
Partition #7
Mode                    : non-exclusive
List of Contexts        : none
Number of contexts      : 0(RefCount:0)
Number of rules         : 0(Max:14173)
Partition #8
Mode                    : non-exclusive
List of Contexts        : none
Number of contexts      : 0(RefCount:0)
Number of rules         : 0(Max:14173)
Partition #9
Mode                    : non-exclusive
List of Contexts        : none
Number of contexts      : 0(RefCount:0)
Number of rules         : 0(Max:14173)
Partition #10
Mode                    : non-exclusive
List of Contexts        : none
Number of contexts      : 0(RefCount:0)
Number of rules         : 0(Max:14173)
Partition #11
Mode                    : non-exclusive
List of Contexts        : none
Number of contexts      : 0(RefCount:0)
Number of rules         : 0(Max:14173)

Partitions 3 through 11 are idle, waiting for a context to be added. If you do not plan to add more contexts, that is a waste of valuable resources. If there is a possibility of running out of resources, the partition space can be reallocated using the resource acl-partition command and specifying the number of partitions. This command requires a reboot of the FWSM.

After a reboot, the per-partition allocation has changed significantly: the maximum number of rules per partition went from 14,173 to 46,077, as Example 5-2 shows.
Example 5-2 Modified Access Control List (ACL) Resource Allocation
FWSM# show resource acl-partition
Total number of configured partitions = 3
Partition #0
Mode                    : non-exclusive
List of Contexts        : ADMIN
Number of contexts      : 1(RefCount:1)
Number of rules         : 18(Max:46077)
Partition #1
Mode                    : non-exclusive
List of Contexts        : CustA
Number of contexts      : 1(RefCount:1)
Number of rules         : 18(Max:46077)
Partition #2
Mode                    : non-exclusive
List of Contexts        : CustB
Number of contexts      : 1(RefCount:1)
Number of rules         : 0(Max:46077)

Notice that partitions 0, 1, and 2 have ADMIN, CustA, and CustB assigned, respectively. You can specify which context is associated with a partition using the allocate-acl-partition command in the system execution space, under the context definition:

context CustB
allocate-acl-partition 2

What happens when another context is added? It shares the resources of the next partition in the list; in this case that is partition 0, so two contexts now share one partition. Because rules are allocated from a partition on a first come, first served basis, a context that consumes most of a shared partition leaves the other context unable to add rules. Use caution when modifying these parameters.

Partition #0
Mode                    : non-exclusive
List of Contexts        : ADMIN, CustC
Number of contexts      : 2(RefCount:2)
Number of rules         : 19(Max:46077)

Now that the allocation has changed, you may be wondering how those resources are actually used. This can be viewed using the show resource rule command, as shown in Example 5-3.
Example 5-3 Resource Rule Allocation
FWSM# show resource rule
                Default   Configured   Absolute
CLS Rule        Limit     Limit        Max
------------+----------+------------+---------
Policy NAT      921       921          3333
ACL             34560     34560        34560
Filter          1382      1382         2764
Fixup           4608      4608         9216
Est Ctl         230       230          230
Est Data        230       230          230
AAA             3225      3225         6450
Console         921       921          1842
------------+----------+------------+---------
Total           46077     46077

Partition Limit - Configured Limit = Available to allocate
46077 - 46077 = 0
Now you can see exactly how memory is allocated for each resource. Your next question might be, “Can I reallocate those resources as well?” The answer is yes.
If you need to increase a particular value for a feature, use the resource rule command in the system execution space. After the option parameter, you can use a numeric value or the keywords current, default, or max. The following options are available:

• NAT: The number of NAT entries
• ACL: The number of ACL entries
• Filter: The number of filter rules
• Fixup: The legacy name for inspection
• Established (EST): The number of established commands
• AAA: The number of AAA rules
• Console: The number of management access and ICMP rules

Following are some specifics when you use this command:

• You cannot exceed the “absolute max” for any value from the show resource rule command.
• When resources are reallocated, the total cannot exceed the “total default limit” from the show resource rule command. For example, if you need to add 1000 ACL rules, you will need to decrease the total of the other options by 1000.
• A change affects all partitions. Make sure that a change in parameters will not adversely impact the FWSM.
• The changes take effect immediately.

To see how the allocated resources are actually being consumed in a given partition, use the show np 3 acl count command and specify the partition number, as shown in Example 5-4.

Example 5-4 Resource Rule Allocation
FWSM# show np 3 acl count 1
--- CLS Rule Current Counts ---
CLS Filter Rule Count     : 0
CLS Fixup Rule Count      : 3767
CLS Est Ctl Rule Count    : 4
CLS AAA Rule Count        : 24
CLS Est Data Rule Count   : 0
CLS Console Rule Count    : 18
CLS Policy NAT Rule Count : 0
CLS ACL Rule Count        : 22400
CLS ACL Uncommitted Add   : 0
CLS ACL Uncommitted Del   : 0
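Two of the caveats above can be checked mechanically before a change is made: a context that lands in an already occupied partition shares that partition's rule budget on a first come, first served basis, and a resource rule reallocation must keep every value at or below its absolute max while keeping the sum at or below the total default limit. The following Python script is an added example, not from this book or from Cisco. It parses the show resource acl-partition output format shown in Examples 5-1 and 5-2 and applies the limits from Example 5-3. The embedded sample output is constructed (a CustC context sharing partition 0, and CustB's rule count raised to illustrate a partition near its maximum); the 80 percent high-water threshold is an arbitrary choice; and the feature names are the row names of the show resource rule table, not the actual resource rule keyword syntax, which this page does not spell out.

```python
"""Capacity and isolation checks for FWSM ACL partitions.

Added example (not from the book or Cisco). Parses the output format of
'show resource acl-partition' shown on this page and validates a proposed
'resource rule' reallocation against the two constraints the text states.
"""
import re

# Constructed sample in the format of Example 5-2, after a fourth context
# (CustC) has been added and landed in partition 0 next to ADMIN, and with
# CustB's rule count raised to illustrate a partition close to its maximum.
SAMPLE_PARTITIONS = """\
Total number of configured partitions = 3
Partition #0
Mode                    : non-exclusive
List of Contexts        : ADMIN, CustC
Number of contexts      : 2(RefCount:2)
Number of rules         : 19(Max:46077)
Partition #1
Mode                    : non-exclusive
List of Contexts        : CustA
Number of contexts      : 1(RefCount:1)
Number of rules         : 18(Max:46077)
Partition #2
Mode                    : non-exclusive
List of Contexts        : CustB
Number of contexts      : 1(RefCount:1)
Number of rules         : 40000(Max:46077)
"""

# (default limit, absolute max) per row of Example 5-3. Row names are used
# as keys; the real 'resource rule' keywords are not shown on this page.
RULE_LIMITS = {
    "Policy NAT": (921, 3333),
    "ACL": (34560, 34560),
    "Filter": (1382, 2764),
    "Fixup": (4608, 9216),
    "Est Ctl": (230, 230),
    "Est Data": (230, 230),
    "AAA": (3225, 6450),
    "Console": (921, 1842),
}
TOTAL_DEFAULT_LIMIT = sum(d for d, _ in RULE_LIMITS.values())  # 46077


def parse_partitions(text):
    """Return one dict per 'Partition #N' block: id, contexts, rules, max."""
    parts, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Partition #(\d+)", line)
        if m:
            cur = {"id": int(m.group(1)), "contexts": [], "rules": 0, "max": 0}
            parts.append(cur)
            continue
        if cur is None or ":" not in line:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "List of Contexts":
            cur["contexts"] = [] if val == "none" else [c.strip() for c in val.split(",")]
        elif key == "Number of rules":
            m = re.match(r"(\d+)\(Max:(\d+)\)", val)
            cur["rules"], cur["max"] = int(m.group(1)), int(m.group(2))
    return parts


def partition_findings(parts, high_water=0.8):
    """Flag partitions where several contexts share one rule budget, and
    partitions whose rule count is at or above high_water of the maximum."""
    findings = []
    for p in parts:
        if len(p["contexts"]) > 1:
            findings.append((p["id"], "shared", p["contexts"]))
        if p["max"] and p["rules"] / p["max"] >= high_water:
            findings.append((p["id"], "near-max", p["rules"]))
    return findings


def validate_rule_plan(plan):
    """plan maps a feature row name to its proposed configured limit;
    unmentioned features keep their default. Returns the violations of the
    two rules on this page: no value above its absolute max, and the sum of
    all configured limits no higher than the total default limit."""
    errors = []
    for name, value in plan.items():
        if name not in RULE_LIMITS:
            errors.append(f"unknown feature {name}")
        elif value > RULE_LIMITS[name][1]:
            errors.append(f"{name}: {value} exceeds absolute max {RULE_LIMITS[name][1]}")
    total = sum(plan.get(n, d) for n, (d, _) in RULE_LIMITS.items())
    if total > TOTAL_DEFAULT_LIMIT:
        errors.append(f"total {total} exceeds total default limit {TOTAL_DEFAULT_LIMIT}")
    return errors


if __name__ == "__main__":
    for f in partition_findings(parse_partitions(SAMPLE_PARTITIONS)):
        print("partition %d: %s %s" % f)
    # Moving 1000 rules from Fixup to Filter keeps the total at 46077.
    print(validate_rule_plan({"Fixup": 3608, "Filter": 2382}))
```

Run against the constructed sample it reports partition 0 as shared by ADMIN and CustC and partition 2 as near its maximum; the reallocation plan that moves 1000 rules from Fixup to Filter passes, whereas raising Filter alone, or pushing ACL past 34560, is rejected. Because a resource rule change applies to every partition at once, the plan check is worth running before touching a multitenant box.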
Software release 3.1 significantly improves ACL memory capacity, up to a 31 percent improvement. Table 5-1 compares the ACL tree statistics of releases 2.3(4) and 3.1(2); note the larger maximum node count per tree in 3.1(2).

Table 5-1 Memory Utilization: Software Release 2.3(4) and 3.1(2) Comparison

Release 2.3(4)                              Release 3.1(2)
FWSM# show np 3 acl stats                   FWSM# show np 3 acl stats
--- ACL Tree Statistics ---                 --- ACL Tree Statistics ---
Rule count         : 0                      Rule count         : 0
Bit nodes (PSCBs)  : 0                      Bit nodes (PSCBs)  : 0
Leaf nodes         : 0                      Leaf nodes         : 0
Total nodes        : 0 (max 143,360)        Total nodes        : 0 (max 184,320)
Leaf chains        : 0                      Leaf chains        : 0
Total stored rules : 0                      Total stored rules : 0
Max rules in leaf  : 0                      Max rules in leaf  : 0
Node depth         : 0                      Node depth         : 0

Summary
Virtualization is one of the fundamental elements of the FWSM. It provides the ability to logically separate firewall instances into contexts, consequently providing separation of policies and leveraging the investment in hardware. Be aware that only a finite number of resources can be allocated to contexts; this may require some thoughtful consideration before implementation.