Cisco 7604 Configuration Guide - Page 79
Chapter 4 Configuring Security Contexts
Managing Memory for Rules

Guidelines

Caution: Failure to follow these guidelines might result in dropped access list configuration as well as other anomalies, including ACL tree corruption.

• The target partition and rule allocation settings must be carefully calculated, planned, and preferably tested in a non-production environment prior to making the change, to ensure that all existing contexts and rules can be accommodated.
• When failover is used, both FWSMs need to be reloaded at the same time after making partition changes. Reloading both FWSMs causes an outage with no possibility for a zero-downtime reload. At no time should two FWSMs with a mismatched number of partitions or rule limits synchronize over failover.
• Change the number of partitions before you set the partition sizes; changing the number of partitions affects the overall number of rules per partition. If you increase the number of partitions, for example, then the number of rules available per partition will be smaller. Therefore, your partition size configuration might be invalid, and you might need to reconfigure all your partition sizes. Changing the number of partitions requires you to reload the FWSM before you change the partition sizes; changing the partition sizes then requires a second reload.
• Allocate contexts to specific partitions before you set the partition sizes (see the "Configuring a Security Context" section on page 4-27). If you plan all your partition sizes based on the contexts currently assigned to a partition, but you did not specifically allocate the contexts, then you run the risk of context assignments shifting after a reload (for example, if you add or subtract contexts).
• Reduce the size of partition(s) before increasing the size of other partition(s). The FWSM rejects any increase in size if there is no free space available.
• If the existing number of ACEs does not fit into the new partition size, then the resizing is rejected.
• In addition to the memory partitions to which the FWSM assigns contexts, the FWSM uses a backup tree partition to process changes to rules, so that traffic can continue to use the old configuration until the new configuration is ready. The backup tree must be as large as the largest partition. Therefore, some memory is automatically assigned to the backup tree in tandem with the largest partition; be sure to include the backup tree in your calculations.
• If you reduce the size of a partition, the FWSM checks the rule allocation (see the "Reallocating Rules Between Features for a Specific Memory Partition" section on page 4-19). If you manually allocated rules between features so that the total number of rules allocated is now greater than those available, then the FWSM rejects the resizing of the partition. Similarly, if the absolute maximum number of rules for a feature is now exceeded, then the FWSM rejects the resizing of the partition.

Detailed Steps

To set the size of the memory partitions, perform the following steps:

Step 1 To view the current partition sizes, enter the following command:

hostname(config)# show resource partition

For example, the following output shows that each of 12 partitions has the default 19,219 rules (this is an example only, and might differ from the actual number of rules for your system). The backup tree always matches the largest partition size, so it also has 19,219 rules, for a total of 249,847 rules.

hostname(config)# show resource partition

OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-15
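As an added planning aid (not a Cisco tool and not part of this guide), the following Python script models the sizing rules in the guidelines above: the backup tree always matches the largest partition, an increase is rejected when no free rule space exists (so shrink first), and a shrink below a partition's existing ACE count is rejected. The 249,847 total and 19,219 default come from the example output on this page; the partition names, ACE counts and resize sequence are constructed.

```python
"""Dry-run checker for FWSM memory-partition resizing (added example, not Cisco code).

Models the guidelines on this page so a planned sequence of size changes can be
checked before touching a production FWSM. The feature-level rule allocation check
(page 4-19) is not modelled here.
"""

TOTAL_RULES = 249_847          # from the page's example: 12 partitions + backup tree
DEFAULT_PER_PARTITION = 19_219 # default rules per partition in the same example


def backup_tree_size(sizes):
    """The backup tree is always as large as the largest partition."""
    return max(sizes.values())


def memory_in_use(sizes):
    """Rules consumed by every partition plus the backup tree that shadows the largest."""
    return sum(sizes.values()) + backup_tree_size(sizes)


def plan_resize(sizes, changes, existing_aces, total_rules=TOTAL_RULES):
    """Apply (partition, new_size) changes one at a time, the way the FWSM accepts
    or rejects each command. Returns (final_sizes, list_of_rejection_reasons)."""
    current = dict(sizes)
    rejected = []
    for name, new_size in changes:
        # Guideline: a size that cannot hold the ACEs already present is rejected.
        if new_size < existing_aces.get(name, 0):
            rejected.append(f"{name}: {existing_aces[name]} existing ACEs do not fit in {new_size}")
            continue
        trial = dict(current)
        trial[name] = new_size
        # Guideline: growth (including the backup tree growing with the largest
        # partition) is rejected unless enough rule space is free right now.
        shortfall = memory_in_use(trial) - total_rules
        if shortfall > 0:
            rejected.append(f"{name}: resize to {new_size} needs {shortfall} more rules than are free")
            continue
        current = trial
    return current, rejected


if __name__ == "__main__":
    # Constructed scenario: all 12 partitions at default, partition3 already holds 12,000 ACEs.
    sizes = {f"partition{i}": DEFAULT_PER_PARTITION for i in range(1, 13)}
    aces = {"partition3": 12_000}
    plan = [("partition1", 23_829), ("partition2", 10_000), ("partition1", 23_828)]
    final, why = plan_resize(sizes, plan, aces)
    print("free rules after plan:", TOTAL_RULES - memory_in_use(final))
    for reason in why:
        print("rejected ->", reason)
```

Note that growing the largest partition by N rules costs 2N, because the backup tree grows with it; the checker makes that cost visible before a reload.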