Cisco 7609-S Configuration Guide - Page 85
Configuring Resource Management
Chapter 4 Configuring Security Contexts

hostname(config-partition)# rule nat {max_policy_nat_rules | current | default | max} acl {max_ace_rules | current | default | max} filter {max_filter_rules | current | default | max} fixup {max_inspect_rules | current | default | max} est {max_established_rules | current | default | max} aaa {max_aaa_rules | current | default | max} console {max_console_rules | current | default | max}

You must enter all arguments in this command. This command takes effect immediately.

The nat max_policy_nat_rules argument sets the maximum number of policy NAT ACEs, between 0 and 10000.

The acl max_ace_rules argument sets the maximum number of ACEs, between 0 and the system limit. The system limit depends on how many memory partitions you configured. See Step 1 to use the show resource rule command.

The filter max_filter_rules argument sets the maximum number of filter rules, between 0 and 6000.

The fixup max_inspect_rules argument sets the maximum number of inspect rules, between 0 and 10000.

The est max_established_rules argument sets the maximum number of established commands, between 0 and 716. Each established command creates two rules, a control rule and a data rule. Both rule types appear in the show np 3 acl count and show resource rule displays, but you set both with the single est keyword, whose value is the number of established commands. Double the value you enter here when comparing the total number of configured rules with the total number of rules shown by those show commands.

The aaa max_aaa_rules argument sets the maximum number of AAA rules, between 0 and 10000.

The console max_console_rules argument sets the maximum number of ICMP, Telnet, SSH, and HTTP rules, between 0 and 4000.

The current keyword keeps the value currently set. The default keyword sets the maximum to the default for the feature. The max keyword sets the maximum to the highest value allowed for the feature.
Be sure to set other features lower to accommodate this value. For example, for partition 0, to reallocate 999 rules from the default 14,801 ACEs to inspections (default 9001), enter the following commands:

hostname(config)# resource partition 0
hostname(config-partition)# rule nat default acl 13802 filter default fixup 10000 est default aaa default console default

Configuring Resource Management

By default, all security contexts have unlimited access to the resources of the FWSM, except where maximum limits per context are enforced. However, if you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context.

Note The FWSM does not limit the bandwidth per context; however, the switch containing the FWSM can limit bandwidth per VLAN. See the switch documentation for more information.

OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-21