I won't speak to the wrong solution for the wrong market but as far as large ACLs, I would agree with Tony. I've seen hundreds of different ASA configurations for a variety of customers in a variety of markets and generally once you start reaching the limits of the box you start losing sight of what your original security policies are. In almost every (not all) cases that I've seen resource exhaustion due to ACLs it's almost always gone hand in hand with security policies that aren't followed well or clear cut (i.e., overlapping security rules, lack of rule aggregation, not sure why rule X is in there, things of this nature). -Pete On Sat, Nov 6, 2010 at 9:54 AM, Tony Varriale <tvarriale@comcast.net> wrote:
----- Original Message ----- From: "gordon b slater" <gordslater@ieee.org> To: "Tony Varriale" <tvarriale@comcast.net> Cc: <nanog@nanog.org> Sent: Saturday, November 06, 2010 4:38 AM Subject: Re: BGP support on ASA5585-X
On Fri, 2010-11-05 at 21:50 -0500, Tony Varriale wrote:
<somebody> said:
They could make it out of the box but this is why Dylan made his
statement.
His statement is far fetched at best. Unless of course he's speaking of 100 million line ACLs.
Can I just ask out of technical curiosity:
Well, let me preface this thread with: the previous poster was/is from a hosting company. ASAs aren't ISP/Hosting level boxes. They are SMB to enterprise boxes.
It's like saying yeah that 2501 doesn't meet our customer agg requirements at our ISP. Of course it doesn't. Wrong product wrong solution.
With that said, from what I see in the field 10s of thousands. I've seen as high as 80k.
But, once you get into that many ACLs, IMO there's either an ACL or security/network design problem.
tv