[c-nsp] FW: Tuning rules on a 6500 Cisco Firewall?(FWSM)

Patrick Vanderstocken patrhak at gmail.com
Wed Jul 12 09:47:42 EDT 2006


I agree, I am working right now on a config with 3000 access-lists
generated by only 50 entries, so it is possible to nest that stuff in a
quite orderly manner.
Make sure indeed that you use clear object-group names; it will make
your life easier later :-)
I am not aware of such a tool, but most of the time there are tons
of unused access-lists that can be located by filtering on hit counts
that are set to 0. I remember one day I managed to reduce 3000+ ACLs
to 190 by removing the unnecessary entries :-)

Pat

On 7/12/06, Ge Moua <moua0100 at umn.edu> wrote:
> We use FWSM here at the UMN-TC and employ extensive object-groups.  This is
> only a suggestion if you are starting from scratch.
>
>
> :-)
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
>
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
> 2218 University Ave SE | Minneapolis, MN 55414-3029
> Office: 612.626.2779 | Pager: 612.###.#### | Fax: 612.626.1818
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Frank Bulk
> Sent: Tuesday, July 11, 2006 5:06 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] FW: Tuning rules on a 6500 Cisco Firewall?(FWSM)
>
> This was posted on the RESNET-L listserv....is there such a tool?
>
> Frank
>
>   _____
>
> From: Resnet Forum [mailto:RESNET-L at listserv.nd.edu] On Behalf Of Pickett,
> Eldred
> Sent: Tuesday, July 11, 2006 11:40 AM
> To: RESNET-L at listserv.nd.edu
> Subject: Tuning rules on a 6500 Cisco Firewall?(FWSM)
>
> We currently have over 7000 access-list rules generated by 198 statements.
> What's a good way to figure out how to 'condense' these somehow?  Is there
> a utility that can give you a list of redundancies?  I can imagine that
> going through 7000+ rules manually line-by-line would be a pain.
>
> Thanks for any help.
>
> Eldred Pickett
> Network Administrator
> Housing Information Technology Department (HITO)
> University of Michigan Housing
> 1325 Mary Markley Hall
> 1503 Washington Heights
> Ann Arbor, MI 48109-2015
> Phone: (734)-615-5035
> Fax: (734)-615-8448
>
> ___________________________________________________ You are subscribed to
> the ResNet-L mailing list.
>
> To subscribe, unsubscribe or search the archives, go to
> http://LISTSERV.ND.EDU/archives/resnet-l.html
> ___________________________________________________
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
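As an added example (not from anyone in this thread), the script below applies the hit-count filter Pat describes to FWSM/ASA `show access-list` output: it groups the expanded entries back to the configured statement they came from, flags statements whose every expansion has hitcnt=0, and lists expanded entries that exactly repeat an earlier entry in the same ACL, which is the simplest kind of redundancy Eldred asked about. The sample output, ACL name and object-group names are constructed; the real layout differs between software versions, so check the regex against your own output.

```python
import re
from collections import defaultdict

# Constructed sample in the style of FWSM/ASA "show access-list" output.
# A statement using object-groups is shown once as configured, then once per
# expanded entry (indented) with its hit counter. The exact layout differs
# between software versions, so verify the regex against real output.
SAMPLE = """\
access-list outside_in; 6 elements
access-list outside_in line 1 extended permit tcp any host 10.0.0.10 eq www (hitcnt=4821)
access-list outside_in line 2 extended permit tcp any object-group MAIL_SRV object-group MAIL_PORTS
  access-list outside_in line 2 extended permit tcp any host 10.0.0.20 eq smtp (hitcnt=0)
  access-list outside_in line 2 extended permit tcp any host 10.0.0.21 eq smtp (hitcnt=0)
  access-list outside_in line 2 extended permit tcp any host 10.0.0.20 eq imap4 (hitcnt=0)
access-list outside_in line 3 extended permit tcp any object-group WEB_SRV eq www
  access-list outside_in line 3 extended permit tcp any host 10.0.0.10 eq www (hitcnt=0)
  access-list outside_in line 3 extended permit tcp any host 10.0.0.11 eq www (hitcnt=77)
"""

# Only expanded entries carry "(hitcnt=N)"; the configured object-group line does not.
ACE = re.compile(r"^\s*access-list (\S+) line (\d+) (.*?)\s*\(hitcnt=(\d+)\)")

def parse_hitcounts(text):
    """Map (acl, line) -> [(expanded ACE text, hit count), ...]."""
    stmts = defaultdict(list)
    for raw in text.splitlines():
        m = ACE.match(raw)
        if m:
            acl, line, ace, hits = m.groups()
            stmts[(acl, int(line))].append((ace, int(hits)))
    return dict(stmts)

def unused_statements(stmts):
    """Configured statements where every expanded entry has hitcnt=0."""
    return sorted(k for k, entries in stmts.items()
                  if all(hits == 0 for _, hits in entries))

def duplicate_entries(stmts):
    """Expanded entries identical to an earlier entry in the same ACL (shadowed)."""
    first_seen, dups = {}, []
    for (acl, line), entries in sorted(stmts.items()):
        for ace, _ in entries:
            if (acl, ace) in first_seen:
                dups.append((acl, line, ace, first_seen[(acl, ace)]))
            else:
                first_seen[(acl, ace)] = line
    return dups
```

A zero hit count only shows that the entry has not matched since the counters were last cleared or the module reloaded, so treat the output as review candidates rather than removing them outright.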