Case Study 2: Understanding Access-List Memory Utilization

As stated previously, the Network Processors on the FWSM act as hardware assistants to the general-purpose CPU, relieving it of heavy packet processing such as access-list verification, network address translation, TCP sequence number randomization, and so on. One of the three network processors, namely NP3, is responsible for permitting or rejecting the initial packet of a flow according to the rules specified by the security policy. In other words, NP3 enforces access-list decisions in hardware. To make that possible, access-lists entered through the command line interface (CLI) or a graphical user interface (GUI) are compiled into a form the hardware can recognize. NP3 is equipped with 20MB of on-board, non-expandable memory reserved for rule storage. Those 20MB are dedicated exclusively to security policy rules, which comprise the following:

  • URL filtering statements

  • Configured fixups

  • Established rules

  • AAA authentication policies

  • Remote access to the FWSM (SSH, Telnet, HTTP)

  • ICMP to the FWSM (as configured using the ICMP CLI)

  • Policy NAT configuration

  • Access-list entries

It is worth noting that translation (xlate) entries and connection entries do not consume any of that memory space. The goal of this application note is to provide further detail on how access-lists are stored and processed on the FWSM.