Note
In 2.2 Single mode, there are 2 extra partitions reserved for downloadable ACLs (one active and one backup).
How Memory Is Allocated: Release 1.1(x) or 2.2(1) in Single Mode
With release 1.1(x), or with release 2.2(1) running in Single mode, the 20MB memory space is carved up evenly into two 10MB chunks. When the FWSM is running in single mode, a maximum theoretical limit of 63078 ACEs can be configured out of a total of 82819 rules (see Example 4-34 for the breakdown of this number).
Example 4-34. Breakdowns in the Number of Nodes in NP3 Processors for Memory
Note that connection entries and NAT translations do not borrow from this memory space. Whenever an ACE is modified (a new entry, a deletion, or a change to an existing entry), the entire tree is recompiled. This is the reason for the sustained high CPU utilization observed when a substantial number of ACEs is present: the compilation task runs on the generic CPU, and only the final result is pushed down to the hardware. Note also that the mapping between ACEs and node utilization is not necessarily one-to-one. Some ACEs, such as permit udp 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0, can expand into multiple nodes in the tree, so the practical total can be fewer than 63078 ACEs; your mileage may vary. Optimizations for certain types of ACEs were introduced in release 2.2(1.11), significantly reducing the expansion of ACEs that use wildcards, such as permit udp any any.