Trees and contexts: A Matter of Mapping
As contexts (virtual firewalls) are created, they are assigned to an ACL memory pool in a round-robin fashion. Although this satisfies the large majority of deployments, in some cases this fixed 12-tree allocation of memory space is not optimal. Examine the following examples:
- Three contexts: the first context is assigned to pool 1, the second context to pool 2, and the third context to pool 3. Each context can use a maximum of 9704 ACEs. Nine-twelfths of the total memory cannot be used by these contexts.
- One context with a very large ACL configuration, five contexts with only 20 ACEs each: each context is assigned to a pool in a round-robin fashion. With six contexts, 50 percent of the rule memory space cannot be used; even though contexts 2 to 6 use only a total of 100 rules, context 1 cannot borrow from their pools. Context 1 has to make do with the 9704 entries its pool offers.
- Twenty contexts: after the 12th context is created, the next context shares rule memory space with the first context. Also, if a change is made to an ACE in either context, the first tree is recompiled.
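The three scenarios above follow from one simple rule: the n-th context created lands in pool ((n - 1) mod 12) + 1, and no context can reach capacity outside its own pool. The following model is an added example, not FWSM code or anything from Cisco documentation; it takes the pool count (12) and the per-pool capacity (9704 ACEs) from the text, and the context names and per-context ACE counts in the scenario functions are constructed sample input. It reports, for a given creation order, which pools stay empty (memory no context can use), which pools are shared (one tree, recompiled on any ACE change in either context), and which pools are asked for more ACEs than they offer, which is the capacity-planning check a practitioner wants before creating contexts.

```python
# Added example: model of the fixed 12-pool, round-robin ACL memory mapping.
# Not FWSM code. POOLS and ACES_PER_POOL come from the text; the scenario
# inputs below are constructed.
from dataclasses import dataclass
from typing import Dict, List

POOLS = 12             # fixed number of ACL trees (memory pools)
ACES_PER_POOL = 9704   # maximum ACEs a single pool offers


@dataclass
class PoolReport:
    assignments: Dict[int, List[str]]  # pool -> contexts mapped to it, in creation order
    load: Dict[int, int]               # pool -> total ACEs those contexts configure
    over_capacity: List[int]           # pools asked for more than ACES_PER_POOL
    shared: List[int]                  # pools holding more than one context (one tree)
    unused_fraction: float             # empty pools / POOLS: rule memory no context can reach


def assign_round_robin(contexts: Dict[str, int]) -> PoolReport:
    """Map contexts to pools as the text describes.

    `contexts` maps context name -> number of ACEs it configures, in creation
    order (dict preserves insertion order). The n-th context goes to pool
    ((n - 1) mod 12) + 1, so the 13th context shares pool 1 with the first.
    """
    assignments: Dict[int, List[str]] = {p: [] for p in range(1, POOLS + 1)}
    load: Dict[int, int] = {p: 0 for p in range(1, POOLS + 1)}
    for index, (name, aces) in enumerate(contexts.items()):
        pool = (index % POOLS) + 1
        assignments[pool].append(name)
        load[pool] += aces
    over_capacity = [p for p in load if load[p] > ACES_PER_POOL]
    shared = [p for p in assignments if len(assignments[p]) > 1]
    empty = sum(1 for p in assignments if not assignments[p])
    return PoolReport(assignments, load, over_capacity, shared, empty / POOLS)


def scenario_three_contexts() -> PoolReport:
    # Constructed input: three contexts with modest ACLs.
    return assign_round_robin({"ctxA": 500, "ctxB": 800, "ctxC": 300})


def scenario_one_large_five_small() -> PoolReport:
    # Constructed input: context 1 configures 12000 ACEs (more than one pool
    # offers), contexts 2 to 6 configure 20 ACEs each (100 in total).
    ctxs = {"ctx1": 12000}
    ctxs.update({f"ctx{i}": 20 for i in range(2, 7)})
    return assign_round_robin(ctxs)


def scenario_twenty_contexts() -> PoolReport:
    # Constructed input: twenty contexts with 100 ACEs each.
    return assign_round_robin({f"ctx{i:02d}": 100 for i in range(1, 21)})


if __name__ == "__main__":
    for label, report in [
        ("three contexts", scenario_three_contexts()),
        ("one large + five small", scenario_one_large_five_small()),
        ("twenty contexts", scenario_twenty_contexts()),
    ]:
        print(f"{label}: unused {report.unused_fraction:.0%}, "
              f"over capacity {report.over_capacity}, shared {report.shared}")
        for pool, names in report.assignments.items():
            if names:
                print(f"  pool {pool:2d}: {names} ({report.load[pool]} ACEs)")
```

Running it reproduces the figures in the text: 75 percent of rule memory idle with three contexts, 50 percent idle with six (and pool 1 flagged over capacity because the large context cannot borrow from the five nearly empty pools), and pools 1 to 8 each shared by two contexts once twenty exist.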
FWSM release 2.3 introduces an improved ACL partition management scheme that addresses the three scenarios just discussed.