On Fri, 2010-11-05 at 21:50 -0500, Tony Varriale wrote:

><somebody> said:
> >They could make it out of the box but this is why Dylan made his statement.
> His statement is far-fetched at best. Unless of course he's speaking of 100 million line ACLs.

Can I just ask out of technical curiosity:

Q: What is considered a "large" number of ACL lines for these recent ASA
boxes? I realise "it depends", so I'm looking for a loose ball-park
response (or preferably a rule-of-thumb equation?).

background to the question:
I have several special-purpose BSD boxes that have several hundred lines
of PF filtering rules (the equivalent of a Cisco ACL line). One has
nearly 2300.
These are consolidated with macros (PF anchors/tables) and dynamic
rulesets, so are already highly optimised. The rules are in addition to
the shaping and anti-spoofing; these boxes are in a critical location in
the (very sensitive) very complex network.
I'm just wondering if this is "a lot" in the world of recent ASAs,
having had no relevant experience with them (at this level).


soul for sale - apply within
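For readers unfamiliar with the consolidation the poster describes (macros, tables, anchors and dynamic rulesets), here is an added pf.conf illustration. It is not from the original message or from the poster's boxes; the interface names, networks, addresses and file paths are made up for the example.

```pf
# Added illustration, not the poster's ruleset. Interfaces, networks,
# addresses and paths below are invented for the example.

# Macros: substitute names so a change of interface or prefix is one edit.
ext_if   = "em0"
int_if   = "em1"
mgmt_net = "10.10.0.0/24"

# A table replaces one "pass" line per management host. Membership can be
# changed at runtime (pfctl -t mgmt_hosts -T add 10.10.0.8) without
# reloading the ruleset, which is what makes the ruleset "dynamic".
table <mgmt_hosts> { 10.10.0.5, 10.10.0.6, 10.10.0.7 }

# A persistent table loaded from a file survives "pfctl -f" reloads and
# can hold thousands of addresses behind a single rule line.
table <blocked> persist file "/etc/pf/blocked.txt"

set skip on lo0

# Anti-spoofing: one statement expands to block rules for each listed
# interface's directly connected networks.
antispoof quick for { $ext_if, $int_if }

# One line, however many addresses the table holds.
block in log quick on $ext_if from <blocked> to any

# Without the table this would be one "pass" line per host; the saving
# grows with the number of hosts, so the line count understates the policy.
pass in quick on $int_if proto tcp from <mgmt_hosts> to ($int_if) port { 22, 443 }

# An anchor is a named sub-ruleset that can be replaced independently
# (pfctl -a dyn -f /etc/pf/dyn.conf) without touching the main rules.
anchor "dyn"
```

The point for the ASA comparison is that a PF line count after this kind of consolidation is not directly comparable to a count of flat ACL entries: one table-backed rule above may stand in for hundreds of per-host lines, so "2300 lines" of PF can represent a considerably larger expanded policy.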
