The Cisco ASA firewall has no hard limit on the number of Access Control Entries (ACEs). The practical limit is the RAM of the model, since each ACE uses at least 212 bytes of memory.
Once you reach or get close to the maximum number of ACEs, the performance of the ASA decreases by 10-15%.
Use the table below to stay within the maximum recommended number of Access List Entries for your model.
An easy way to find out how many ACEs each ACL has is this command: show access-list | include elements
| Model | Max Recommended ACEs | Tested ACEs |
|---|---|---|
| 5505 | 25k | |
| 5510 | 80k | 80k |
| 5512-X | 100k | |
| 5515-X | 100k | |
| 5520 | 200k | 300k |
| 5525-X | 200k | |
| 5540 | 500k | 700k |
| 5545-X | 300k | |
| 5550 | 700k | 700k |
| 5555-X | 500k | |
| 5580 | 750k | 1 mil+ |
| 5585 10/20/40/60 | 500k/750k/1 mil/2 mil | 500k/750k/1 mil/2 mil |
| ASA SM | 2 mil | 2 mil |
Source: Cisco Live! 2014 presentation.
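To put the table and the 212-bytes-per-ACE figure to use, here is an added example (not from the original page or from Cisco) that parses the per-ACL summary lines produced by show access-list | include elements, sums the element counts, estimates the RAM they consume and compares the total against the recommended maximum for a model. The sample output is constructed in the format the ASA uses for those lines, the 80% warning threshold is an assumption chosen here, and the model table is transcribed from the page (the multi-value 5585 row is left out for simplicity).

```python
import re

# Minimum RAM per ACE, as stated on the page.
BYTES_PER_ACE = 212

# Max recommended ACEs per model, transcribed from the page's table.
# The 5585 row (which varies by SSP) is omitted here; add it as needed.
MAX_RECOMMENDED_ACES = {
    "5505": 25_000,
    "5510": 80_000,
    "5512-X": 100_000,
    "5515-X": 100_000,
    "5520": 200_000,
    "5525-X": 200_000,
    "5540": 500_000,
    "5545-X": 300_000,
    "5550": 700_000,
    "5555-X": 500_000,
    "5580": 750_000,
    "ASA SM": 2_000_000,
}

# Per-ACL summary line printed by the ASA, for example:
#   access-list outside_in; 18500 elements; name hash: 0x2a1b3c4d
_SUMMARY_RE = re.compile(r"^access-list\s+(\S+);\s+(\d+)\s+elements\b")

# Constructed sample of 'show access-list | include elements' output.
SAMPLE_OUTPUT = """\
access-list outside_in; 18500 elements; name hash: 0x2a1b3c4d
access-list inside_out; 4200 elements; name hash: 0x5e6f7a8b
access-list dmz_in; 800 elements; name hash: 0x9c0d1e2f
"""


def parse_elements(output: str) -> dict:
    """Return {acl_name: element_count} from the command output."""
    counts = {}
    for line in output.splitlines():
        m = _SUMMARY_RE.match(line.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def total_aces(counts: dict) -> int:
    """Total ACEs across all parsed ACLs."""
    return sum(counts.values())


def estimated_memory_bytes(ace_count: int) -> int:
    """Lower-bound RAM estimate using the 212 bytes/ACE figure."""
    return ace_count * BYTES_PER_ACE


def capacity_report(counts: dict, model: str, warn_fraction: float = 0.8) -> dict:
    """Compare the ACE total against the model's recommended maximum.

    warn_fraction is an assumed threshold (80%) at which to start planning
    cleanup; the page only says performance drops 'close to' the maximum.
    """
    if model not in MAX_RECOMMENDED_ACES:
        raise ValueError(f"unknown model {model!r}")
    total = total_aces(counts)
    limit = MAX_RECOMMENDED_ACES[model]
    utilisation = total / limit
    if total > limit:
        status = "OVER"
    elif utilisation >= warn_fraction:
        status = "WARN"
    else:
        status = "OK"
    return {
        "model": model,
        "total_aces": total,
        "limit": limit,
        "utilisation": round(utilisation, 4),
        "estimated_bytes": estimated_memory_bytes(total),
        "status": status,
    }


if __name__ == "__main__":
    acls = parse_elements(SAMPLE_OUTPUT)
    for model in ("5505", "5520"):
        print(capacity_report(acls, model))
```

Paste the real output of the command in place of SAMPLE_OUTPUT (or read it from a file) and pick your model; a WARN or OVER status is the cue to consolidate ACLs with object-groups or remove stale entries before the performance drop the page describes sets in.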