Access Control Entries (ACEs)

Think about access control entries in terms of what you can see and what you can't see.

Here's what you can see. In terms of CDO's user interface, a rule you add to the network policy is an access control entry on the ASA. The rule defines what network traffic is allowed between a source and destination address or one group of addresses and another group of addresses.

Here's what you can't see. The ASA expands the network rule you created to account for every possible combination of source IP address and destination IP address implied by the network rule. For example, if there is a rule where three IP addresses in one network object are denied from accessing three IP addresses in another object, then there are 9 possible access control entries that the ASA stores in memory.

There is no hard-coded limit to the number of ACEs that an ASA can process but ASA performance will degrade when the number of ACEs gets too large. See Table 4. "Maximum Access Control Entries for Cisco ASA Models" in this Adaptive Security Appliance FAQ for the maximum number of ACE entries expected for a particular ASA device.

CDO maintains the total number of ACEs, derived from all of your network policies, and informs you when that ACE count exceeds the maximum limit of ACEs expected on your appliance. This is the information CDO provides:

Reducing the Number of ACEs on your Device

Here are some approaches to reducing the number of ACEs on a device that has exceeded the maximum number of expected ACEs: