Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 5 Managing Security Contexts
Configuring Resource Management
The FWSM lets you assign unlimited access to one or more resources in a class, instead of a percentage
or absolute number. When a resource is unlimited, contexts can use as much of the resource as the system
has available. For example, Context A, B, and C are in the Silver Class, which limits each class member
to 1 percent of the system inspections per second, for a total of 3 percent; but the three contexts are
currently only using 2 percent combined. Gold Class has unlimited access to inspections. The contexts
in Gold Class can use more than the 97 percent of “unassigned” inspections; they can also use the
1 percent of inspections not currently in use by Context A, B, and C, even if that means that Context A,
B, and C are unable to reach their 3 percent combined limit. (See Figure 5-9.) Setting unlimited access
is similar to oversubscribing the FWSM, except that you have less control over how much you
oversubscribe the system.
Figure 5-9 Unlimited Resources
Default Class
All contexts belong to the default class if they are not assigned to another class; you do not have to
actively assign a context to the default class.
If a context belongs to a class other than the default class, those class settings always override the default
class settings. However, if the other class has any settings that are not defined, then the member context
uses the default class for those limits. For example, if you create a class with a 2 percent limit for all
concurrent connections, but no other limits, then all other limits are inherited from the default class.
Conversely, if you create a class with a 2 percent limit for all resources, the class uses no settings from
the default class.
By default, the default class provides unlimited access to resources for all contexts, except for the
following limits, which are by default set to the maximum allowed per context:
• Telnet sessions—5 sessions.
• SSH sessions—5 sessions.
• IPSec sessions—5 sessions.
• MAC addresses—65,535 entries.
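The inheritance rule and the unlimited-access case described above, as an added example (not from the Cisco guide): a small Python model that resolves a context's effective limit and shows an unlimited Gold context absorbing capacity that Silver members had not yet used. The resource key names, the context name G1, the first-come admission order, and the precedence of a per-resource setting over an "all" setting are assumptions of this model, not FWSM behavior documented on this page.

```python
UNLIMITED = None        # sentinel for "unlimited access" (constructed)
SYSTEM_TOTAL = 10_000   # inspections (fixups) per second, as in Figure 5-9

# Default class per the text: unlimited except these per-context maximums.
# Resource key names here are illustrative, not FWSM keywords.
DEFAULT_CLASS = {"telnet": 5, "ssh": 5, "ipsec": 5, "mac_addresses": 65_535}

def effective_limit(class_limits, resource):
    """A class setting overrides the default class; undefined settings inherit."""
    if resource in class_limits:
        return class_limits[resource]
    if "all" in class_limits:      # a limit for all resources: nothing inherited
        return class_limits["all"]
    return DEFAULT_CLASS.get(resource, UNLIMITED)

def to_absolute(limit, total=SYSTEM_TOTAL):
    """Turn 'N%' or an absolute number into a ceiling; unlimited is the whole system."""
    if limit is UNLIMITED:
        return total
    if isinstance(limit, str) and limit.endswith("%"):
        return total * int(limit[:-1]) // 100
    return int(limit)

def admit(requests, classes, membership, resource="inspections"):
    """Grant requests in arrival order (assumed model); return usage per context."""
    used = {}
    for ctx, amount in requests:
        limits = classes.get(membership.get(ctx), {})   # no class: default class
        cap = to_absolute(effective_limit(limits, resource))
        free = SYSTEM_TOTAL - sum(used.values())
        grant = max(0, min(amount, cap - used.get(ctx, 0), free))
        used[ctx] = used.get(ctx, 0) + grant
    return used

def scenario():
    """Silver A, B, C at 1% each use 2% combined; Gold context G1 is unlimited."""
    classes = {"silver": {"inspections": "1%"}, "gold": {"inspections": UNLIMITED}}
    membership = {"A": "silver", "B": "silver", "C": "silver", "G1": "gold"}
    requests = [("A", 100), ("B", 50), ("C", 50), ("G1", 9_900), ("B", 50)]
    return admit(requests, classes, membership)

if __name__ == "__main__":
    print(effective_limit({"connections": "2%"}, "ssh"))   # inherited from default
    print(scenario())                                       # B stays at 50 of its 100
```

In the scenario, B's second request is denied even though B is below its 1 percent limit, because G1 has already consumed everything the system had left.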
[Figure 5-9 content: Total Number of Fixups per Second = 10,000. Legend: maximum connections allowed; connections denied because system limit was reached; connections in use. Contexts A, B, C in Silver Class; Contexts 1, 2, 3 in Gold Class.]