ExtremeSwitching (EOS)

  • 1.  7100-Series / ACL / Access Control List Limitations

    Posted 02-16-2017 07:42
    We try to transfer an ACL from a DFE module (with Advanced Licence) to a 7100 (about 300 entries). We can only enter 180 lines, then we're done.

    TOR(rw-cfg-ext-acl-160)->permit tcp host 192.168.60.254 any eq 2222
    Apply access-group failed: Insufficient resources to apply access-group
    TOR(rw-cfg-ext-acl-160)-><165>Feb 15 03:01:46 0.0.0.0 RtrAcl[1]
    Rules Exhausted for IpV4 Egress Acls, interfaces applied 1 Need 2 rules but have only 1, cannot apply
    --------------------------------------------------------------------------------------------------------
    The "show limits" command displays:

    Chassis limits:
    Application                      Limit     In use    Entry size   Total Memory
    -------------------------------- --------- --------- ------------ ------------
    access-lists                     256       9         125K         31.3M
    access-list-entries              1000      180       160B         156.4K
    access-list-entries-per-list     1000      -         -            -
    applied-access-lists             1552      8         110B         165.5K
    applied-ipv4-in                  256       0         -            -
    applied-ipv4-out                 256       8         -            -
    applied-ipv6-in                  256       0         -            -
    applied-ipv6-out                 256       0         -            -
    applied-l2-in                    256       0         -            -
    applied-l2-out                   256       0         -            -
    --------------------------------------------------------------------------------------------------------
    The "show limits resource-profile -verbose" command displays:

    Resource Profile: configured (default), operational (default)
    Resource Profile: default
    Authenticated Users = 512
    MAC Rules = 128
    IPV6 Rules = 127
    IPV4 Rules = 249
    L2 Rules = 175
    IPV6 Ingress ACL = 0
    IPV6 PBR = 0
    IPV4 Ingress ACL = 0
    IPV4 PBR = 0
    L2 Ingress ACL = 0
    IPV6 Egress ACL = 256
    IPV4 Egress ACL = 256
    L2 Egress ACL = 0
    --------------------------------------------------------------------------------------------------------
    How can we solve the problem (more accepted entries in the ACL)?


  • 2.  RE: 7100-Series / ACL / Access Control List Limitations

    Posted 02-16-2017 08:02
    Hi,

    The limits for ACLs in the 7100 series platform are smaller than in the N-Series. I believe it is a hardware limitation.

    I am afraid this is FAD (Functions as Designed).

    In another client, what I did is convert part of it (if not all) to policies using Policy Manager.

    Hope it helps.


  • 3.  RE: 7100-Series / ACL / Access Control List Limitations

    Posted 02-16-2017 08:21
    But why does the switch show:

    IPV4 Rules = 249

    or

    Chassis limits:
    Application                      Limit     In use    Entry size   Total Memory
    -------------------------------- --------- --------- ------------ ------------
    access-lists                     256       9         125K         31.3M
    access-list-entries              1000      180       160B         156.4K

    and we ended at 180 ACL-entries?


  • 4.  RE: 7100-Series / ACL / Access Control List Limitations

    Posted 02-20-2017 06:33
    Does somebody know why the switch shows:

    IPV4 Rules = 249

    or

    Chassis limits:
    Application                      Limit     In use    Entry size   Total Memory
    -------------------------------- --------- --------- ------------ ------------
    access-lists                     256       9         125K         31.3M
    access-list-entries              1000      180       160B         156.4K

    and we ended at 180 ACL-entries?


  • 5.  RE: 7100-Series / ACL / Access Control List Limitations

    Posted 02-21-2017 21:33
    I'm closing this thread for further comment because it appears to be a duplicate of this topic:
    https://community.extremenetworks.com/extreme/topics/7100-series-acl-access-control-list-limitations