ExtremeSwitching (EOS)


7100-Series / ACL / Access Control List / Limitations

  • 1.  7100-Series / ACL / Access Control List / Limitations

    Posted 01-31-2017 16:06
    We want to transfer a large ACL from a DFE module (with Advanced Licence) to a 7100 (about 300 entries). We can only enter 171 lines, then we're done.

    The "show limits" command displays:

    Chassis limits:
    Application Limit In use Entry size Total Memory
    -------------------------------- --------- --------- ------------ ------------
    access-lists 256 9 125K 31.3M
    access-list-entries 1000 171 160B 156.4K
    access-list-entries-per-list 1000 - - -
    applied-access-lists 1552 0 110B 165.5K
    applied-ipv4-in 256 0 - -
    applied-ipv4-out 256 0 - -
    applied-ipv6-in 256 0 - -
    applied-ipv6-out 256 0 - -
    applied-l2-in 256 0 - -
    applied-l2-out 256 0 - -

    The "show limits resource-profile -verbose" command displays:

    Resource Profile: router1
    Authenticated Users = 512
    MAC Rules = 0
    IPV6 Rules = 0
    IPV4 Rules = 249
    L2 Rules = 175
    IPV6 Ingress ACL = 128
    IPV6 PBR = 0
    IPV4 Ingress ACL = 128
    IPV4 PBR = 128
    L2 Ingress ACL = 0
    IPV6 Egress ACL = 256
    IPV4 Egress ACL = 256
    L2 Egress ACL = 0

    How can we solve the problem (more accepted entries in the ACL)?


  • 2.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 01-31-2017 16:27
    I would suggest consolidating the rule base as much as possible. There are limited resources allowed for ACLs even with the router1 profile selected. The 7100 was intended as a top-of-rack switch.


  • 3.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 01-31-2017 16:42
    But why do the "show" commands display 249/1000 possible IPV4 rules while the configuration accepts only 171 rules?

    Does it help to use a profile other than router1?


  • 4.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 01-31-2017 16:53
    There are only the default and router1 profiles.



  • 6.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 01-31-2017 17:15
    Sorry for the issue; you might be encountering a limitation other than the number of ACLs. I have one below as an example; I am not saying it is your issue, but it is an example.
    https://gtacknowledge.extremenetworks.com/articles/Solution/7100-Series-Error-Apply-access-group-fai...

    Do you get an error message or see an error in the show logging buffer about the ACL?



  • 7.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 01-31-2017 17:15
    This is the error message:

    TOR(rw-config-intf-vlan.0.1001)->ip access-group 101 out

    Apply access-group failed: Insufficient resources to apply access-group



  • 8.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 01-31-2017 17:15
    That error is in the article I posted and caused by using an ACL with UDP port ranges.


  • 9.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 02-01-2017 16:44
    Is there any chance of consolidating these rules:

    ip access-list extended 101
    permit ip host 192.168.1.248 any
    permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 192.168.12.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 192.168.13.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit ip 192.168.1.240 0.0.0.7 host 192.168.200.201
    permit ip 192.168.60.0 0.0.3.255 192.168.60.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.2.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.2.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.3.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.3.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.4.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.4.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.5.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.5.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.10.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.10.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 25
    permit tcp 192.168.200.0 0.0.0.255 eq 25 192.168.10.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.11.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.11.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 192.168.11.0 0.0.0.255 eq 25
    permit tcp 192.168.200.0 0.0.0.255 eq 25 192.168.11.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.12.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.12.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 192.168.12.0 0.0.0.255 eq 25
    permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.13.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.13.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 192.168.13.0 0.0.0.255 eq 25
    permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.50.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.50.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 eq 25 192.168.50.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 192.168.50.0 0.0.0.255 eq 25
    permit tcp 192.168.200.0 0.0.0.255 192.168.50.0 0.0.0.255 eq 10051
    permit tcp 192.168.200.0 0.0.0.255 eq 10050 192.168.50.0 0.0.0.255
    permit tcp 192.168.16.0 0.0.0.255 host 192.168.50.202 eq 1521
    permit tcp 192.168.16.0 0.0.0.255 host 192.168.50.208 eq 1521
    permit tcp 192.168.88.0 0.0.0.255 host 192.168.50.208 eq 1521
    permit ip 192.168.86.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 9100
    permit tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 80
    permit tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 443
    permit ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
    permit ip 192.168.5.0 0.0.0.255 192.168.11.0 0.0.0.255
    permit ip 192.168.5.0 0.0.0.255 192.168.13.0 0.0.0.255
    permit ip 192.168.5.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit tcp 192.168.5.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
    permit ip 164.26.201.248 0.0.0.7 192.168.2.0 0.0.0.255
    permit tcp 10.240.10.0 0.0.0.255 host 192.168.50.202 eq 22
    permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
    permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
    permit ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
    permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
    permit ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
    permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit tcp 192.168.10.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
    permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
    permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.0.255
    permit ip 192.168.11.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip 192.168.11.0 0.0.0.255 192.168.4.0 0.0.0.255
    permit ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
    permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
    permit ip 192.168.11.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit tcp 192.168.11.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
    permit ip 192.168.11.0 0.0.0.255 192.168.200.0 0.0.0.255
    permit ip 192.168.12.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
    permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
    permit ip 192.168.12.0 0.0.0.255 192.168.13.0 0.0.0.255
    permit ip 192.168.12.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit tcp 192.168.12.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
    permit ip 192.168.12.0 0.0.0.255 192.168.200.0 0.0.0.255
    permit ip 192.168.13.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.13.0 0.0.0.255 192.168.2.0 0.0.0.255
    permit ip 192.168.13.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
    permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
    permit ip 192.168.13.0 0.0.0.255 192.168.10.0 0.0.0.255
    permit ip 192.168.13.0 0.0.0.255 192.168.11.0 0.0.0.255
    permit ip 192.168.13.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit tcp 192.168.13.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
    permit ip 192.168.13.0 0.0.0.255 192.168.200.0 0.0.0.255
    permit ip 192.168.66.0 0.0.0.255 192.168.65.0 0.0.0.255
    permit tcp 192.168.84.0 0.0.0.255 host 192.168.50.20 eq 3389
    permit tcp 192.168.85.0 0.0.0.255 192.168.91.0 0.0.0.255 eq 3389
    permit tcp 192.168.85.0 0.0.0.255 192.168.92.0 0.0.0.255 eq 3389
    permit tcp 192.168.85.0 0.0.0.255 192.168.93.0 0.0.0.255 eq 3389
    permit tcp 192.168.85.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
    permit tcp 192.168.88.0 0.0.0.255 192.168.91.0 0.0.0.255 eq 3389
    permit tcp 192.168.88.0 0.0.0.255 192.168.92.0 0.0.0.255 eq 3389
    permit tcp 192.168.88.0 0.0.0.255 192.168.93.0 0.0.0.255 eq 3389
    permit tcp 192.168.88.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
    permit ip 192.168.90.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit tcp 192.168.90.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
    permit tcp 192.168.91.0 0.0.0.255 eq 3389 any
    permit tcp 192.168.92.0 0.0.0.255 eq 3389 any
    permit tcp 192.168.97.0 0.0.0.255 eq 3389 any
    permit tcp any eq 80 host 192.168.2.11
    permit tcp any eq 443 host 192.168.2.11
    permit tcp any eq 80 host 192.168.2.19
    permit tcp any eq 3101 host 192.168.50.201
    permit tcp any eq 443 host 192.168.50.201
    permit tcp any eq 3101 host 192.168.50.229
    permit tcp any eq 443 host 192.168.50.229
    permit tcp any eq 443 host 192.168.50.238
    permit tcp any eq 2222 host 192.168.60.254
    permit ip host 192.168.200.201 192.168.1.240 0.0.0.7
    permit ip host 192.168.200.201 host 192.168.1.249
    permit ip host 192.168.200.201 host 192.168.1.252
    permit tcp host 192.168.200.201 192.168.50.0 0.0.0.255 eq 22
    permit tcp host 192.168.200.201 192.168.50.0 0.0.0.255 eq 80
    permit tcp host 192.168.200.201 192.168.50.0 0.0.0.255 eq 3389
    permit tcp host 192.168.200.201 192.168.97.0 0.0.0.255 eq 3389
    permit tcp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 636
    permit udp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 636
    permit tcp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 7191
    permit udp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 7191
    permit tcp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 4500
    permit udp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 4500
    permit ip host 192.168.14.13 host 192.168.50.215
    permit ip 10.22.96.0 0.0.0.255 192.168.2.0 0.0.0.255
    permit tcp 10.240.10.0 0.0.0.255 host 192.168.50.202 eq 5714
    permit tcp 10.240.10.0 0.0.255.255 host 192.168.50.212 eq 1158
    permit tcp 10.240.10.0 0.0.255.255 host 192.168.50.212 eq 5502
    permit ip 10.12.7.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit ip 10.12.6.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit tcp 192.168.1.0 0.0.0.255 eq 123 192.168.60.0 0.0.3.255
    permit udp 192.168.1.0 0.0.0.255 eq 123 192.168.60.0 0.0.3.255
    deny ip any any


  • 10.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 02-02-2017 10:13
    Hi Andre,

    you can combine some of the lines by using a different wildcard mask. An example would be:

    The two lines
    permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    can be combined into
    permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.1.255

    Br,
    Erik


  • 11.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 02-02-2017 10:13
    Great to see you back on the Hub Erik!


  • 12.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 02-02-2017 18:22
    You may want to double check and/or test this, but here's a shortened ACL (116 lines):

    permit ip host 192.168.1.248 any
    permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.1.255
    permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.1.255
    permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.1.255
    permit ip 192.168.1.0 0.0.0.255 192.168.12.0 0.0.1.255
    permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit ip 192.168.1.240 0.0.0.7 host 192.168.200.201
    permit ip 192.168.60.0 0.0.3.255 192.168.60.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.2.0 0.0.1.255
    permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.2.0 0.0.1.255
    permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.4.0 0.0.1.255
    permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.4.0 0.0.1.255
    permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.10.0 0.0.1.255
    permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.10.0 0.0.1.255
    permit tcp 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 25
    permit tcp 192.168.200.0 0.0.0.255 eq 25 192.168.10.0 0.0.1.255
    permit tcp 192.168.200.0 0.0.0.255 192.168.11.0 0.0.0.255 eq 25
    permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.12.0 0.0.1.255
    permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.12.0 0.0.1.255
    permit tcp 192.168.200.0 0.0.0.255 192.168.12.0 0.0.0.255 eq 25
    permit tcp 192.168.200.0 0.0.0.255 192.168.13.0 0.0.0.255 eq 25
    permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.50.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.50.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 eq 25 192.168.50.0 0.0.0.255
    permit tcp 192.168.200.0 0.0.0.255 192.168.50.0 0.0.0.255 eq 25
    permit tcp 192.168.200.0 0.0.0.255 192.168.50.0 0.0.0.255 eq 10051
    permit tcp 192.168.200.0 0.0.0.255 eq 10050 192.168.50.0 0.0.0.255
    permit tcp 192.168.16.0 0.0.0.255 host 192.168.50.202 eq 1521
    permit tcp 192.168.16.0 0.0.0.255 host 192.168.50.208 eq 1521
    permit tcp 192.168.88.0 0.0.0.255 host 192.168.50.208 eq 1521
    permit ip 192.168.86.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 9100
    permit tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 80
    permit tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 443
    permit ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
    permit ip 192.168.5.0 0.0.0.255 192.168.11.0 0.0.0.255
    permit ip 192.168.5.0 0.0.0.255 192.168.13.0 0.0.0.255
    permit ip 192.168.5.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit tcp 192.168.5.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
    permit ip 164.26.201.248 0.0.0.7 192.168.2.0 0.0.0.255
    permit tcp 10.240.10.0 0.0.0.255 host 192.168.50.202 eq 22
    permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.1.255
    permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.1.255
    permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
    permit ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
    permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit tcp 192.168.10.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
    permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
    permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.1.255
    permit ip 192.168.11.0 0.0.0.255 192.168.4.0 0.0.1.255
    permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
    permit ip 192.168.11.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit tcp 192.168.11.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
    permit ip 192.168.11.0 0.0.0.255 192.168.200.0 0.0.0.255
    permit ip 192.168.12.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
    permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
    permit ip 192.168.12.0 0.0.0.255 192.168.13.0 0.0.0.255
    permit ip 192.168.12.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit tcp 192.168.12.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
    permit ip 192.168.12.0 0.0.0.255 192.168.200.0 0.0.0.255
    permit ip 192.168.13.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.13.0 0.0.0.255 192.168.2.0 0.0.1.255
    permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.1.255
    permit ip 192.168.13.0 0.0.0.255 192.168.10.0 0.0.1.255
    permit ip 192.168.13.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit tcp 192.168.13.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
    permit ip 192.168.13.0 0.0.0.255 192.168.200.0 0.0.0.255
    permit ip 192.168.66.0 0.0.0.255 192.168.65.0 0.0.0.255
    permit tcp 192.168.84.0 0.0.0.255 host 192.168.50.20 eq 3389
    permit tcp 192.168.85.0 0.0.0.255 192.168.91.0 0.0.0.255 eq 3389
    permit tcp 192.168.85.0 0.0.0.255 192.168.92.0 0.0.1.255 eq 3389
    permit tcp 192.168.85.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
    permit tcp 192.168.88.0 0.0.0.255 192.168.91.0 0.0.0.255 eq 3389
    permit tcp 192.168.88.0 0.0.0.255 192.168.92.0 0.0.1.255 eq 3389
    permit tcp 192.168.88.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
    permit ip 192.168.90.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit tcp 192.168.90.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
    permit tcp 192.168.91.0 0.0.0.255 eq 3389 any
    permit tcp 192.168.92.0 0.0.0.255 eq 3389 any
    permit tcp 192.168.97.0 0.0.0.255 eq 3389 any
    permit tcp any eq 80 host 192.168.2.11
    permit tcp any eq 443 host 192.168.2.11
    permit tcp any eq 80 host 192.168.2.19
    permit tcp any eq 3101 host 192.168.50.201
    permit tcp any eq 443 host 192.168.50.201
    permit tcp any eq 3101 host 192.168.50.229
    permit tcp any eq 443 host 192.168.50.229
    permit tcp any eq 443 host 192.168.50.238
    permit tcp any eq 2222 host 192.168.60.254
    permit ip host 192.168.200.201 192.168.1.240 0.0.0.7
    permit ip host 192.168.200.201 host 192.168.1.249
    permit ip host 192.168.200.201 host 192.168.1.252
    permit tcp host 192.168.200.201 192.168.50.0 0.0.0.255 eq 22
    permit tcp host 192.168.200.201 192.168.50.0 0.0.0.255 eq 80
    permit tcp host 192.168.200.201 192.168.50.0 0.0.0.255 eq 3389
    permit tcp host 192.168.200.201 192.168.97.0 0.0.0.255 eq 3389
    permit tcp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 636
    permit udp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 636
    permit tcp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 7191
    permit udp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 7191
    permit tcp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 4500
    permit udp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 4500
    permit ip host 192.168.14.13 host 192.168.50.215
    permit ip 10.22.96.0 0.0.0.255 192.168.2.0 0.0.0.255
    permit tcp 10.240.10.0 0.0.0.255 host 192.168.50.202 eq 5714
    permit tcp 10.240.10.0 0.0.255.255 host 192.168.50.212 eq 1158
    permit tcp 10.240.10.0 0.0.255.255 host 192.168.50.212 eq 5502
    permit ip 10.12.7.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit ip 10.12.6.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit tcp 192.168.1.0 0.0.0.255 eq 123 192.168.60.0 0.0.3.255
    permit udp 192.168.1.0 0.0.0.255 eq 123 192.168.60.0 0.0.3.255
    deny ip any any

    Ryan
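
Erik's wildcard-mask trick (post 10) and Ryan's shortened list (post 12) both rest on one fact: two entries that differ only in an adjacent, aligned /24 can be written as one entry with a 0.0.1.255 wildcard without changing what is permitted. The script below is an added example, not code from this thread or from Extreme Networks. It parses extended-ACL lines in the syntax used above, folds sibling entries, and then checks that the folded list gives the same first-match decision as the original. `SAMPLE_ACL` is a constructed subset of the posted list; the parser only understands the `host`, `any`, wildcard and `eq` forms that appear in it (no port ranges, no `established`).

```python
"""Fold sibling ACL entries into one entry with a wider wildcard mask.

Added example, not code from the thread or from Extreme Networks. Two entries
that differ only in destination (or only in source) network fold exactly when
both use the same contiguous wildcard and are aligned neighbours.
"""
import ipaddress

ANY = (0, 0xFFFFFFFF)   # 'any' == address 0.0.0.0 with wildcard 255.255.255.255
_ip = lambda text: int(ipaddress.IPv4Address(text))   # dotted quad -> int


def _parse_endpoint(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    if tok[i] == "any":
        net, i = ANY, i + 1
    elif tok[i] == "host":
        net, i = (_ip(tok[i + 1]), 0), i + 2
    else:
        net, i = (_ip(tok[i]), _ip(tok[i + 1])), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = int(tok[i + 1]), i + 2
    return net, port, i


def parse_rule(line):
    """One extended-ACL entry: ACTION PROTO SRC [eq P] DST [eq P]."""
    tok = line.split()
    src, sport, i = _parse_endpoint(tok, 2)
    dst, dport, _ = _parse_endpoint(tok, i)
    return {"action": tok[0], "proto": tok[1],
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def format_rule(r):
    """Render a parsed entry back to CLI syntax."""
    def endpoint(net, port):
        addr, wild = map(ipaddress.IPv4Address, net)
        text = "any" if net == ANY else f"host {addr}" if net[1] == 0 else f"{addr} {wild}"
        return text if port is None else f"{text} eq {port}"
    return " ".join([r["action"], r["proto"],
                     endpoint(r["src"], r["sport"]), endpoint(r["dst"], r["dport"])])


def _sibling_union(a, b):
    """(net, wildcard) covering exactly a|b, or None if no exact fold exists."""
    (na, wa), (nb, wb) = a, b
    size = wa + 1                                     # 256 for wildcard 0.0.0.255
    if wa != wb or size & wa or na & wa or nb & wb:   # same 2**k-1 mask, both aligned
        return None
    lo, hi = min(na, nb), max(na, nb)
    if hi - lo != size or lo & (2 * size - 1):        # adjacent, lo aligned to 2*size
        return None
    return (lo, 2 * wa + 1)


def _fold(a, b):
    """Merged entry if a and b differ only in sibling src or dst networks."""
    for side, other in (("dst", "src"), ("src", "dst")):
        if all(a[k] == b[k] for k in ("action", "proto", "sport", "dport", other)):
            union = _sibling_union(a[side], b[side])
            if union is not None:
                return {**a, side: union}
    return None


def consolidate(rules):
    """Fold sibling entries until none remain. An entry is only pulled forward
    past entries with the same action, so first-match semantics are unchanged."""
    rules, i = list(rules), 0
    while i < len(rules):
        folded = None
        for j in range(i + 1, len(rules)):
            if rules[j]["action"] != rules[i]["action"]:
                break                    # never fold across a permit/deny boundary
            folded = _fold(rules[i], rules[j])
            if folded:
                rules[i] = folded
                del rules[j]
                break
        i = 0 if folded else i + 1       # a wider entry may fold with an earlier one
    return rules


def decide(rules, proto, src, sport, dst, dport):
    """First-match lookup with the implicit 'deny ip any any' at the end."""
    s, d = _ip(src), _ip(dst)
    for r in rules:
        (sn, sw), (dn, dw) = r["src"], r["dst"]
        if (r["proto"] in ("ip", proto) and (s | sw) == (sn | sw) and (d | dw) == (dn | dw)
                and r["sport"] in (None, sport) and r["dport"] in (None, dport)):
            return r["action"]
    return "deny"


# Constructed sample: a subset of the list posted in the thread.
SAMPLE_ACL = """\
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.10.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.11.0 0.0.0.255
permit tcp 192.168.85.0 0.0.0.255 192.168.91.0 0.0.0.255 eq 3389
permit tcp 192.168.85.0 0.0.0.255 192.168.92.0 0.0.0.255 eq 3389
deny ip any any""".splitlines()

if __name__ == "__main__":
    folded = consolidate(map(parse_rule, SAMPLE_ACL))
    print("\n".join(map(format_rule, folded)))
```

Two things the fold has to respect, and both show up in the sample: the two networks must be aligned siblings (192.168.92.0 and 192.168.93.0 fold; 192.168.91.0 and 192.168.92.0 do not, because a 0.0.1.255 wildcard on 192.168.91.0 ignores the low bit of the third octet and would also admit 192.168.90.0), and an entry is never pulled forward past an entry with a different action, since that would change the first-match result. Folding reduces the entry count but does not raise the applied-rules ceiling Ryan describes later in the thread; it only delays how soon you hit it.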


  • 13.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 02-03-2017 06:52
    THANKS A LOT to all!


  • 14.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 02-20-2017 06:34
    Does somebody know why the switch shows:

    IPV4 Rules = 249

    or

    Chassis limits:
    Application                      Limit     In use    Entry size   Total Memory
    -------------------------------- --------- --------- ------------ ------------
    access-lists                     256       9         125K         31.3M
    access-list-entries              1000      180       160B         156.4K

    and we ended at 180 ACL entries?


  • 15.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 02-23-2017 05:18
    Is there any chance to configure more than 180 ACL rules? How?


  • 16.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 02-23-2017 18:23
    With a clean-slate configuration (just a single L3 interface) and using router-profile 'router1', I was able to create an ACL that had 200 lines in it; however, the total number of ACL lines that can be applied at any given time is not to exceed 128.

    Say you have an ACL that is 24 lines (add 1 due to the implicit deny all at the end, so 25). You can apply that to five layer-3 interfaces (25 * 5 = 125). If you try applying it to a sixth interface, it will jump to 150 applied ACL lines.

    The 7100-Series is limited in its resources and is more aimed towards a top-of-rack solution for datacenter switching. A good replacement for the DFE S-Series would be an SSA, which has the resources for more ACLs and PBR setup.

    Ryan
    Extreme Networks


  • 17.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 02-23-2017 19:03
    We will try whether this can help, but the SSA isn't an option (not enough 10G ports). Can the K-Series work as a replacement? Which limitations does it have?



  • 18.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 02-23-2017 19:03
    What about an S1A with SK8008-1224-F8 ?


  • 19.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 02-23-2017 19:03
    We need roughly 40 x 1000TX + 12 x 10G + 250 extended ACL entries...


  • 20.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 02-23-2017 19:22
    K-Series supports 1000 ACLs, 5000 ACL rules, and 1000 ACL rules per ACL. It does have more ACL capability, but according to the release notes it only supports 12 x 10G ports.

    It may be best to contact your sales rep and explain the requirements so they can search for the best-fit product for the job.

    Ryan


  • 21.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 02-24-2017 06:18
    Hi,
    yes, we checked; the K-Series says for "show limits":

    Application                      Limit     In use
    -------------------------------- --------- ---------
    access-lists                     1000      9
    access-list-entries              5000      212

    But why does the 7100 say the following, when we cannot reach these limits:

    Application                      Limit     In use
    -------------------------------- --------- ---------
    access-lists                     256       9
    access-list-entries              1000      180

    We would be very happy if we could reach 1000 access-list-entries!!!



  • 22.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 02-28-2017 07:36
    Hi,
    yes, we checked; the K-Series says for "show limits":

    Application                      Limit     In use
    -------------------------------- --------- ---------
    access-lists                     1000      9
    access-list-entries              5000      212

    But why does the 7100 say the following, when we cannot reach these limits:

    Application                      Limit     In use
    -------------------------------- --------- ---------
    access-lists                     256       9
    access-list-entries              1000      180

    We would be very happy if we could reach 1000 access-list-entries!!! Will this come in a new firmware track?


  • 23.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 02-28-2017 16:35
    Hello,

    The output from "show limits" on the 7100-Series is not going to be accurate, but is more of a placeholder for our "theoretical maximum". The values change based on limited hardware resources, and depending on which resource profile is chosen, you are limited to the specifications listed in the output of "show limits resource-profile -verbose", which will state your limitations. For example, the router1 profile:

    TOR(su)->show limits resource-profile -verbose
    Resource Profile: configured (router1), operational (router1)

    Resource Profile: router1
    Authenticated Users = 512
    MAC Rules = 0
    IPV6 Rules = 0
    IPV4 Rules = 249
    L2 Rules = 175
    IPV6 Ingress ACL = 128
    IPV6 PBR = 0
    IPV4 Ingress ACL = 128
    IPV4 PBR = 128
    L2 Ingress ACL = 0
    IPV6 Egress ACL = 256
    IPV4 Egress ACL = 256
    L2 Egress ACL = 0

    Here would be the default setup if you have not changed the resource profile:

    TOR(su)->show limits resource-profile -verbose
    Resource Profile: configured (default), operational (default)

    Resource Profile: default
    Authenticated Users = 512
    MAC Rules = 128
    IPV6 Rules = 127
    IPV4 Rules = 249
    L2 Rules = 175
    IPV6 Ingress ACL = 0
    IPV6 PBR = 0
    IPV4 Ingress ACL = 0
    IPV4 PBR = 0
    L2 Ingress ACL = 0
    IPV6 Egress ACL = 256
    IPV4 Egress ACL = 256
    L2 Egress ACL = 0

    Here is one of our Knowledge Articles briefly going over this:

    https://gtacknowledge.extremenetworks.com/articles/Solution/7100-Series-Advanced-Router-Mode-Limitat...

    The only things I can think of are either to use a different model switch that has added ACL support, or to contact us to submit a feature request.

    Ryan


  • 24.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 03-01-2017 10:51
    With profile "router1", does IPV4 Egress ACL mean 249 ACLs? But why can we not use more than 180?


  • 25.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 03-01-2017 12:14
    I created an ACL that has 200 rules; however, you can only have 128 rules applied at any given time, so I would have to delete rules 128-200 to get it to apply to an interface.

    I would suggest opening a case with GTAC so we can review configurations and try to assist getting a working configuration.

    Ryan


  • 26.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 03-01-2017 12:19
    And when you create 10 access-lists with roughly 25 access-list-entries each?



  • 27.  RE: 7100-Series / ACL / Access Control List / Limitations

    Posted 03-01-2017 14:08
    I created 10 access-lists with 25 entries in each; however, I won't be able to apply all of these to interfaces, since that exceeds the limit of 128 inbound rules applied.

    ip access-list extended number1
    permit ip host 1.1.1.1 host 1.1.1.1
    permit ip host 1.1.1.1 host 1.1.1.2
    permit ip host 1.1.1.1 host 1.1.1.3
    permit ip host 1.1.1.1 host 1.1.1.4
    permit ip host 1.1.1.1 host 1.1.1.5
    permit ip host 1.1.1.1 host 1.1.1.6
    permit ip host 1.1.1.1 host 1.1.1.7
    permit ip host 1.1.1.1 host 1.1.1.8
    permit ip host 1.1.1.1 host 1.1.1.9
    permit ip host 1.1.1.1 host 1.1.1.10
    permit ip host 1.1.1.1 host 1.1.1.11
    permit ip host 1.1.1.1 host 1.1.1.12
    permit ip host 1.1.1.1 host 1.1.1.13
    permit ip host 1.1.1.1 host 1.1.1.14
    permit ip host 1.1.1.1 host 1.1.1.15
    permit ip host 1.1.1.1 host 1.1.1.16
    permit ip host 1.1.1.1 host 1.1.1.17
    permit ip host 1.1.1.1 host 1.1.1.18
    permit ip host 1.1.1.1 host 1.1.1.19
    permit ip host 1.1.1.1 host 1.1.1.20
    permit ip host 1.1.1.1 host 1.1.1.21
    permit ip host 1.1.1.1 host 1.1.1.22
    permit ip host 1.1.1.1 host 1.1.1.23
    permit ip host 1.1.1.1 host 1.1.1.24
    permit ip any any
    exit
    ip access-list extended number10
    permit ip host 1.1.1.1 host 1.1.1.1
    permit ip host 1.1.1.1 host 1.1.1.2
    permit ip host 1.1.1.1 host 1.1.1.3
    permit ip host 1.1.1.1 host 1.1.1.4
    permit ip host 1.1.1.1 host 1.1.1.5
    permit ip host 1.1.1.1 host 1.1.1.6
    permit ip host 1.1.1.1 host 1.1.1.7
    permit ip host 1.1.1.1 host 1.1.1.8
    permit ip host 1.1.1.1 host 1.1.1.9
    permit ip host 1.1.1.1 host 1.1.1.10
    permit ip host 1.1.1.1 host 1.1.1.11
    permit ip host 1.1.1.1 host 1.1.1.12
    permit ip host 1.1.1.1 host 1.1.1.13
    permit ip host 1.1.1.1 host 1.1.1.14
    permit ip host 1.1.1.1 host 1.1.1.15
    permit ip host 1.1.1.1 host 1.1.1.16
    permit ip host 1.1.1.1 host 1.1.1.17
    permit ip host 1.1.1.1 host 1.1.1.18
    permit ip host 1.1.1.1 host 1.1.1.19
    permit ip host 1.1.1.1 host 1.1.1.20
    permit ip host 1.1.1.1 host 1.1.1.21
    permit ip host 1.1.1.1 host 1.1.1.22
    permit ip host 1.1.1.1 host 1.1.1.23
    permit ip host 1.1.1.1 host 1.1.1.24
    permit ip any any
    exit
    ip access-list extended number2
    permit ip host 1.1.1.1 host 1.1.1.1
    permit ip host 1.1.1.1 host 1.1.1.2
    permit ip host 1.1.1.1 host 1.1.1.3
    permit ip host 1.1.1.1 host 1.1.1.4
    permit ip host 1.1.1.1 host 1.1.1.5
    permit ip host 1.1.1.1 host 1.1.1.6
    permit ip host 1.1.1.1 host 1.1.1.7
    permit ip host 1.1.1.1 host 1.1.1.8
    permit ip host 1.1.1.1 host 1.1.1.9
    permit ip host 1.1.1.1 host 1.1.1.10
    permit ip host 1.1.1.1 host 1.1.1.11
    permit ip host 1.1.1.1 host 1.1.1.12
    permit ip host 1.1.1.1 host 1.1.1.13
    permit ip host 1.1.1.1 host 1.1.1.14
    permit ip host 1.1.1.1 host 1.1.1.15
    permit ip host 1.1.1.1 host 1.1.1.16
    permit ip host 1.1.1.1 host 1.1.1.17
    permit ip host 1.1.1.1 host 1.1.1.18
    permit ip host 1.1.1.1 host 1.1.1.19
    permit ip host 1.1.1.1 host 1.1.1.20
    permit ip host 1.1.1.1 host 1.1.1.21
    permit ip host 1.1.1.1 host 1.1.1.22
    permit ip host 1.1.1.1 host 1.1.1.23
    permit ip host 1.1.1.1 host 1.1.1.24
    permit ip any any
    exit
    ip access-list extended number3
    permit ip host 1.1.1.1 host 1.1.1.1
    permit ip host 1.1.1.1 host 1.1.1.2
    permit ip host 1.1.1.1 host 1.1.1.3
    permit ip host 1.1.1.1 host 1.1.1.4
    permit ip host 1.1.1.1 host 1.1.1.5
    permit ip host 1.1.1.1 host 1.1.1.6
    permit ip host 1.1.1.1 host 1.1.1.7
    permit ip host 1.1.1.1 host 1.1.1.8
    permit ip host 1.1.1.1 host 1.1.1.9
    permit ip host 1.1.1.1 host 1.1.1.10
    permit ip host 1.1.1.1 host 1.1.1.11
    permit ip host 1.1.1.1 host 1.1.1.12
    permit ip host 1.1.1.1 host 1.1.1.13
    permit ip host 1.1.1.1 host 1.1.1.14
    permit ip host 1.1.1.1 host 1.1.1.15
    permit ip host 1.1.1.1 host 1.1.1.16
    permit ip host 1.1.1.1 host 1.1.1.17
    permit ip host 1.1.1.1 host 1.1.1.18
    permit ip host 1.1.1.1 host 1.1.1.19
    permit ip host 1.1.1.1 host 1.1.1.20
    permit ip host 1.1.1.1 host 1.1.1.21
    permit ip host 1.1.1.1 host 1.1.1.22
    permit ip host 1.1.1.1 host 1.1.1.23
    permit ip host 1.1.1.1 host 1.1.1.24
    permit ip any any
    exit
    ip access-list extended number4
    permit ip host 1.1.1.1 host 1.1.1.1
    permit ip host 1.1.1.1 host 1.1.1.2
    permit ip host 1.1.1.1 host 1.1.1.3
    permit ip host 1.1.1.1 host 1.1.1.4
    permit ip host 1.1.1.1 host 1.1.1.5
    permit ip host 1.1.1.1 host 1.1.1.6
    permit ip host 1.1.1.1 host 1.1.1.7
    permit ip host 1.1.1.1 host 1.1.1.8
    permit ip host 1.1.1.1 host 1.1.1.9
    permit ip host 1.1.1.1 host 1.1.1.10
    permit ip host 1.1.1.1 host 1.1.1.11
    permit ip host 1.1.1.1 host 1.1.1.12
    permit ip host 1.1.1.1 host 1.1.1.13
    permit ip host 1.1.1.1 host 1.1.1.14
    permit ip host 1.1.1.1 host 1.1.1.15
    permit ip host 1.1.1.1 host 1.1.1.16
    permit ip host 1.1.1.1 host 1.1.1.17
    permit ip host 1.1.1.1 host 1.1.1.18
    permit ip host 1.1.1.1 host 1.1.1.19
    permit ip host 1.1.1.1 host 1.1.1.20
    permit ip host 1.1.1.1 host 1.1.1.21
    permit ip host 1.1.1.1 host 1.1.1.22
    permit ip host 1.1.1.1 host 1.1.1.23
    permit ip host 1.1.1.1 host 1.1.1.24
    permit ip any any
    exit
    ip access-list extended number5
    permit ip host 1.1.1.1 host 1.1.1.1
    permit ip host 1.1.1.1 host 1.1.1.2
    permit ip host 1.1.1.1 host 1.1.1.3
    permit ip host 1.1.1.1 host 1.1.1.4
    permit ip host 1.1.1.1 host 1.1.1.5
    permit ip host 1.1.1.1 host 1.1.1.6
    permit ip host 1.1.1.1 host 1.1.1.7
    permit ip host 1.1.1.1 host 1.1.1.8
    permit ip host 1.1.1.1 host 1.1.1.9
    permit ip host 1.1.1.1 host 1.1.1.10
    permit ip host 1.1.1.1 host 1.1.1.11
    permit ip host 1.1.1.1 host 1.1.1.12
    permit ip host 1.1.1.1 host 1.1.1.13
    permit ip host 1.1.1.1 host 1.1.1.14
    permit ip host 1.1.1.1 host 1.1.1.15
    permit ip host 1.1.1.1 host 1.1.1.16
    permit ip host 1.1.1.1 host 1.1.1.17
    permit ip host 1.1.1.1 host 1.1.1.18
    permit ip host 1.1.1.1 host 1.1.1.19
    permit ip host 1.1.1.1 host 1.1.1.20
    permit ip host 1.1.1.1 host 1.1.1.21
    permit ip host 1.1.1.1 host 1.1.1.22
    permit ip host 1.1.1.1 host 1.1.1.23
    permit ip host 1.1.1.1 host 1.1.1.24
    permit ip any any
    exit
    ip access-list extended number6
    permit ip host 1.1.1.1 host 1.1.1.1
    permit ip host 1.1.1.1 host 1.1.1.2
    permit ip host 1.1.1.1 host 1.1.1.3
    permit ip host 1.1.1.1 host 1.1.1.4
    permit ip host 1.1.1.1 host 1.1.1.5
    permit ip host 1.1.1.1 host 1.1.1.6
    permit ip host 1.1.1.1 host 1.1.1.7
    permit ip host 1.1.1.1 host 1.1.1.8
    permit ip host 1.1.1.1 host 1.1.1.9
    permit ip host 1.1.1.1 host 1.1.1.10
    permit ip host 1.1.1.1 host 1.1.1.11
    permit ip host 1.1.1.1 host 1.1.1.12
    permit ip host 1.1.1.1 host 1.1.1.13
    permit ip host 1.1.1.1 host 1.1.1.14
    permit ip host 1.1.1.1 host 1.1.1.15
    permit ip host 1.1.1.1 host 1.1.1.16
    permit ip host 1.1.1.1 host 1.1.1.17
    permit ip host 1.1.1.1 host 1.1.1.18
    permit ip host 1.1.1.1 host 1.1.1.19
    permit ip host 1.1.1.1 host 1.1.1.20
    permit ip host 1.1.1.1 host 1.1.1.21
    permit ip host 1.1.1.1 host 1.1.1.22
    permit ip host 1.1.1.1 host 1.1.1.23
    permit ip host 1.1.1.1 host 1.1.1.24
    permit ip any any
    exit
    ip access-list extended number7
    permit ip host 1.1.1.1 host 1.1.1.1
    permit ip host 1.1.1.1 host 1.1.1.2
    permit ip host 1.1.1.1 host 1.1.1.3
    permit ip host 1.1.1.1 host 1.1.1.4
    permit ip host 1.1.1.1 host 1.1.1.5
    permit ip host 1.1.1.1 host 1.1.1.6
    permit ip host 1.1.1.1 host 1.1.1.7
    permit ip host 1.1.1.1 host 1.1.1.8
    permit ip host 1.1.1.1 host 1.1.1.9
    permit ip host 1.1.1.1 host 1.1.1.10
    permit ip host 1.1.1.1 host 1.1.1.11
    permit ip host 1.1.1.1 host 1.1.1.12
    permit ip host 1.1.1.1 host 1.1.1.13
    permit ip host 1.1.1.1 host 1.1.1.14
    permit ip host 1.1.1.1 host 1.1.1.15
    permit ip host 1.1.1.1 host 1.1.1.16
    permit ip host 1.1.1.1 host 1.1.1.17
    permit ip host 1.1.1.1 host 1.1.1.18
    permit ip host 1.1.1.1 host 1.1.1.19
    permit ip host 1.1.1.1 host 1.1.1.20
    permit ip host 1.1.1.1 host 1.1.1.21
    permit ip host 1.1.1.1 host 1.1.1.22
    permit ip host 1.1.1.1 host 1.1.1.23
    permit ip host 1.1.1.1 host 1.1.1.24
    permit ip any any
    exit
    ip access-list extended number8
    permit ip host 1.1.1.1 host 1.1.1.1
    permit ip host 1.1.1.1 host 1.1.1.2
    permit ip host 1.1.1.1 host 1.1.1.3
    permit ip host 1.1.1.1 host 1.1.1.4
    permit ip host 1.1.1.1 host 1.1.1.5
    permit ip host 1.1.1.1 host 1.1.1.6
    permit ip host 1.1.1.1 host 1.1.1.7
    permit ip host 1.1.1.1 host 1.1.1.8
    permit ip host 1.1.1.1 host 1.1.1.9
    permit ip host 1.1.1.1 host 1.1.1.10
    permit ip host 1.1.1.1 host 1.1.1.11
    permit ip host 1.1.1.1 host 1.1.1.12
    permit ip host 1.1.1.1 host 1.1.1.13
    permit ip host 1.1.1.1 host 1.1.1.14
    permit ip host 1.1.1.1 host 1.1.1.15
    permit ip host 1.1.1.1 host 1.1.1.16
    permit ip host 1.1.1.1 host 1.1.1.17
    permit ip host 1.1.1.1 host 1.1.1.18
    permit ip host 1.1.1.1 host 1.1.1.19
    permit ip host 1.1.1.1 host 1.1.1.20
    permit ip host 1.1.1.1 host 1.1.1.21
    permit ip host 1.1.1.1 host 1.1.1.22
    permit ip host 1.1.1.1 host 1.1.1.23
    permit ip host 1.1.1.1 host 1.1.1.24
    permit ip any any
    exit
    ip access-list extended number9
    permit ip host 1.1.1.1 host 1.1.1.1
    permit ip host 1.1.1.1 host 1.1.1.2
    permit ip host 1.1.1.1 host 1.1.1.3
    permit ip host 1.1.1.1 host 1.1.1.4
    permit ip host 1.1.1.1 host 1.1.1.5
    permit ip host 1.1.1.1 host 1.1.1.6
    permit ip host 1.1.1.1 host 1.1.1.7
    permit ip host 1.1.1.1 host 1.1.1.8
    permit ip host 1.1.1.1 host 1.1.1.9
    permit ip host 1.1.1.1 host 1.1.1.10
    permit ip host 1.1.1.1 host 1.1.1.11
    permit ip host 1.1.1.1 host 1.1.1.12
    permit ip host 1.1.1.1 host 1.1.1.13
    permit ip host 1.1.1.1 host 1.1.1.14
    permit ip host 1.1.1.1 host 1.1.1.15
    permit ip host 1.1.1.1 host 1.1.1.16
    permit ip host 1.1.1.1 host 1.1.1.17
    permit ip host 1.1.1.1 host 1.1.1.18
    permit ip host 1.1.1.1 host 1.1.1.19
    permit ip host 1.1.1.1 host 1.1.1.20
    permit ip host 1.1.1.1 host 1.1.1.21
    permit ip host 1.1.1.1 host 1.1.1.22
    permit ip host 1.1.1.1 host 1.1.1.23
    permit ip host 1.1.1.1 host 1.1.1.24
    permit ip any any
    exit