SecureStack Policy Profile & Rule limitations

    Posted 11-20-2013 23:25
    Article ID: 5821

    Products
    C3-Series, C2-Series
    B3-Series, B2-Series
    B2POL-LIC

    Protocols/Features
    Policy
    CoS
    IRL
    Metering
    UPN

    Goals
    SecureStack Policy Profile & Rule limitations
    Mixed stacking

    Symptoms
    "config mismatch"
    "% Invalid input detected at '^' marker."
    "Error, General error!"

    Cause
    Policy/CoS is always available on the SecureStack C3 and C2. Policy/CoS may be enabled on the SecureStack B3 and B2 by configuring them with a Policy license (5781).

    This document summarizes differences in Policy support among these SecureStack lines.

    Solution
    The policy limitations for the above-stated products and firmware are as follows:
  • For C3 and B3 (C3G, B3G) units, running f/w 1.00.35 through 1.00.98 (C3G) or f/w 1.00.29 through 1.00.92 (B3G), we impose
    • a maximum of 15 profiles/roles per stack;
    • a maximum of 768 unique rules and 768 unique masks per stack;
    • a maximum of 100 rules and 100 masks per profile/role;
    • no MAC or Ethertype rules[2];
    • no metering[3].
  • For C3 and B3 (C3G, B3G) units, running f/w 1.01.01.0039 through 1.02.06.0004, we impose
    • a maximum of 2 policy users per port (User+IP Phone);
    • a maximum of 15 profiles/roles per stack;
    • a maximum of 768 unique rules per stack;
    • a maximum of 100 rules per profile/role;
    • a maximum of 512 L3/L4 + 128 EtherType + 128 MAC-based unique rules, and 768 unique masks per stack;
    • no metering[3].
  • For C3 and B3 (C3G, B3G) units, running f/w 6.03.00.0022 or higher, we impose
    • a maximum of 6 (tunnel mode) or 3 (policy mode, hybrid mode) users per port;
    • a maximum of 15 profiles/roles per stack;
    • a maximum of 768 unique rules per stack;
    • a maximum of 100 rules per profile/role;
    • a maximum of 512 L3/L4 + 128 EtherType + 128 MAC-based unique rules, and unlimited masks per stack;
    • no metering[3].
  • For C3/C2 and B3/B2 mixed stacks running C2 or B2 firmware, we impose the more restrictive of the limitations applicable to either the hardware or the firmware[1].
  • For C2 and B2 gigabit (C2G, B2G) units, running f/w 5.00.28 through 5.00.83 (C2) or f/w 4.00.22 through 4.00.83 (B2), we impose
    • a maximum of 2 policy users per port (User+IP Phone);
    • a maximum of 48 profiles/roles per stack;
    • a maximum of 768 unique rules per stack[1];
    • a maximum of 100 rules and 10 masks per profile/role[1];
    • no MAC or Ethertype rules[2].
  • For C2 and B2 gigabit (C2G, B2G) units, running f/w 5.01.01.0039 through 5.01.06.0007 (C2) or f/w 4.01.01.0039 through 4.01.06.0007 (B2), we impose
    • a maximum of 2 policy users per port (User+IP Phone);
    • a maximum of 48 profiles/roles per stack;
    • a maximum of 768 unique rules per stack[1];
    • a maximum of 100 rules and 10 masks per profile/role[1].
  • For C2 and B2 gigabit (C2G, B2G) units, running f/w 5.02.01.0006 or higher (C2) or f/w 4.02.01.0006 or higher (B2), we impose
    • a maximum of 2 policy users per port (User+IP Phone);
    • a maximum of 255 profiles/roles per stack;
    • a maximum of 100 unique rules and 10 unique masks per stack[1];
    • a maximum of 100 rules per profile/role[1].
  • For C2 and B2 fast ethernet (C2H, B2H) units, running f/w 5.00.28 through 5.00.83 (C2) or f/w 4.00.22 through 4.00.83 (B2), we impose
    • a maximum of 2 policy users per port (User+IP Phone);
    • a maximum of 15 profiles/roles per stack;
    • a maximum of 100 unique rules and 18 unique masks per stack[1];
    • a maximum of 100 rules and 10 masks per profile/role[1];
    • no MAC, Ethertype, or ICMP rules[2].
  • For C2 and B2 fast ethernet (C2H, B2H) units running f/w 5.01.01.0039 through 5.01.06.0007 (C2) or f/w 4.01.01.0039 through 4.01.06.0007 (B2), we impose
    • a maximum of 2 policy users per port (User+IP Phone);
    • a maximum of 15 profiles/roles per stack;
    • a maximum of 100 unique rules and 18 unique masks per stack[1];
    • a maximum of 100 rules and 10 masks per profile/role[1].
  • For C2 and B2 fast ethernet (C2H, B2H) units, running f/w 5.02.01.0006 or higher (C2) or f/w 4.02.01.0006 or higher (B2), we impose
    • a maximum of 2 policy users per port (User+IP Phone);
    • a maximum of 255 profiles/roles per stack;
    • a maximum of 100 unique rules and 18 unique masks per stack[1];
    • a maximum of 100 rules per profile/role[1].
    [1] Except for what is stated below as metering guidelines[3], the limitations of an entire running (possibly mixed: 5834) stack are no less restrictive than the constraints applicable to the lowest-capacity unit in the stack. If a unit is added to an already-running stack, the configurations are checked before Policy rules are applied. If the added unit cannot handle the policies installed on the stack, a "config mismatch" will occur, and a message in syslog will indicate the reason.

    [2] Attempting to configure a disallowed rule type results in an error message: either "% Invalid input detected at '^' marker." (C3/B3 firmware) or "Error, General error!" (C2/B2 firmware).

    [3] "Metering" here is synonymous with "rule-based Inbound Rate Limiting". On the C3/B3, Inbound Rate Limiting will only be applied if associated with a profile/role, yielding a single limiter for all of a profile's traffic. IRLs associated with a profile's underlying rules will be ignored on C3/B3 ports, but will function as expected on C2/B2 ports even in a mixed stack. An IRL is in all cases applied via a referenced CoS (Class of Service).

    A "unique rule" is one that is still distinctive after the role index reference is removed.
    A "unique mask" is one that presents a distinctive combination of rule type and mask length. One additional unique mask is added to this count to accommodate "Role Default Actions".

    You may also refer to the product Datasheets: C3 / B3.