7100-Series / ACL / Access Control List / Limitations

  • Problem
  • Updated 1 year ago
  • Solved
We want to transfer a large ACL from a DFE module (with Advanced Licence) to a 7100 (about 300 entries). We can only enter 171 lines, then we're done.

The "show limits" command displays:

Chassis limits:
Application                         Limit    In use   Entry size  Total Memory
-------------------------------- --------- --------- ------------ ------------
access-lists                           256         9         125K        31.3M
  access-list-entries                 1000       171         160B       156.4K
  access-list-entries-per-list        1000         -            -            -
  applied-access-lists                1552         0         110B       165.5K
    applied-ipv4-in                    256         0            -            -
    applied-ipv4-out                   256         0            -            -
    applied-ipv6-in                    256         0            -            -
    applied-ipv6-out                   256         0            -            -
    applied-l2-in                      256         0            -            -
    applied-l2-out                     256         0            -            -

The "show limits resource-profile -verbose" command displays:

Resource Profile: router1
   Authenticated Users = 512
   MAC Rules           = 0
   IPV6 Rules          = 0
   IPV4 Rules          = 249
   L2 Rules            = 175
   IPV6 Ingress ACL    = 128
   IPV6 PBR            = 0
   IPV4 Ingress ACL    = 128
   IPV4 PBR            = 128
   L2 Ingress ACL      = 0
   IPV6 Egress ACL     = 256
   IPV4 Egress ACL     = 256
   L2 Egress ACL       = 0

How can we solve the problem (more accepted entries in the ACL)?

networks
Posted 2 years ago


Daniel Coughlin, Employee
I would suggest consolidating the rule base as much as possible. There are limited resources allowed for ACLs even with the router1 profile selected. The 7100 was intended as a top-of-rack switch.

networks
But why do the "show" commands display 249/1000 possible IPV4 rules while the configuration accepts only 171 rules?

Does it help to use a profile other than router1?

Daniel Coughlin, Employee
There are only the default and router1 profiles.

French, Luke, Employee
Sorry for the issue; you might be encountering a limitation other than the number of ACLs. I have one below as an example, and am not saying it is your issue, but it is an example.
https://gtacknowledge.extremenetworks.com/articles/Solution/7100-Series-Error-Apply-access-group-fai...

Do you get an error message or see an error in the show logging buffer about the ACL?

networks
This is the error message:

TOR(rw-config-intf-vlan.0.1001)->ip access-group 101 out

Apply access-group failed: Insufficient resources to apply access-group

French, Luke, Employee
That error is in the article I posted and caused by using an ACL with UDP port ranges.

networks
Is there any chance of consolidating these rules:

ip access-list extended 101
  permit ip host 192.168.1.248 any
  permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255 192.168.12.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255 192.168.13.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit ip 192.168.1.240 0.0.0.7 host 192.168.200.201
  permit ip 192.168.60.0 0.0.3.255 192.168.60.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.2.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.2.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.3.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.3.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.4.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.4.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.5.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.5.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.10.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.10.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 25
  permit tcp 192.168.200.0 0.0.0.255 eq 25 192.168.10.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.11.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.11.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 192.168.11.0 0.0.0.255 eq 25
  permit tcp 192.168.200.0 0.0.0.255 eq 25 192.168.11.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.12.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.12.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 192.168.12.0 0.0.0.255 eq 25
  permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.13.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.13.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 192.168.13.0 0.0.0.255 eq 25
  permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.50.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.50.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 eq 25 192.168.50.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 192.168.50.0 0.0.0.255 eq 25
  permit tcp 192.168.200.0 0.0.0.255 192.168.50.0 0.0.0.255 eq 10051
  permit tcp 192.168.200.0 0.0.0.255 eq 10050 192.168.50.0 0.0.0.255
  permit tcp 192.168.16.0 0.0.0.255 host 192.168.50.202 eq 1521
  permit tcp 192.168.16.0 0.0.0.255 host 192.168.50.208 eq 1521
  permit tcp 192.168.88.0 0.0.0.255 host 192.168.50.208 eq 1521
  permit ip 192.168.86.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 9100
  permit tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 80
  permit tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 443
  permit ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255 192.168.11.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255 192.168.13.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit tcp 192.168.5.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
  permit ip 164.26.201.248 0.0.0.7 192.168.2.0 0.0.0.255
  permit tcp 10.240.10.0 0.0.0.255 host 192.168.50.202 eq 22
  permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
  permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
  permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
  permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
  permit ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
  permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
  permit ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
  permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit tcp 192.168.10.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
  permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
  permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
  permit ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.0.255
  permit ip 192.168.11.0 0.0.0.255 192.168.3.0 0.0.0.255
  permit ip 192.168.11.0 0.0.0.255 192.168.4.0 0.0.0.255
  permit ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
  permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
  permit ip 192.168.11.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit tcp 192.168.11.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
  permit ip 192.168.11.0 0.0.0.255 192.168.200.0 0.0.0.255
  permit ip 192.168.12.0 0.0.0.255 192.168.1.0 0.0.0.255
  permit ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
  permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
  permit ip 192.168.12.0 0.0.0.255 192.168.13.0 0.0.0.255
  permit ip 192.168.12.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit tcp 192.168.12.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
  permit ip 192.168.12.0 0.0.0.255 192.168.200.0 0.0.0.255
  permit ip 192.168.13.0 0.0.0.255 192.168.1.0 0.0.0.255
  permit ip 192.168.13.0 0.0.0.255 192.168.2.0 0.0.0.255
  permit ip 192.168.13.0 0.0.0.255 192.168.3.0 0.0.0.255
  permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
  permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
  permit ip 192.168.13.0 0.0.0.255 192.168.10.0 0.0.0.255
  permit ip 192.168.13.0 0.0.0.255 192.168.11.0 0.0.0.255
  permit ip 192.168.13.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit tcp 192.168.13.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
  permit ip 192.168.13.0 0.0.0.255 192.168.200.0 0.0.0.255
  permit ip 192.168.66.0 0.0.0.255 192.168.65.0 0.0.0.255
  permit tcp 192.168.84.0 0.0.0.255 host 192.168.50.20 eq 3389
  permit tcp 192.168.85.0 0.0.0.255 192.168.91.0 0.0.0.255 eq 3389
  permit tcp 192.168.85.0 0.0.0.255 192.168.92.0 0.0.0.255 eq 3389
  permit tcp 192.168.85.0 0.0.0.255 192.168.93.0 0.0.0.255 eq 3389
  permit tcp 192.168.85.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
  permit tcp 192.168.88.0 0.0.0.255 192.168.91.0 0.0.0.255 eq 3389
  permit tcp 192.168.88.0 0.0.0.255 192.168.92.0 0.0.0.255 eq 3389
  permit tcp 192.168.88.0 0.0.0.255 192.168.93.0 0.0.0.255 eq 3389
  permit tcp 192.168.88.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
  permit ip 192.168.90.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit tcp 192.168.90.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
  permit tcp 192.168.91.0 0.0.0.255 eq 3389 any
  permit tcp 192.168.92.0 0.0.0.255 eq 3389 any
  permit tcp 192.168.97.0 0.0.0.255 eq 3389 any
  permit tcp any eq 80 host 192.168.2.11
  permit tcp any eq 443 host 192.168.2.11
  permit tcp any eq 80 host 192.168.2.19
  permit tcp any eq 3101 host 192.168.50.201
  permit tcp any eq 443 host 192.168.50.201
  permit tcp any eq 3101 host 192.168.50.229
  permit tcp any eq 443 host 192.168.50.229
  permit tcp any eq 443 host 192.168.50.238
  permit tcp any eq 2222 host 192.168.60.254
  permit ip host 192.168.200.201 192.168.1.240 0.0.0.7
  permit ip host 192.168.200.201 host 192.168.1.249
  permit ip host 192.168.200.201 host 192.168.1.252
  permit tcp host 192.168.200.201 192.168.50.0 0.0.0.255 eq 22
  permit tcp host 192.168.200.201 192.168.50.0 0.0.0.255 eq 80
  permit tcp host 192.168.200.201 192.168.50.0 0.0.0.255 eq 3389
  permit tcp host 192.168.200.201 192.168.97.0 0.0.0.255 eq 3389
  permit tcp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 636
  permit udp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 636
  permit tcp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 7191
  permit udp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 7191
  permit tcp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 4500
  permit udp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 4500
  permit ip host 192.168.14.13 host 192.168.50.215
  permit ip 10.22.96.0 0.0.0.255 192.168.2.0 0.0.0.255
  permit tcp 10.240.10.0 0.0.0.255 host 192.168.50.202 eq 5714
  permit tcp 10.240.10.0 0.0.255.255 host 192.168.50.212 eq 1158
  permit tcp 10.240.10.0 0.0.255.255 host 192.168.50.212 eq 5502
  permit ip 10.12.7.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit ip 10.12.6.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit tcp 192.168.1.0 0.0.0.255 eq 123 192.168.60.0 0.0.3.255
  permit udp 192.168.1.0 0.0.0.255 eq 123 192.168.60.0 0.0.3.255
  deny ip any any

Erik Auerswald, Embassador
Hi Andre,

You can combine some of the lines by using a different wildcard mask. An example would be:

The two lines
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
can be combined into
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.1.255
Br,
Erik

Ryan Mathews, Alum
Great to see you back on the Hub Erik!  

Careno, Ryan, Employee
You may want to double check and/or test this, but here's a shortened ACL (116 lines):

  permit ip host 192.168.1.248 any
  permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.1.255
  permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.1.255
  permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.1.255
  permit ip 192.168.1.0 0.0.0.255 192.168.12.0 0.0.1.255
  permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit ip 192.168.1.240 0.0.0.7 host 192.168.200.201
  permit ip 192.168.60.0 0.0.3.255 192.168.60.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.2.0 0.0.1.255
  permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.2.0 0.0.1.255
  permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.4.0 0.0.1.255
  permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.4.0 0.0.1.255
  permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.10.0 0.0.1.255
  permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.10.0 0.0.1.255
  permit tcp 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 25
  permit tcp 192.168.200.0 0.0.0.255 eq 25 192.168.10.0 0.0.1.255
  permit tcp 192.168.200.0 0.0.0.255 192.168.11.0 0.0.0.255 eq 25
  permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.12.0 0.0.1.255
  permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.12.0 0.0.1.255
  permit tcp 192.168.200.0 0.0.0.255 192.168.12.0 0.0.0.255 eq 25
  permit tcp 192.168.200.0 0.0.0.255 192.168.13.0 0.0.0.255 eq 25
  permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.50.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.50.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 eq 25 192.168.50.0 0.0.0.255
  permit tcp 192.168.200.0 0.0.0.255 192.168.50.0 0.0.0.255 eq 25
  permit tcp 192.168.200.0 0.0.0.255 192.168.50.0 0.0.0.255 eq 10051
  permit tcp 192.168.200.0 0.0.0.255 eq 10050 192.168.50.0 0.0.0.255
  permit tcp 192.168.16.0 0.0.0.255 host 192.168.50.202 eq 1521
  permit tcp 192.168.16.0 0.0.0.255 host 192.168.50.208 eq 1521
  permit tcp 192.168.88.0 0.0.0.255 host 192.168.50.208 eq 1521
  permit ip 192.168.86.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 9100
  permit tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 80
  permit tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 443
  permit ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255 192.168.11.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255 192.168.13.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit tcp 192.168.5.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
  permit ip 164.26.201.248 0.0.0.7 192.168.2.0 0.0.0.255
  permit tcp 10.240.10.0 0.0.0.255 host 192.168.50.202 eq 22
  permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
  permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.1.255
  permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.1.255
  permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
  permit ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
  permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit tcp 192.168.10.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
  permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
  permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
  permit ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.1.255
  permit ip 192.168.11.0 0.0.0.255 192.168.4.0 0.0.1.255
  permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
  permit ip 192.168.11.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit tcp 192.168.11.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
  permit ip 192.168.11.0 0.0.0.255 192.168.200.0 0.0.0.255
  permit ip 192.168.12.0 0.0.0.255 192.168.1.0 0.0.0.255
  permit ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
  permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
  permit ip 192.168.12.0 0.0.0.255 192.168.13.0 0.0.0.255
  permit ip 192.168.12.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit tcp 192.168.12.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
  permit ip 192.168.12.0 0.0.0.255 192.168.200.0 0.0.0.255
  permit ip 192.168.13.0 0.0.0.255 192.168.1.0 0.0.0.255
  permit ip 192.168.13.0 0.0.0.255 192.168.2.0 0.0.1.255
  permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.1.255
  permit ip 192.168.13.0 0.0.0.255 192.168.10.0 0.0.1.255
  permit ip 192.168.13.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit tcp 192.168.13.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
  permit ip 192.168.13.0 0.0.0.255 192.168.200.0 0.0.0.255
  permit ip 192.168.66.0 0.0.0.255 192.168.65.0 0.0.0.255
  permit tcp 192.168.84.0 0.0.0.255 host 192.168.50.20 eq 3389
  permit tcp 192.168.85.0 0.0.0.255 192.168.91.0 0.0.0.255 eq 3389
  permit tcp 192.168.85.0 0.0.0.255 192.168.92.0 0.0.1.255 eq 3389
  permit tcp 192.168.85.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
  permit tcp 192.168.88.0 0.0.0.255 192.168.91.0 0.0.0.255 eq 3389
  permit tcp 192.168.88.0 0.0.0.255 192.168.92.0 0.0.1.255 eq 3389
  permit tcp 192.168.88.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
  permit ip 192.168.90.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit tcp 192.168.90.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
  permit tcp 192.168.91.0 0.0.0.255 eq 3389 any
  permit tcp 192.168.92.0 0.0.0.255 eq 3389 any
  permit tcp 192.168.97.0 0.0.0.255 eq 3389 any
  permit tcp any eq 80 host 192.168.2.11
  permit tcp any eq 443 host 192.168.2.11
  permit tcp any eq 80 host 192.168.2.19
  permit tcp any eq 3101 host 192.168.50.201
  permit tcp any eq 443 host 192.168.50.201
  permit tcp any eq 3101 host 192.168.50.229
  permit tcp any eq 443 host 192.168.50.229
  permit tcp any eq 443 host 192.168.50.238
  permit tcp any eq 2222 host 192.168.60.254
  permit ip host 192.168.200.201 192.168.1.240 0.0.0.7
  permit ip host 192.168.200.201 host 192.168.1.249
  permit ip host 192.168.200.201 host 192.168.1.252
  permit tcp host 192.168.200.201 192.168.50.0 0.0.0.255 eq 22
  permit tcp host 192.168.200.201 192.168.50.0 0.0.0.255 eq 80
  permit tcp host 192.168.200.201 192.168.50.0 0.0.0.255 eq 3389
  permit tcp host 192.168.200.201 192.168.97.0 0.0.0.255 eq 3389
  permit tcp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 636
  permit udp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 636
  permit tcp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 7191
  permit udp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 7191
  permit tcp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 4500
  permit udp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 4500
  permit ip host 192.168.14.13 host 192.168.50.215
  permit ip 10.22.96.0 0.0.0.255 192.168.2.0 0.0.0.255
  permit tcp 10.240.10.0 0.0.0.255 host 192.168.50.202 eq 5714
  permit tcp 10.240.10.0 0.0.255.255 host 192.168.50.212 eq 1158
  permit tcp 10.240.10.0 0.0.255.255 host 192.168.50.212 eq 5502
  permit ip 10.12.7.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit ip 10.12.6.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit tcp 192.168.1.0 0.0.0.255 eq 123 192.168.60.0 0.0.3.255
  permit udp 192.168.1.0 0.0.0.255 eq 123 192.168.60.0 0.0.3.255
  deny ip any any


Ryan
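Erik's wildcard trick and the full shortened list Ryan derived from it can be automated, and, more importantly, checked. Merging two /24 entries into one with a 0.0.1.255 wildcard is only exact when the pair is aligned (192.168.2.0 with 192.168.3.0); merging 192.168.5.0 with 192.168.6.0 the same way would silently also permit 192.168.4.0/24, which the original ACL never allowed. The following is an added example, not code from this thread or from Extreme Networks. It parses entries in the `permit|deny <proto> <src> [eq N] <dst> [eq N]` form used above, merges aligned pairs that share action, protocol and ports, and then proves that the result matches exactly what the original entries matched. The sample ACL lines and all function names are constructed for the example.

```python
# Added example (not from the thread or Extreme Networks): ACL wildcard-mask
# consolidation with an exactness check, so a merge never permits more than it replaces.
import ipaddress
import re
from typing import NamedTuple, Optional

ANY, A = 0xFFFFFFFF, ipaddress.IPv4Address
ADDR = r"(any|host \S+|\S+ \S+)"  # any | host X | network wildcard
RULE = re.compile(rf"(\S+) (\S+) {ADDR}(?: eq (\d+))? {ADDR}(?: eq (\d+))?$")
Block = NamedTuple("Block", [("base", int), ("wild", int)])  # wildcard 0 = host, ANY = any
Entry = NamedTuple("Entry", [("action", str), ("proto", str), ("src", Block),
                             ("sport", Optional[int]), ("dst", Block), ("dport", Optional[int])])
key = lambda e: (e.action, e.proto, e.sport, e.dport)  # everything but the address blocks

def net(b):  # contiguous wildcard (2^k - 1) -> prefix; anything else is rejected
    if (b.wild + 1) & b.wild:
        raise ValueError(f"non-contiguous wildcard: {fmt_block(b)}")
    return ipaddress.IPv4Network((b.base, 33 - (b.wild + 1).bit_length()))

def fmt_block(b):
    return "any" if b.wild == ANY else f"host {A(b.base)}" if b.wild == 0 else f"{A(b.base)} {A(b.wild)}"

def fmt(e):
    sp = f" eq {e.sport}" if e.sport is not None else ""
    dp = f" eq {e.dport}" if e.dport is not None else ""
    return f"{e.action} {e.proto} {fmt_block(e.src)}{sp} {fmt_block(e.dst)}{dp}"

def parse_block(s):
    if s == "any":
        return Block(0, ANY)
    a, w = s.split()
    return Block(int(A(w)), 0) if a == "host" else Block(int(A(a)), int(A(w)))

def parse_entry(line):  # 'permit|deny <proto> <src> [eq N] <dst> [eq N]', as in the thread
    act, proto, s, sp, d, dp = RULE.match(line.strip()).groups()
    return Entry(act, proto, parse_block(s), sp and int(sp), parse_block(d), dp and int(dp))

def merge_blocks(a, b):
    # Equal-sized adjacent blocks whose pair is aligned (.2.0/24 + .3.0/24, but not
    # .5.0/24 + .6.0/24) collapse into one block with a one-bit-wider wildcard.
    if a.wild != b.wild or (a.wild + 1) & a.wild:
        return None
    size, lo, hi = a.wild + 1, min(a.base, b.base), max(a.base, b.base)
    return Block(lo, 2 * a.wild + 1) if hi - lo == size and lo % (2 * size) == 0 else None

def merge_entries(a, b):
    if key(a) == key(b) and a.src == b.src and (m := merge_blocks(a.dst, b.dst)) is not None:
        return a._replace(dst=m)
    if key(a) == key(b) and a.dst == b.dst and (m := merge_blocks(a.src, b.src)) is not None:
        return a._replace(src=m)
    return None

def subsumes(m, o):
    return key(m) == key(o) and net(o.src).subnet_of(net(m.src)) and net(o.dst).subnet_of(net(m.dst))

def equivalent(original, merged):
    # Exact: each merged entry is covered cell by cell by the originals it subsumes
    # (so it permits nothing new), and every original survives in some merged entry.
    for m in merged:
        subs = [o for o in original if subsumes(m, o)]
        if not subs:
            return False
        sp, dp = max(net(o.src).prefixlen for o in subs), max(net(o.dst).prefixlen for o in subs)
        for s in net(m.src).subnets(new_prefix=sp):
            for d in net(m.dst).subnets(new_prefix=dp):
                if not any(s.subnet_of(net(o.src)) and d.subnet_of(net(o.dst)) for o in subs):
                    return False
    return all(any(subsumes(m, o) for m in merged) for o in original)

def consolidate_acl(text):
    # Merge pairs until none is left; a pair is merged only while every entry between
    # them has the same action, so the ACL's first-match semantics are unchanged.
    original = [parse_entry(l) for l in text.splitlines() if l.strip()]
    out, merged = list(original), True
    while merged:
        merged = False
        for i in range(len(out)):
            for j in range(i + 1, len(out)):
                if out[j].action != out[i].action:
                    break
                if (m := merge_entries(out[i], out[j])) is not None:
                    out[i], merged = m, True
                    del out[j]
                    break
            if merged:
                break
    if not equivalent(original, out):
        raise ValueError("merge would change what the ACL matches")
    return [fmt(e) for e in out]

# Constructed sample in the thread's style; .5.0 + .6.0 is misaligned and must not merge.
SAMPLE_ACL = """\
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.4.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.5.0 0.0.0.255
deny ip any any
"""
```

On the constructed sample, `consolidate_acl(SAMPLE_ACL)` returns four permits and the deny: the .2.0/.3.0 pair and the two `eq 80` entries collapse to 0.0.1.255 wildcards, the .5.0/.6.0 pair stays as two lines, and `equivalent` makes the function raise on any merge that widened the list. The same check is worth running after hand-editing a long list like the one above, before applying it with `ip access-group`, since an over-broad wildcard is a permit nobody reviewed.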

networks
THANKS A LOT to all!

networks
Does somebody know why the switch shows:

 IPV4 Rules          = 249

or

Chassis limits:
Application                         Limit    In use   Entry size  Total Memory
-------------------------------- --------- --------- ------------ ------------
access-lists                           256         9         125K        31.3M
  access-list-entries                 1000       180         160B       156.4K

and we ended up at 180 ACL entries?

networks
Is there any chance to configure more than 180 ACL rules? How?

Careno, Ryan, Employee
With a clean slate configuration (just a single L3 interface) and using router-profile 'router1' I was able to create an ACL that had 200 lines in it; however, the total number of ACL lines that can be applied at any given time is not to exceed 128.

Say you have an ACL that is 24 lines (add 1 due to the implicit deny all at the end, so 25). You can apply that to five layer-3 interfaces (25 * 5 = 125). If you try applying it to a sixth interface, it will jump to 150 applied ACL lines.

The 7100-Series is limited in its resources and is more aimed towards a top-of-rack solution for datacenter switching. A good replacement for the DFE S-Series would be an SSA, which has the resources for more ACLs and PBR setup.

Ryan 
Extreme Networks

networks
We will try whether this helps, but the SSA isn't an option (not enough 10G ports). Can the K-Series work as a replacement? Which limitations does it have?

James A, Embassador
What about an S1A with SK8008-1224-F8 ?

networks
We need roughly 40 x 1000TX + 12 x 10G + 250 extended ACL...

Careno, Ryan, Employee
The K-Series supports 1000 ACLs, 5000 ACL rules, and 1000 ACL rules per ACL. It does have more ACL capability, but according to the release notes it only supports 12 x 10GB ports.

It may be best to contact your Sales rep. and explain the requirements so they can search for the best-fit product for the job.

Ryan

networks
Hi,

Yes, we checked. The K-Series says for "show limits":
Application                         Limit    In use
-------------------------------- --------- ---------
access-lists                          1000         9
  access-list-entries                 5000       212
But why does the 7100 say the following, when we cannot reach these limits:
Application                         Limit    In use
-------------------------------- --------- ---------
access-lists                           256         9
  access-list-entries                 1000       180
We would be very happy if we could reach 1000 access-list entries!!!

networks
Do these come in a new firmware track?

Careno, Ryan, Employee
Hello,

The output from "show limits" on the 7100-series is not going to be accurate, but is more of a placeholder for our "theoretical maximum". The values change based on limited hardware resources, and depending on which resource profile is chosen, you are limited to the specifications listed in the output of "show limits resource-profile -verbose", which states your limitations. For example, the router1 profile:


TOR(su)->show limits resource-profile -verbose
Resource Profile: configured (router1), operational (router1)

Resource Profile: router1
   Authenticated Users = 512
   MAC Rules           = 0
   IPV6 Rules          = 0
   IPV4 Rules          = 249
   L2 Rules            = 175
   IPV6 Ingress ACL    = 128
   IPV6 PBR            = 0
   IPV4 Ingress ACL    = 128
   IPV4 PBR            = 128
   L2 Ingress ACL      = 0
   IPV6 Egress ACL     = 256
   IPV4 Egress ACL     = 256
   L2 Egress ACL       = 0

Here would be the default setup if you have not changed the resource profile:


TOR(su)->show limits resource-profile -verbose
Resource Profile: configured (default), operational (default)

Resource Profile: default
   Authenticated Users = 512
   MAC Rules           = 128
   IPV6 Rules          = 127
   IPV4 Rules          = 249
   L2 Rules            = 175
   IPV6 Ingress ACL    = 0
   IPV6 PBR            = 0
   IPV4 Ingress ACL    = 0
   IPV4 PBR            = 0
   L2 Ingress ACL      = 0
   IPV6 Egress ACL     = 256
   IPV4 Egress ACL     = 256
   L2 Egress ACL       = 0
Here is one of our Knowledge Articles briefly going over this:

https://gtacknowledge.extremenetworks.com/articles/Solution/7100-Series-Advanced-Router-Mode-Limitat...

The only things I can think of doing are either to use a different model switch that has added ACL support or to contact us to submit a feature request.

Ryan

networks
With profile "router1", does IPV4 Egress ACL mean 249 ACLs? But why can we not use more than 180?

Careno, Ryan, Employee
I created an ACL that has 200 rules; however, you can only have 128 rules applied at any given time, so I would have to delete rules 128-200 to get it to apply to an interface.

I would suggest opening a case with GTAC so we can review configurations and try to assist getting a working configuration.

Ryan 

networks
And what if you create 10 access-lists with roughly 25 access-list entries each?

Careno, Ryan, Employee
I created 10 access-lists with 25 entries in each, however I won't be able to apply all of these to interfaces since it's exceeding the limit of 128 inbound rules applied. 



ip access-list extended number1
  permit ip host 1.1.1.1 host 1.1.1.1
  permit ip host 1.1.1.1 host 1.1.1.2
  permit ip host 1.1.1.1 host 1.1.1.3
  permit ip host 1.1.1.1 host 1.1.1.4
  permit ip host 1.1.1.1 host 1.1.1.5
  permit ip host 1.1.1.1 host 1.1.1.6
  permit ip host 1.1.1.1 host 1.1.1.7
  permit ip host 1.1.1.1 host 1.1.1.8
  permit ip host 1.1.1.1 host 1.1.1.9
  permit ip host 1.1.1.1 host 1.1.1.10
  permit ip host 1.1.1.1 host 1.1.1.11
  permit ip host 1.1.1.1 host 1.1.1.12
  permit ip host 1.1.1.1 host 1.1.1.13
  permit ip host 1.1.1.1 host 1.1.1.14
  permit ip host 1.1.1.1 host 1.1.1.15
  permit ip host 1.1.1.1 host 1.1.1.16
  permit ip host 1.1.1.1 host 1.1.1.17
  permit ip host 1.1.1.1 host 1.1.1.18
  permit ip host 1.1.1.1 host 1.1.1.19
  permit ip host 1.1.1.1 host 1.1.1.20
  permit ip host 1.1.1.1 host 1.1.1.21
  permit ip host 1.1.1.1 host 1.1.1.22
  permit ip host 1.1.1.1 host 1.1.1.23
  permit ip host 1.1.1.1 host 1.1.1.24
  permit ip any any
  exit
 ip access-list extended number10
  permit ip host 1.1.1.1 host 1.1.1.1
  permit ip host 1.1.1.1 host 1.1.1.2
  permit ip host 1.1.1.1 host 1.1.1.3
  permit ip host 1.1.1.1 host 1.1.1.4
  permit ip host 1.1.1.1 host 1.1.1.5
  permit ip host 1.1.1.1 host 1.1.1.6
  permit ip host 1.1.1.1 host 1.1.1.7
  permit ip host 1.1.1.1 host 1.1.1.8
  permit ip host 1.1.1.1 host 1.1.1.9
  permit ip host 1.1.1.1 host 1.1.1.10
  permit ip host 1.1.1.1 host 1.1.1.11
  permit ip host 1.1.1.1 host 1.1.1.12
  permit ip host 1.1.1.1 host 1.1.1.13
  permit ip host 1.1.1.1 host 1.1.1.14
  permit ip host 1.1.1.1 host 1.1.1.15
  permit ip host 1.1.1.1 host 1.1.1.16
  permit ip host 1.1.1.1 host 1.1.1.17
  permit ip host 1.1.1.1 host 1.1.1.18
  permit ip host 1.1.1.1 host 1.1.1.19
  permit ip host 1.1.1.1 host 1.1.1.20
  permit ip host 1.1.1.1 host 1.1.1.21
  permit ip host 1.1.1.1 host 1.1.1.22
  permit ip host 1.1.1.1 host 1.1.1.23
  permit ip host 1.1.1.1 host 1.1.1.24
  permit ip any any
  exit
 ip access-list extended number2
  permit ip host 1.1.1.1 host 1.1.1.1
  permit ip host 1.1.1.1 host 1.1.1.2
  permit ip host 1.1.1.1 host 1.1.1.3
  permit ip host 1.1.1.1 host 1.1.1.4
  permit ip host 1.1.1.1 host 1.1.1.5
  permit ip host 1.1.1.1 host 1.1.1.6
  permit ip host 1.1.1.1 host 1.1.1.7
  permit ip host 1.1.1.1 host 1.1.1.8
  permit ip host 1.1.1.1 host 1.1.1.9
  permit ip host 1.1.1.1 host 1.1.1.10
  permit ip host 1.1.1.1 host 1.1.1.11
  permit ip host 1.1.1.1 host 1.1.1.12
  permit ip host 1.1.1.1 host 1.1.1.13
  permit ip host 1.1.1.1 host 1.1.1.14
  permit ip host 1.1.1.1 host 1.1.1.15
  permit ip host 1.1.1.1 host 1.1.1.16
  permit ip host 1.1.1.1 host 1.1.1.17
  permit ip host 1.1.1.1 host 1.1.1.18
  permit ip host 1.1.1.1 host 1.1.1.19
  permit ip host 1.1.1.1 host 1.1.1.20
  permit ip host 1.1.1.1 host 1.1.1.21
  permit ip host 1.1.1.1 host 1.1.1.22
  permit ip host 1.1.1.1 host 1.1.1.23
  permit ip host 1.1.1.1 host 1.1.1.24
  permit ip any any
  exit
 ip access-list extended number3
  permit ip host 1.1.1.1 host 1.1.1.1
  permit ip host 1.1.1.1 host 1.1.1.2
  permit ip host 1.1.1.1 host 1.1.1.3
  permit ip host 1.1.1.1 host 1.1.1.4
  permit ip host 1.1.1.1 host 1.1.1.5
  permit ip host 1.1.1.1 host 1.1.1.6
  permit ip host 1.1.1.1 host 1.1.1.7
  permit ip host 1.1.1.1 host 1.1.1.8
  permit ip host 1.1.1.1 host 1.1.1.9
  permit ip host 1.1.1.1 host 1.1.1.10
  permit ip host 1.1.1.1 host 1.1.1.11
  permit ip host 1.1.1.1 host 1.1.1.12
  permit ip host 1.1.1.1 host 1.1.1.13
  permit ip host 1.1.1.1 host 1.1.1.14
  permit ip host 1.1.1.1 host 1.1.1.15
  permit ip host 1.1.1.1 host 1.1.1.16
  permit ip host 1.1.1.1 host 1.1.1.17
  permit ip host 1.1.1.1 host 1.1.1.18
  permit ip host 1.1.1.1 host 1.1.1.19
  permit ip host 1.1.1.1 host 1.1.1.20
  permit ip host 1.1.1.1 host 1.1.1.21
  permit ip host 1.1.1.1 host 1.1.1.22
  permit ip host 1.1.1.1 host 1.1.1.23
  permit ip host 1.1.1.1 host 1.1.1.24
  permit ip any any
  exit
 ip access-list extended number4
  permit ip host 1.1.1.1 host 1.1.1.1
  permit ip host 1.1.1.1 host 1.1.1.2
  permit ip host 1.1.1.1 host 1.1.1.3
  permit ip host 1.1.1.1 host 1.1.1.4
  permit ip host 1.1.1.1 host 1.1.1.5
  permit ip host 1.1.1.1 host 1.1.1.6
  permit ip host 1.1.1.1 host 1.1.1.7
  permit ip host 1.1.1.1 host 1.1.1.8
  permit ip host 1.1.1.1 host 1.1.1.9
  permit ip host 1.1.1.1 host 1.1.1.10
  permit ip host 1.1.1.1 host 1.1.1.11
  permit ip host 1.1.1.1 host 1.1.1.12
  permit ip host 1.1.1.1 host 1.1.1.13
  permit ip host 1.1.1.1 host 1.1.1.14
  permit ip host 1.1.1.1 host 1.1.1.15
  permit ip host 1.1.1.1 host 1.1.1.16
  permit ip host 1.1.1.1 host 1.1.1.17
  permit ip host 1.1.1.1 host 1.1.1.18
  permit ip host 1.1.1.1 host 1.1.1.19
  permit ip host 1.1.1.1 host 1.1.1.20
  permit ip host 1.1.1.1 host 1.1.1.21
  permit ip host 1.1.1.1 host 1.1.1.22
  permit ip host 1.1.1.1 host 1.1.1.23
  permit ip host 1.1.1.1 host 1.1.1.24
  permit ip any any
  exit
 ip access-list extended number5
  permit ip host 1.1.1.1 host 1.1.1.1
  permit ip host 1.1.1.1 host 1.1.1.2
  permit ip host 1.1.1.1 host 1.1.1.3
  permit ip host 1.1.1.1 host 1.1.1.4
  permit ip host 1.1.1.1 host 1.1.1.5
  permit ip host 1.1.1.1 host 1.1.1.6
  permit ip host 1.1.1.1 host 1.1.1.7
  permit ip host 1.1.1.1 host 1.1.1.8
  permit ip host 1.1.1.1 host 1.1.1.9
  permit ip host 1.1.1.1 host 1.1.1.10
  permit ip host 1.1.1.1 host 1.1.1.11
  permit ip host 1.1.1.1 host 1.1.1.12
  permit ip host 1.1.1.1 host 1.1.1.13
  permit ip host 1.1.1.1 host 1.1.1.14
  permit ip host 1.1.1.1 host 1.1.1.15
  permit ip host 1.1.1.1 host 1.1.1.16
  permit ip host 1.1.1.1 host 1.1.1.17
  permit ip host 1.1.1.1 host 1.1.1.18
  permit ip host 1.1.1.1 host 1.1.1.19
  permit ip host 1.1.1.1 host 1.1.1.20
  permit ip host 1.1.1.1 host 1.1.1.21
  permit ip host 1.1.1.1 host 1.1.1.22
  permit ip host 1.1.1.1 host 1.1.1.23
  permit ip host 1.1.1.1 host 1.1.1.24
  permit ip any any
  exit
 ip access-list extended number6
  permit ip host 1.1.1.1 host 1.1.1.1
  permit ip host 1.1.1.1 host 1.1.1.2
  permit ip host 1.1.1.1 host 1.1.1.3
  permit ip host 1.1.1.1 host 1.1.1.4
  permit ip host 1.1.1.1 host 1.1.1.5
  permit ip host 1.1.1.1 host 1.1.1.6
  permit ip host 1.1.1.1 host 1.1.1.7
  permit ip host 1.1.1.1 host 1.1.1.8
  permit ip host 1.1.1.1 host 1.1.1.9
  permit ip host 1.1.1.1 host 1.1.1.10
  permit ip host 1.1.1.1 host 1.1.1.11
  permit ip host 1.1.1.1 host 1.1.1.12
  permit ip host 1.1.1.1 host 1.1.1.13
  permit ip host 1.1.1.1 host 1.1.1.14
  permit ip host 1.1.1.1 host 1.1.1.15
  permit ip host 1.1.1.1 host 1.1.1.16
  permit ip host 1.1.1.1 host 1.1.1.17
  permit ip host 1.1.1.1 host 1.1.1.18
  permit ip host 1.1.1.1 host 1.1.1.19
  permit ip host 1.1.1.1 host 1.1.1.20
  permit ip host 1.1.1.1 host 1.1.1.21
  permit ip host 1.1.1.1 host 1.1.1.22
  permit ip host 1.1.1.1 host 1.1.1.23
  permit ip host 1.1.1.1 host 1.1.1.24
  permit ip any any
  exit
 ip access-list extended number7
  permit ip host 1.1.1.1 host 1.1.1.1
  permit ip host 1.1.1.1 host 1.1.1.2
  permit ip host 1.1.1.1 host 1.1.1.3
  permit ip host 1.1.1.1 host 1.1.1.4
  permit ip host 1.1.1.1 host 1.1.1.5
  permit ip host 1.1.1.1 host 1.1.1.6
  permit ip host 1.1.1.1 host 1.1.1.7
  permit ip host 1.1.1.1 host 1.1.1.8
  permit ip host 1.1.1.1 host 1.1.1.9
  permit ip host 1.1.1.1 host 1.1.1.10
  permit ip host 1.1.1.1 host 1.1.1.11
  permit ip host 1.1.1.1 host 1.1.1.12
  permit ip host 1.1.1.1 host 1.1.1.13
  permit ip host 1.1.1.1 host 1.1.1.14
  permit ip host 1.1.1.1 host 1.1.1.15
  permit ip host 1.1.1.1 host 1.1.1.16
  permit ip host 1.1.1.1 host 1.1.1.17
  permit ip host 1.1.1.1 host 1.1.1.18
  permit ip host 1.1.1.1 host 1.1.1.19
  permit ip host 1.1.1.1 host 1.1.1.20
  permit ip host 1.1.1.1 host 1.1.1.21
  permit ip host 1.1.1.1 host 1.1.1.22
  permit ip host 1.1.1.1 host 1.1.1.23
  permit ip host 1.1.1.1 host 1.1.1.24
  permit ip any any
  exit
 ip access-list extended number8
  permit ip host 1.1.1.1 host 1.1.1.1
  permit ip host 1.1.1.1 host 1.1.1.2
  permit ip host 1.1.1.1 host 1.1.1.3
  permit ip host 1.1.1.1 host 1.1.1.4
  permit ip host 1.1.1.1 host 1.1.1.5
  permit ip host 1.1.1.1 host 1.1.1.6
  permit ip host 1.1.1.1 host 1.1.1.7
  permit ip host 1.1.1.1 host 1.1.1.8
  permit ip host 1.1.1.1 host 1.1.1.9
  permit ip host 1.1.1.1 host 1.1.1.10
  permit ip host 1.1.1.1 host 1.1.1.11
  permit ip host 1.1.1.1 host 1.1.1.12
  permit ip host 1.1.1.1 host 1.1.1.13
  permit ip host 1.1.1.1 host 1.1.1.14
  permit ip host 1.1.1.1 host 1.1.1.15
  permit ip host 1.1.1.1 host 1.1.1.16
  permit ip host 1.1.1.1 host 1.1.1.17
  permit ip host 1.1.1.1 host 1.1.1.18
  permit ip host 1.1.1.1 host 1.1.1.19
  permit ip host 1.1.1.1 host 1.1.1.20
  permit ip host 1.1.1.1 host 1.1.1.21
  permit ip host 1.1.1.1 host 1.1.1.22
  permit ip host 1.1.1.1 host 1.1.1.23
  permit ip host 1.1.1.1 host 1.1.1.24
  permit ip any any
  exit
 ip access-list extended number9
  permit ip host 1.1.1.1 host 1.1.1.1
  permit ip host 1.1.1.1 host 1.1.1.2
  permit ip host 1.1.1.1 host 1.1.1.3
  permit ip host 1.1.1.1 host 1.1.1.4
  permit ip host 1.1.1.1 host 1.1.1.5
  permit ip host 1.1.1.1 host 1.1.1.6
  permit ip host 1.1.1.1 host 1.1.1.7
  permit ip host 1.1.1.1 host 1.1.1.8
  permit ip host 1.1.1.1 host 1.1.1.9
  permit ip host 1.1.1.1 host 1.1.1.10
  permit ip host 1.1.1.1 host 1.1.1.11
  permit ip host 1.1.1.1 host 1.1.1.12
  permit ip host 1.1.1.1 host 1.1.1.13
  permit ip host 1.1.1.1 host 1.1.1.14
  permit ip host 1.1.1.1 host 1.1.1.15
  permit ip host 1.1.1.1 host 1.1.1.16
  permit ip host 1.1.1.1 host 1.1.1.17
  permit ip host 1.1.1.1 host 1.1.1.18
  permit ip host 1.1.1.1 host 1.1.1.19
  permit ip host 1.1.1.1 host 1.1.1.20
  permit ip host 1.1.1.1 host 1.1.1.21
  permit ip host 1.1.1.1 host 1.1.1.22
  permit ip host 1.1.1.1 host 1.1.1.23
  permit ip host 1.1.1.1 host 1.1.1.24
  permit ip any any
  exit