7100-Series / ACL / Access Control List Limitations

Updated 2 years ago
We try to transfer an ACL from a DFE module (with Advanced Licence) to a 7100 (about 300 entries). We can only enter 180 lines, then we're done.

TOR(rw-cfg-ext-acl-160)->permit tcp host 192.168.60.254 any eq 2222
Apply access-group failed: Insufficient resources to apply access-group
TOR(rw-cfg-ext-acl-160)-><165>Feb 15 03:01:46 0.0.0.0 RtrAcl[1]
Rules Exhausted for IpV4 Egress Acls, interfaces applied 1 Need 2 rules but have only 1, cannot apply
--------------------------------------------------------------------------------------------------------
The "show limits" command displays:

Chassis limits:Application                         Limit    In use   Entry size  Total Memory
-------------------------------- --------- --------- ------------ ------------
access-lists                           256         9         125K        31.3M
  access-list-entries                 1000       180         160B       156.4K
  access-list-entries-per-list        1000         -            -            -
  applied-access-lists                1552         8         110B       165.5K
    applied-ipv4-in                    256         0            -            -
    applied-ipv4-out                   256         8            -            -
    applied-ipv6-in                    256         0            -            -
    applied-ipv6-out                   256         0            -            -
    applied-l2-in                      256         0            -            -
    applied-l2-out                     256         0            -            -
--------------------------------------------------------------------------------------------------------
The "show limits resource-profile -verbose" command displays:

Resource Profile: configured (default), operational (default)
Resource Profile: default
   Authenticated Users = 512
   MAC Rules           = 128
   IPV6 Rules          = 127
   IPV4 Rules          = 249
   L2 Rules            = 175
   IPV6 Ingress ACL    = 0
   IPV6 PBR            = 0
   IPV4 Ingress ACL    = 0
   IPV4 PBR            = 0
   L2 Ingress ACL      = 0
   IPV6 Egress ACL     = 256
   IPV4 Egress ACL     = 256
   L2 Egress ACL       = 0
--------------------------------------------------------------------------------------------------------
How can we solve the problem (more accepted entries in the ACL)?

networks

Posted 2 years ago
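Added here as an example (not code from the thread or from Extreme Networks): a small Python parser for the `show limits` table and the RtrAcl syslog message quoted above, the kind of check one would run before pushing a large ACL or feed from a syslog collector. It reports only the headroom the table itself claims; as the thread shows, the binding constraint on the 7100 was the hardware rule budget rather than the 1000-entry table limit, so treat the table figures as an upper bound. The regexes and function names are my own assumptions about the output format.

```python
import re

# Excerpt of the "show limits" output quoted in the thread (constructed from the post above).
SHOW_LIMITS = """\
Chassis limits:Application                         Limit    In use   Entry size  Total Memory
-------------------------------- --------- --------- ------------ ------------
access-lists                           256         9         125K        31.3M
  access-list-entries                 1000       180         160B       156.4K
  access-list-entries-per-list        1000         -            -            -
  applied-access-lists                1552         8         110B       165.5K
    applied-ipv4-out                   256         8            -            -
"""

# One table row: indent, name, Limit, In use ('-' when not tracked), Entry size, Total Memory.
ROW = re.compile(r"^(\s*)([a-z0-9-]+)\s+(\d+)\s+(\d+|-)\s+(\S+)\s+(\S+)\s*$")

def parse_show_limits(text):
    """Return {name: {"limit": int, "in_use": int or None, "depth": int}} per table row."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:            # caption, header and separator lines do not match
            continue
        indent, name, limit, in_use, _size, _mem = m.groups()
        rows[name] = {"limit": int(limit),
                      "in_use": None if in_use == "-" else int(in_use),
                      "depth": len(indent) // 2}
    return rows

def headroom(rows, name):
    """Entries the table still allows for `name` (None when the row shows no usage count)."""
    r = rows[name]
    return None if r["in_use"] is None else r["limit"] - r["in_use"]

def over_threshold(rows, pct):
    """Rows whose utilisation is at or above `pct` percent, in table order."""
    return [n for n, r in rows.items()
            if r["in_use"] is not None and r["limit"] and 100 * r["in_use"] / r["limit"] >= pct]

# RtrAcl syslog line from the thread: "Rules Exhausted for IpV4 Egress Acls, ... Need 2 rules but have only 1"
EXHAUST = re.compile(r"Rules Exhausted for (\S+) (Ingress|Egress) Acls.*?"
                     r"Need (\d+) rules? but have only (\d+)")

def parse_exhaustion(logline):
    """Return (family, direction, need, have) from a 'Rules Exhausted' message, else None."""
    m = EXHAUST.search(logline)
    return None if m is None else (m.group(1), m.group(2), int(m.group(3)), int(m.group(4)))
```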

Jordi Soler

Hi,

The limits for ACLs in the 7100 series platform are smaller than in the N-Series. I believe it is a hardware limitation.

I am afraid this is FAD (Functions as Designed).

For another client, what I did was convert part of it (if not all) to policies using Policy Manager.

Hope it helps.

networks

But why does the switch show:

 IPV4 Rules          = 249

or

Chassis limits:Application                         Limit    In use   Entry size  Total Memory
-------------------------------- --------- --------- ------------ ------------
access-lists                           256         9         125K        31.3M
  access-list-entries                 1000       180         160B       156.4K

and we ended at 180 ACL entries?

Drew C., Community Manager

I'm closing this thread for further comment because it appears to be a duplicate of this topic:
https://community.extremenetworks.com/extreme/topics/7100-series-acl-access-control-list-limitations 

This conversation is no longer open for comments or replies.