Extreme Networks

7100-Series / ACL / Access Control List / Limitations


We want to transfer a large ACL (about 300 entries) from a DFE module (with Advanced Licence) to a 7100. We can only enter 171 lines, then we're done.

The "show limits" command displays:

Chassis limits:
Application Limit In use Entry size Total Memory
-------------------------------- --------- --------- ------------ ------------
access-lists 256 9 125K 31.3M
access-list-entries 1000 171 160B 156.4K
access-list-entries-per-list 1000 - - -
applied-access-lists 1552 0 110B 165.5K
applied-ipv4-in 256 0 - -
applied-ipv4-out 256 0 - -
applied-ipv6-in 256 0 - -
applied-ipv6-out 256 0 - -
applied-l2-in 256 0 - -
applied-l2-out 256 0 - -

The "show limits resource-profile -verbose" command displays:

Resource Profile: router1
Authenticated Users = 512
MAC Rules = 0
IPV6 Rules = 0
IPV4 Rules = 249
L2 Rules = 175
IPV6 Ingress ACL = 128
IPV6 PBR = 0
IPV4 Ingress ACL = 128
IPV4 PBR = 128
L2 Ingress ACL = 0
IPV6 Egress ACL = 256
IPV4 Egress ACL = 256
L2 Egress ACL = 0

How can we solve the problem (more accepted entries in the ACL)?


I would suggest consolidating the rule base as much as possible. There are limited resources allowed for ACLs even with the router1 profile selected. The 7100 was intended as a top-of-rack switch.
But why do the "show" commands display 249/1000 possible IPv4 rules when the configuration accepts only 171 rules?

Does it help to use a profile other than router1?
There are only the default and router1 profiles.
But why do the "show" commands display 249/1000 possible IPv4 rules when the configuration accepts only 171 rules?
networks wrote:

But why do the "show" commands display 249/1000 possible IPv4 rules when the configuration accepts only 171 rules?

Sorry for the issue; you might be encountering a limitation other than the number of ACLs. I have one below as an example. I am not saying it is your issue, but it is an example.
https://gtacknowledge.extremenetworks.com/articles/Solution/7100-Series-Error-Apply-access-group-fai...

Do you get an error message or see an error in the show logging buffer about the ACL?
networks wrote:

But why do the "show" commands display 249/1000 possible IPv4 rules when the configuration accepts only 171 rules?

This is the error message:

TOR(rw-config-intf-vlan.0.1001)->ip access-group 101 out

Apply access-group failed: Insufficient resources to apply access-group
networks wrote:

But why do the "show" commands display 249/1000 possible IPv4 rules when the configuration accepts only 171 rules?

That error is in the article I posted and caused by using an ACL with UDP port ranges.
Is there any chance of consolidating these rules?

ip access-list extended 101
permit ip host 192.168.1.248 any
permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.12.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.13.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.1.240 0.0.0.7 host 192.168.200.201
permit ip 192.168.60.0 0.0.3.255 192.168.60.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.2.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.2.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.3.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.3.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.4.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.4.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.5.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.5.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.10.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.10.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 25
permit tcp 192.168.200.0 0.0.0.255 eq 25 192.168.10.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.11.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.11.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 192.168.11.0 0.0.0.255 eq 25
permit tcp 192.168.200.0 0.0.0.255 eq 25 192.168.11.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.12.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.12.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 192.168.12.0 0.0.0.255 eq 25
permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.13.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.13.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 192.168.13.0 0.0.0.255 eq 25
permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.50.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.50.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 25 192.168.50.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 192.168.50.0 0.0.0.255 eq 25
permit tcp 192.168.200.0 0.0.0.255 192.168.50.0 0.0.0.255 eq 10051
permit tcp 192.168.200.0 0.0.0.255 eq 10050 192.168.50.0 0.0.0.255
permit tcp 192.168.16.0 0.0.0.255 host 192.168.50.202 eq 1521
permit tcp 192.168.16.0 0.0.0.255 host 192.168.50.208 eq 1521
permit tcp 192.168.88.0 0.0.0.255 host 192.168.50.208 eq 1521
permit ip 192.168.86.0 0.0.0.255 192.168.50.0 0.0.0.255
permit tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 9100
permit tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 80
permit tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 443
permit ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.13.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.50.0 0.0.0.255
permit tcp 192.168.5.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
permit ip 164.26.201.248 0.0.0.7 192.168.2.0 0.0.0.255
permit tcp 10.240.10.0 0.0.0.255 host 192.168.50.202 eq 22
permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
permit tcp 192.168.10.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.50.0 0.0.0.255
permit tcp 192.168.11.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
permit ip 192.168.11.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.13.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.50.0 0.0.0.255
permit tcp 192.168.12.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
permit ip 192.168.12.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 192.168.50.0 0.0.0.255
permit tcp 192.168.13.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
permit ip 192.168.13.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.66.0 0.0.0.255 192.168.65.0 0.0.0.255
permit tcp 192.168.84.0 0.0.0.255 host 192.168.50.20 eq 3389
permit tcp 192.168.85.0 0.0.0.255 192.168.91.0 0.0.0.255 eq 3389
permit tcp 192.168.85.0 0.0.0.255 192.168.92.0 0.0.0.255 eq 3389
permit tcp 192.168.85.0 0.0.0.255 192.168.93.0 0.0.0.255 eq 3389
permit tcp 192.168.85.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
permit tcp 192.168.88.0 0.0.0.255 192.168.91.0 0.0.0.255 eq 3389
permit tcp 192.168.88.0 0.0.0.255 192.168.92.0 0.0.0.255 eq 3389
permit tcp 192.168.88.0 0.0.0.255 192.168.93.0 0.0.0.255 eq 3389
permit tcp 192.168.88.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
permit ip 192.168.90.0 0.0.0.255 192.168.50.0 0.0.0.255
permit tcp 192.168.90.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
permit tcp 192.168.91.0 0.0.0.255 eq 3389 any
permit tcp 192.168.92.0 0.0.0.255 eq 3389 any
permit tcp 192.168.97.0 0.0.0.255 eq 3389 any
permit tcp any eq 80 host 192.168.2.11
permit tcp any eq 443 host 192.168.2.11
permit tcp any eq 80 host 192.168.2.19
permit tcp any eq 3101 host 192.168.50.201
permit tcp any eq 443 host 192.168.50.201
permit tcp any eq 3101 host 192.168.50.229
permit tcp any eq 443 host 192.168.50.229
permit tcp any eq 443 host 192.168.50.238
permit tcp any eq 2222 host 192.168.60.254
permit ip host 192.168.200.201 192.168.1.240 0.0.0.7
permit ip host 192.168.200.201 host 192.168.1.249
permit ip host 192.168.200.201 host 192.168.1.252
permit tcp host 192.168.200.201 192.168.50.0 0.0.0.255 eq 22
permit tcp host 192.168.200.201 192.168.50.0 0.0.0.255 eq 80
permit tcp host 192.168.200.201 192.168.50.0 0.0.0.255 eq 3389
permit tcp host 192.168.200.201 192.168.97.0 0.0.0.255 eq 3389
permit tcp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 636
permit udp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 636
permit tcp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 7191
permit udp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 7191
permit tcp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 4500
permit udp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 4500
permit ip host 192.168.14.13 host 192.168.50.215
permit ip 10.22.96.0 0.0.0.255 192.168.2.0 0.0.0.255
permit tcp 10.240.10.0 0.0.0.255 host 192.168.50.202 eq 5714
permit tcp 10.240.10.0 0.0.255.255 host 192.168.50.212 eq 1158
permit tcp 10.240.10.0 0.0.255.255 host 192.168.50.212 eq 5502
permit ip 10.12.7.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 10.12.6.0 0.0.0.255 192.168.50.0 0.0.0.255
permit tcp 192.168.1.0 0.0.0.255 eq 123 192.168.60.0 0.0.3.255
permit udp 192.168.1.0 0.0.0.255 eq 123 192.168.60.0 0.0.3.255
deny ip any any
Hi Andre,

you can combine some of the lines by using a different wildcard mask. An example would be:

The two lines
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

can be combined into

permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.1.255

Br,
Erik
Erik Auerswald wrote:

Hi Andre,

you can combine some of the lines by using a different wildcard mask. An example would be:

The two lines
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

can be combined into

permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.1.255

Br,
Erik

Great to see you back on the Hub Erik!
You may want to double check and/or test this, but here's a shortened ACL (116 lines):

permit ip host 192.168.1.248 any
permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.1.255
permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.1.255
permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.1.255
permit ip 192.168.1.0 0.0.0.255 192.168.12.0 0.0.1.255
permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.1.240 0.0.0.7 host 192.168.200.201
permit ip 192.168.60.0 0.0.3.255 192.168.60.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.2.0 0.0.1.255
permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.2.0 0.0.1.255
permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.4.0 0.0.1.255
permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.4.0 0.0.1.255
permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.10.0 0.0.1.255
permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.10.0 0.0.1.255
permit tcp 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 25
permit tcp 192.168.200.0 0.0.0.255 eq 25 192.168.10.0 0.0.1.255
permit tcp 192.168.200.0 0.0.0.255 192.168.11.0 0.0.0.255 eq 25
permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.12.0 0.0.1.255
permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.12.0 0.0.1.255
permit tcp 192.168.200.0 0.0.0.255 192.168.12.0 0.0.0.255 eq 25
permit tcp 192.168.200.0 0.0.0.255 192.168.13.0 0.0.0.255 eq 25
permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.50.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 443 192.168.50.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 25 192.168.50.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 192.168.50.0 0.0.0.255 eq 25
permit tcp 192.168.200.0 0.0.0.255 192.168.50.0 0.0.0.255 eq 10051
permit tcp 192.168.200.0 0.0.0.255 eq 10050 192.168.50.0 0.0.0.255
permit tcp 192.168.16.0 0.0.0.255 host 192.168.50.202 eq 1521
permit tcp 192.168.16.0 0.0.0.255 host 192.168.50.208 eq 1521
permit tcp 192.168.88.0 0.0.0.255 host 192.168.50.208 eq 1521
permit ip 192.168.86.0 0.0.0.255 192.168.50.0 0.0.0.255
permit tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 9100
permit tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 80
permit tcp 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 443
permit ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.13.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.50.0 0.0.0.255
permit tcp 192.168.5.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
permit ip 164.26.201.248 0.0.0.7 192.168.2.0 0.0.0.255
permit tcp 10.240.10.0 0.0.0.255 host 192.168.50.202 eq 22
permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.1.255
permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.1.255
permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
permit tcp 192.168.10.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.1.255
permit ip 192.168.11.0 0.0.0.255 192.168.4.0 0.0.1.255
permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.50.0 0.0.0.255
permit tcp 192.168.11.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
permit ip 192.168.11.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.13.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.50.0 0.0.0.255
permit tcp 192.168.12.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
permit ip 192.168.12.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 192.168.2.0 0.0.1.255
permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.1.255
permit ip 192.168.13.0 0.0.0.255 192.168.10.0 0.0.1.255
permit ip 192.168.13.0 0.0.0.255 192.168.50.0 0.0.0.255
permit tcp 192.168.13.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
permit ip 192.168.13.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.66.0 0.0.0.255 192.168.65.0 0.0.0.255
permit tcp 192.168.84.0 0.0.0.255 host 192.168.50.20 eq 3389
permit tcp 192.168.85.0 0.0.0.255 192.168.91.0 0.0.0.255 eq 3389
permit tcp 192.168.85.0 0.0.0.255 192.168.92.0 0.0.1.255 eq 3389
permit tcp 192.168.85.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
permit tcp 192.168.88.0 0.0.0.255 192.168.91.0 0.0.0.255 eq 3389
permit tcp 192.168.88.0 0.0.0.255 192.168.92.0 0.0.1.255 eq 3389
permit tcp 192.168.88.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
permit ip 192.168.90.0 0.0.0.255 192.168.50.0 0.0.0.255
permit tcp 192.168.90.0 0.0.0.255 192.168.97.0 0.0.0.255 eq 3389
permit tcp 192.168.91.0 0.0.0.255 eq 3389 any
permit tcp 192.168.92.0 0.0.0.255 eq 3389 any
permit tcp 192.168.97.0 0.0.0.255 eq 3389 any
permit tcp any eq 80 host 192.168.2.11
permit tcp any eq 443 host 192.168.2.11
permit tcp any eq 80 host 192.168.2.19
permit tcp any eq 3101 host 192.168.50.201
permit tcp any eq 443 host 192.168.50.201
permit tcp any eq 3101 host 192.168.50.229
permit tcp any eq 443 host 192.168.50.229
permit tcp any eq 443 host 192.168.50.238
permit tcp any eq 2222 host 192.168.60.254
permit ip host 192.168.200.201 192.168.1.240 0.0.0.7
permit ip host 192.168.200.201 host 192.168.1.249
permit ip host 192.168.200.201 host 192.168.1.252
permit tcp host 192.168.200.201 192.168.50.0 0.0.0.255 eq 22
permit tcp host 192.168.200.201 192.168.50.0 0.0.0.255 eq 80
permit tcp host 192.168.200.201 192.168.50.0 0.0.0.255 eq 3389
permit tcp host 192.168.200.201 192.168.97.0 0.0.0.255 eq 3389
permit tcp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 636
permit udp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 636
permit tcp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 7191
permit udp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 7191
permit tcp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 4500
permit udp host 192.168.200.207 192.168.50.0 0.0.0.255 eq 4500
permit ip host 192.168.14.13 host 192.168.50.215
permit ip 10.22.96.0 0.0.0.255 192.168.2.0 0.0.0.255
permit tcp 10.240.10.0 0.0.0.255 host 192.168.50.202 eq 5714
permit tcp 10.240.10.0 0.0.255.255 host 192.168.50.212 eq 1158
permit tcp 10.240.10.0 0.0.255.255 host 192.168.50.212 eq 5502
permit ip 10.12.7.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 10.12.6.0 0.0.0.255 192.168.50.0 0.0.0.255
permit tcp 192.168.1.0 0.0.0.255 eq 123 192.168.60.0 0.0.3.255
permit udp 192.168.1.0 0.0.0.255 eq 123 192.168.60.0 0.0.3.255
deny ip any any

Ryan
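The consolidation Erik describes and Ryan applied by hand above, as an added example (not code from the thread or from Extreme Networks): a small Python tool that parses the entry syntax used in this ACL, merges two entries that differ only in the two aligned halves of one block (192.168.2.0 and 192.168.3.0 become 192.168.2.0 0.0.1.255, but 192.168.3.0 and 192.168.4.0 are left alone, because 192.168.3.0 0.0.1.255 would also match 192.168.2.x), drops an entry that a wider entry earlier in the list already covers, and then checks on probe packets at the edges of every block that the shortened list reaches exactly the same permit/deny decision as the original. The sample ACL is constructed from a slice of the list posted above plus one redundant entry; all function and variable names are this example's own.

```python
"""Added example: merge extended-ACL entries that differ only in one aligned
address block (the 0.0.1.255 trick from the thread), drop entries a wider one
already covers, and check the result decides like the original on edge probes."""
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import List, Optional

Net = ipaddress.IPv4Network
_ADDR = r"(any|host \S+|\S+ \S+)"
_ACE = re.compile(rf"^(permit|deny) (\S+) {_ADDR}(?: eq (\d+))? {_ADDR}(?: eq (\d+))?$")

@dataclass(frozen=True)
class Ace:
    action: str           # "permit" | "deny"
    proto: str            # "ip" matches any protocol; otherwise "tcp", "udp", ...
    src: Net
    sport: Optional[int]  # port after "eq" on the source side, else None
    dst: Net
    dport: Optional[int]

def _net(spec: str) -> Net:
    """'any' | 'host A' | 'A W' (W = wildcard mask) -> prefix-form network."""
    if spec == "any":
        return Net("0.0.0.0/0")
    a, w = spec.split()
    if a == "host" or w == "0.0.0.0":
        return Net((w if a == "host" else a) + "/32")
    if w == "255.255.255.255":
        return Net("0.0.0.0/0")
    # ipaddress takes any other contiguous wildcard as a host mask (it would read
    # the two cases above the other way round) and raises on a non-contiguous one.
    return Net(f"{a}/{w}", strict=False)

def parse_acl(text: str) -> List[Ace]:
    """Parse 'permit|deny PROTO SRC [eq N] DST [eq N]' lines. Header lines and
    remarks are skipped; an entry with another qualifier (range, established)
    raises instead of being dropped silently."""
    acl = []
    for line in text.splitlines():
        m = _ACE.match(line.strip())
        if m is None:
            if line.split()[:1] in (["permit"], ["deny"]):
                raise ValueError(f"unsupported entry: {line!r}")
            continue
        act, proto, src, sp, dst, dp = m.groups()
        acl.append(Ace(act, proto, _net(src), sp and int(sp), _net(dst), dp and int(dp)))
    return acl

def _fmt(net: Net) -> str:
    if net.prefixlen in (0, 32):
        return "any" if net.prefixlen == 0 else f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"

def format_ace(a: Ace) -> str:
    sp = ["eq", str(a.sport)] if a.sport is not None else []
    dp = ["eq", str(a.dport)] if a.dport is not None else []
    return " ".join([a.action, a.proto, _fmt(a.src), *sp, _fmt(a.dst), *dp])

def _step(acl: List[Ace]) -> Optional[List[Ace]]:
    """One consolidation step, or None. Entries i<j qualify when they differ in
    one address field only and no entry of the other action lies in i..j (with
    first-match order the widened entry at i could otherwise shadow it)."""
    for i, a in enumerate(acl):
        for j in range(i + 1, len(acl)):
            b = acl[j]
            if any(e.action != a.action for e in acl[i:j + 1]):
                continue
            for f, o in (("dst", "src"), ("src", "dst")):
                if (a.proto, a.sport, a.dport, getattr(a, o)) != \
                   (b.proto, b.sport, b.dport, getattr(b, o)):
                    continue
                fa, fb = getattr(a, f), getattr(b, f)
                if fb.subnet_of(fa):                 # j is redundant: drop it
                    return acl[:j] + acl[j + 1:]
                if fa.subnet_of(fb):                 # j covers i: widen i to j
                    wider = fb
                elif fa.prefixlen == fb.prefixlen > 0 and fa.supernet() == fb.supernet():
                    wider = fa.supernet()            # two aligned halves of one block
                else:
                    continue
                return acl[:i] + [replace(a, **{f: wider})] + acl[i + 1:j] + acl[j + 1:]
    return None

def consolidate(acl: List[Ace]) -> List[Ace]:
    nxt = _step(acl)
    while nxt is not None:
        acl, nxt = nxt, _step(nxt)
    return acl

def decision(acl: List[Ace], proto, src, sport, dst, dport) -> str:
    """First-match evaluation with the implicit trailing deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for a in acl:
        if a.proto in ("ip", proto) and s in a.src and d in a.dst \
                and a.sport in (None, sport) and a.dport in (None, dport):
            return a.action
    return "deny"

def _edges(net: Net) -> List[str]:
    """First and last address of a block plus the two just outside it."""
    lo, hi = int(net.network_address), int(net.broadcast_address)
    return [str(ipaddress.IPv4Address(x)) for x in (max(lo - 1, 0), lo, hi, min(hi + 1, 2**32 - 1))]

def equivalent(x: List[Ace], y: List[Ace]) -> bool:
    """Same decision on edge probes of every entry of either list, tried with
    the entry's own ports and with ports it does not name."""
    probes = [(("tcp" if a.proto == "ip" else a.proto), s, sp, d, dp)
              for a in x + y for s in _edges(a.src) for d in _edges(a.dst)
              for sp, dp in ((a.sport, a.dport), (a.sport or 40000, 40000))]
    return all(decision(x, *p) == decision(y, *p) for p in probes)

# Constructed sample: a slice of the thread's ACL plus one redundant entry.
SAMPLE_ACL = """\
permit ip host 192.168.1.248 any
permit ip host 192.168.1.248 192.168.50.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.2.0 0.0.0.255
permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.3.0 0.0.0.255
deny ip any any
"""

if __name__ == "__main__":
    before, after = parse_acl(SAMPLE_ACL), consolidate(parse_acl(SAMPLE_ACL))
    print(f"{len(before)} -> {len(after)} entries, equivalent={equivalent(before, after)}")
    print("\n".join(map(format_ace, after)))
```

Two points a practitioner should keep in mind: the tool only understands `eq` port qualifiers, so an entry with `range` or `established` makes `parse_acl` raise rather than vanish from the output, which is the failure mode to guard against when scripting ACL rewrites; and merging is refused whenever an entry of the opposite action sits between the two candidates, since with first-match semantics pulling a wider permit above a deny would change what the list does. Run `equivalent()` on the real list before and after, and keep the original under version control.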
THANKS A LOT to all!
Does somebody know why the switch shows:

IPV4 Rules = 249

or

Chassis limits:
Application Limit In use Entry size Total Memory
-------------------------------- --------- --------- ------------ ------------
access-lists 256 9 125K 31.3M
access-list-entries 1000 180 160B 156.4K

and we ended at 180 ACL entries?
Is there any chance to configure more than 180 ACL rules? How?
With a clean slate configuration (just single l3 interface) and using router-profile 'router1' I was able to create an ACL that had 200 lines in it, however the total amount of ACL lines that can be applied at any given time is not to exceed 128

Say you have an ACL that is 24 lines (add 1 due to implicit deny all at the end, so 25). You can apply that to five layer-3 interfaces (25 * 5 = 125). If you try applying to a sixth interface, it will jump to 150 applied ACL Lines.

The 7100-Series is limited in its resources and is more aimed towards a top-of-rack solution for datacenter switching. A good replacement for DFE S-Series would be an SSA, which has the resources for more ACLs and PBR setup.

Ryan
Extreme Networks
We will try whether these can help, but the SSA isn't an option (not enough 10G ports). Can the K-Series work as a replacement? Which limitations do these have?
networks wrote:

We will try whether these can help, but the SSA isn't an option (not enough 10G ports). Can the K-Series work as a replacement? Which limitations do these have?

What about an S1A with SK8008-1224-F8 ?
networks wrote:

will try if these can help - but the SSA is´nt an option (not enough 10G-Ports) - can the K-Series work as replacement? which limitations have these?

We need roughly 40 x 1000TX + 12 x 10G + 250 extended ACL...
The K-Series supports 1000 ACLs, 5000 ACL rules, and 1000 ACL rules per ACL. It does have more ACL capacity, but according to the release notes it only supports 12 x 10G ports.

It may be best to contact your Sales rep. and explain the requirements so they can search for the best-fit product for the job.

Ryan
Hi,
yes, we checked. The K-Series says for "show limits":

Application Limit In use
-------------------------------- --------- ---------
access-lists 1000 9
access-list-entries 5000 212

But why does the 7100 say the following when we cannot reach these limits?

Application Limit In use
-------------------------------- --------- ---------
access-lists 256 9
access-list-entries 1000 180

We would be very happy if we could reach 1000 access-list entries!!! Will these come in a new firmware track?
Hello,

The output from "show limits" on 7100-series is not going to be accurate, but more of a place holder as our "theoretical maximum". The values change based on limited hardware resources, and depending on which resource profile is chosen, you are limited to the specifications that are listed in the output "show limits resource-profile -verbose" which will state your limitations. For example, router1 profile:

TOR(su)->show limits resource-profile -verbose
Resource Profile: configured (router1), operational (router1)

Resource Profile: router1
Authenticated Users = 512
MAC Rules = 0
IPV6 Rules = 0
IPV4 Rules = 249
L2 Rules = 175
IPV6 Ingress ACL = 128
IPV6 PBR = 0
IPV4 Ingress ACL = 128
IPV4 PBR = 128
L2 Ingress ACL = 0
IPV6 Egress ACL = 256
IPV4 Egress ACL = 256
L2 Egress ACL = 0

Here would be the default setup if you have not changed the resource profile:

TOR(su)->show limits resource-profile -verbose
Resource Profile: configured (default), operational (default)

Resource Profile: default
Authenticated Users = 512
MAC Rules = 128
IPV6 Rules = 127
IPV4 Rules = 249
L2 Rules = 175
IPV6 Ingress ACL = 0
IPV6 PBR = 0
IPV4 Ingress ACL = 0
IPV4 PBR = 0
L2 Ingress ACL = 0
IPV6 Egress ACL = 256
IPV4 Egress ACL = 256
L2 Egress ACL = 0

Here is one of our Knowledge Articles briefly going over this:

https://gtacknowledge.extremenetworks.com/articles/Solution/7100-Series-Advanced-Router-Mode-Limitat...

The only things I can think to do are either to use a different model switch that has added ACL support or to contact us to submit a feature request.

Ryan
With profile "router1", does IPV4 Egress ACL mean 249 ACLs? But why can't we use more than 180?
I created an ACL that has 200 rules; however, you can only have 128 rules applied at any given time, so I would have to delete rules 128-200 to get it to apply to an interface.

I would suggest opening a case with GTAC so we can review configurations and try to assist getting a working configuration.

Ryan
