topic RE: 7100-Series / ACL / Access Control List Limitations in ExtremeSwitching (EOS)

7100-Series / ACL / Access Control List Limitations

networks — Thu, 16 Feb 2017 15:42:00 GMT

We try to transfer an ACL from a DFE module (with Advanced Licence) to an 7100 (about 300 entries). We can only enter 180 lines, then we're done.

TOR(rw-cfg-ext-acl-160)->permit tcp host 192.168.60.254 any eq 2222
Apply access-group failed: Insufficient resources to apply access-group
TOR(rw-cfg-ext-acl-160)-><165>Feb 15 03:01:46 0.0.0.0 RtrAcl[1]
Rules Exhausted for IpV4 Egress Acls, interfaces applied 1 Need 2 rules but have only 1, cannot apply
--------------------------------------------------------------------------------------------------------
The "show limits" command displays:

Chassis limits:Application Limit In use Entry size Total Memory
-------------------------------- --------- --------- ------------ ------------
access-lists 256 9 125K 31.3M
access-list-entries 1000 180 160B 156.4K
access-list-entries-per-list 1000 - - -
applied-access-lists 1552 8 110B 165.5K
applied-ipv4-in 256 0 - -
applied-ipv4-out 256 8 - -
applied-ipv6-in 256 0 - -
applied-ipv6-out 256 0 - -
applied-l2-in 256 0 - -
applied-l2-out 256 0 - -
--------------------------------------------------------------------------------------------------------
The "show limits resource-profile -verbose" command displays:

Resource Profile: configured (default), operational (default)
Resource Profile: default
Authenticated Users = 512
MAC Rules = 128
IPV6 Rules = 127
IPV4 Rules = 249
L2 Rules = 175
IPV6 Ingress ACL = 0
IPV6 PBR = 0
IPV4 Ingress ACL = 0
IPV4 PBR = 0
L2 Ingress ACL = 0
IPV6 Egress ACL = 256
IPV4 Egress ACL = 256
L2 Egress ACL = 0
--------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------
How can we solve the problem (more accepted entries in the ACL)?

RE: 7100-Series / ACL / Access Control List Limitations

jsoler — Thu, 16 Feb 2017 16:02:00 GMT

Hi,

The limits for ACLs in the 7100 series platform is smaller than in the N-Series. I believe is a hardware limitation.

I am afraid this is FAD (Functions as Designed).

In another client, what I did is convert part of it (if not all) to policies using Policy Manager.

Hope it helps.

RE: 7100-Series / ACL / Access Control List Limitations

networks — Thu, 16 Feb 2017 16:21:00 GMT

but why the switch shows:

IPV4 Rules = 249

or

Chassis limits:Application Limit In use Entry size Total Memory
-------------------------------- --------- --------- ------------ ------------
access-lists 256 9 125K 31.3M
access-list-entries 1000 180 160B 156.4K

and we ended at 180 ACL-entries?

RE: 7100-Series / ACL / Access Control List Limitations

networks — Mon, 20 Feb 2017 14:33:00 GMT

does somebopdy know why the switch shows:

IPV4 Rules = 249

or

Chassis limits:Application Limit In use Entry size Total Memory
-------------------------------- --------- --------- ------------ ------------
access-lists 256 9 125K 31.3M
access-list-entries 1000 180 160B 156.4K

and we ended at 180 ACL-entries?

RE: 7100-Series / ACL / Access Control List Limitations

Drew_C — Wed, 22 Feb 2017 05:33:00 GMT

I'm closing this thread for further comment because it appears to be a duplicate of this topic:
https://community.extremenetworks.com/extreme/topics/7100-series-acl-access-control-list-limitations