SecureStack Policy Profile & Rule limitations

FAQ_User — Thu, 21 Nov 2013 07:25:00 GMT

Article ID: 5821

Products
C3-Series, C2-Series
B3-Series, B2-Series
B2POL-LIC

Protocols/Features
Policy
CoS
IRL
Metering
UPN

Goals
SecureStack Policy Profile & Rule limitations
Mixed stacking

Symptoms
"config mismatch"
"% Invalid input detected at '^' marker."
"Error, General error!"

Cause
Policy/CoS is always available on the SecureStack C3 and C2. Policy/CoS may be enabled on the SecureStack B3 and B2 by configuring them with a Policy license (5781).

This document summarizes differences in Policy support among these SecureStack lines.

Solution
The policy limitations for the above-stated products and firmware are as follows:

For C3 and B3 (C3G, B3G) units, running f/w 1.00.35 through 1.00.98 (C3G) or f/w 1.00.29 through 1.00.92 (B3G), we impose
- a maximum of 15 profiles/roles per stack;
- a maximum of 768 unique rules and 768 unique masks per stack;
- a maximum of 100 rules and 100 masks per profile/role;
- no MAC or Ethertype rules[2];
- no metering[3].
For C3 and B3 (C3G, B3G) units, running f/w 1.01.01.0039 through 1.02.06.0004, we impose
- a maximum of 2 policy users per port (User+IP Phone);
- a maximum of 15 profiles/roles per stack;
- a maximum of 768 unique rules per stack;
- a maximum of 100 rules per profile/role;
- a maximum of 512 L3/L4 + 128 EtherType + 128 MAC-based unique rules, and 768 unique masks per stack;
- no metering[3].
For C3 and B3 (C3G, B3G) units, running f/w 6.03.00.0022 or higher, we impose
- a maximum of 6 (tunnel mode) or 3 (policy mode, hybrid mode) users per port;
- a maximum of 15 profiles/roles per stack;
- a maximum of 768 unique rules per stack;
- a maximum of 100 rules per profile/role;
- a maximum of 512 L3/L4 + 128 EtherType + 128 MAC-based unique rules, and unlimited masks per stack.
- no metering[3].
For C3/C2 and B3/B2 mixed stacks running C2 or B2 firmware, we impose the more restrictive of the limitations applicable to either the hardware or the firmware[1].
For C2 and B2 gigabit (C2G, B2G) units, running f/w 5.00.28 through 5.00.83 (C2) or f/w 4.00.22 through 4.00.83 (B2), we impose
- a maximum of 2 policy users per port (User+IP Phone);
- a maximum of 48 profiles/roles per stack;
- a maximum of 768 unique rules per stack[1];
- a maximum of 100 rules and 10 masks per profile/role[1];
- no MAC or Ethertype rules[2].
For C2 and B2 gigabit (C2G, B2G) units, running f/w 5.01.01.0039 through 5.01.06.0007 (C2) or f/w 4.01.01.0039 through 4.01.06.0007 (B2), we impose
- a maximum of 2 policy users per port (User+IP Phone);
- a maximum of 48 profiles/roles per stack;
- a maximum of 768 unique rules per stack[1];
- a maximum of 100 rules and 10 masks per profile/role[1].
For C2 and B2 gigabit (C2G, B2G) units, running f/w 5.02.01.0006 or higher (C2) or f/w 4.02.01.0006 or higher (B2), we impose
- a maximum of 2 policy users per port (User+IP Phone);
- a maximum of 255 profiles/roles per stack;
- a maximum of 100 unique rules and 10 unique masks per stack[1];
- a maximum of 100 rules per profile/role[1].
For C2 and B2 fast ethernet (C2H, B2H) units, running f/w 5.00.28 through 5.00.83 (C2) or f/w 4.00.22 through 4.00.83 (B2), we impose
- a maximum of 2 policy users per port (User+IP Phone);
- a maximum of 15 profiles/roles per stack;
- a maximum of 100 unique rules and 18 unique masks per stack[1];
- a maximum of 100 rules and 10 masks per profile/role[1];
- no MAC, Ethertype, or ICMP rules[2].
For C2 and B2 fast ethernet (C2H, B2H) units running f/w 5.01.01.0039 through 5.01.06.0007 (C2) or f/w 4.01.01.0039 through 4.01.06.0007 (B2), we impose
- a maximum of 2 policy users per port (User+IP Phone);
- a maximum of 15 profiles/roles per stack;
- a maximum of 100 unique rules and 18 unique masks per stack[1];
- a maximum of 100 rules and 10 masks per profile/role[1].
For C2 and B2 fast ethernet (C2H, B2H) units, running f/w 5.02.01.0006 or higher (C2) or f/w 4.02.01.0006 or higher (B2), we impose
- a maximum of 2 policy users per port (User+IP Phone);
- a maximum of 255 profiles/roles per stack;
- a maximum of 100 unique rules and 18 unique masks per stack[1];
- a maximum of 100 rules per profile/role[1].
[1]Except for what is stated below as metering guidelines[3], the limitations of an entire running (possibly mixed: 5834) stack can be no less than the constraints applicable to the lowest-capacity unit in the stack. If a unit is added to an already-running stack, the configurations are checked before applying Policy rules. If the added unit cannot handle the installed policies on the stack, a "config mismatch" will occur, and a message in syslog will indicate the reason.

[2]Attempting to code a disallowed rule type results in an error message: either "% Invalid input detected at '^' marker." (C3/B3 firmware) or "Error, General error!" (C2/B2 firmware).

[3] "Metering" here is synonymous with "rule-based Inbound Rate Limiting". On the C3/B3, Inbound Rate limiting will only be applied if associated with a profile/role, yielding a single limiter for all of a profile's traffic. IRLs associated with a profile's underlying rules will be ignored on C3/B3 ports, but will function as expected on C2/B2 ports even in a mixed stack. An IRL is in all cases applied via a referenced cos (Class of Service).

A "unique rule" is one which is distinctive after removing the role index reference.
A "unique mask" is one which presents a distinctive combination of rule type and mask length. To this list is added one additional unique mask to accommodate "Role Default Actions".

You may also refer to the product Datasheets: C3 / B3.

topic SecureStack Policy Profile & Rule limitations in FAQs

SecureStack Policy Profile & Rule limitations