This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

7100-Series / ACL / Access Control List Limitations

7100-Series / ACL / Access Control List Limitations

networks
New Contributor

‎02-16-2017 07:42 AM

We try to transfer an ACL from a DFE module (with Advanced Licence) to an 7100 (about 300 entries). We can only enter 180 lines, then we're done.

TOR(rw-cfg-ext-acl-160)->permit tcp host 192.168.60.254 any eq 2222
Apply access-group failed: Insufficient resources to apply access-group
TOR(rw-cfg-ext-acl-160)-><165>Feb 15 03:01:46 0.0.0.0 RtrAcl[1]
Rules Exhausted for IpV4 Egress Acls, interfaces applied 1 Need 2 rules but have only 1, cannot apply
--------------------------------------------------------------------------------------------------------
The "show limits" command displays:

Chassis limits:Application Limit In use Entry size Total Memory
-------------------------------- --------- --------- ------------ ------------
access-lists 256 9 125K 31.3M
access-list-entries 1000 180 160B 156.4K
access-list-entries-per-list 1000 - - -
applied-access-lists 1552 8 110B 165.5K
applied-ipv4-in 256 0 - -
applied-ipv4-out 256 8 - -
applied-ipv6-in 256 0 - -
applied-ipv6-out 256 0 - -
applied-l2-in 256 0 - -
applied-l2-out 256 0 - -
--------------------------------------------------------------------------------------------------------
The "show limits resource-profile -verbose" command displays:

Resource Profile: configured (default), operational (default)
Resource Profile: default
Authenticated Users = 512
MAC Rules = 128
IPV6 Rules = 127
IPV4 Rules = 249
L2 Rules = 175
IPV6 Ingress ACL = 0
IPV6 PBR = 0
IPV4 Ingress ACL = 0
IPV4 PBR = 0
L2 Ingress ACL = 0
IPV6 Egress ACL = 256
IPV4 Egress ACL = 256
L2 Egress ACL = 0
--------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------
How can we solve the problem (more accepted entries in the ACL)?
0 Kudos
4 REPLIES 4

Drew_C
Valued Contributor III

‎02-21-2017 09:33 PM

I'm closing this thread for further comment because it appears to be a duplicate of this topic:
https://community.extremenetworks.com/extreme/topics/7100-series-acl-access-control-list-limitations
0 Kudos

networks
New Contributor

‎02-20-2017 06:33 AM

does somebopdy know why the switch shows:

IPV4 Rules = 249

or

Chassis limits:Application Limit In use Entry size Total Memory
-------------------------------- --------- --------- ------------ ------------
access-lists 256 9 125K 31.3M
access-list-entries 1000 180 160B 156.4K

and we ended at 180 ACL-entries?
0 Kudos

networks
New Contributor

‎02-16-2017 08:21 AM

but why the switch shows:

IPV4 Rules = 249

or

Chassis limits:Application Limit In use Entry size Total Memory
-------------------------------- --------- --------- ------------ ------------
access-lists 256 9 125K 31.3M
access-list-entries 1000 180 160B 156.4K

and we ended at 180 ACL-entries?
0 Kudos

jsoler
New Contributor II

‎02-16-2017 08:02 AM

Hi,

The limits for ACLs in the 7100 series platform is smaller than in the N-Series. I believe is a hardware limitation.

I am afraid this is FAD (Functions as Designed).

In another client, what I did is convert part of it (if not all) to policies using Policy Manager.

Hope it helps.
0 Kudos
GTM-P2G8KFN