This section provides more details on filter scaling numbers for the supported platforms.
The switch supports the following maximum limits:

- 512 non-IPv6 ingress ACLs (inPort, inVSN, or inVlan):
  - 512 ACLs with 1 security ACE each OR
  - 256 ACLs with 1 QoS ACE each OR
  - a combination based on the following rule:
    ((num ACLs + num security ACEs) <= 1024) && ((num ACLs + num QoS ACEs) <= 512)
  - This maximum implies a VLAN member count of 1 for inVlan ACLs.
- 512 IPv6 ingress ACLs (inPort):
  - 512 ACLs with 1 security ACE each OR
  - a combination based on the following rule:
    (num ACLs + num security ACEs) <= 512
- 124 egress ACLs (outPort only):
  - 124 ACLs with 1 security ACE each (one of these ACLs can have 2 ACEs) OR
  - a combination based on the following rule:
    (num ACLs + num ACEs) <= 248
  - This maximum implies a port member count of 1 for outPort ACLs.
- 1534 ingress ACEs:
  - Theoretical maximum of 1534 implies 1 ingress ACL with 1023 security ACEs and 511 QoS ACEs.
  - Ingress ACEs supported: (1024 (security) - # of ACLs) + (512 (QoS) - # of ACLs).
  - This maximum also implies a VLAN member count of 1 for an inVlan ACL.
- 247 egress ACEs:
  - Theoretical maximum of 247 implies 1 egress ACL with 247 security ACEs.
  - Egress ACEs supported: 248 - # of ACLs.
  - This maximum also implies a port member count of 1 for the outPort ACL.
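
The combination rules above can be checked against a planned filter set before it is configured. This is an added example, not vendor code: the `Acl` record and the function names are hypothetical, and it assumes a port/VLAN member count of 1 per ACL, as the limits above do.

```python
from dataclasses import dataclass

# Right-hand sides of the combination rules listed above.
LIMITS = {
    "ingress_sec": 1024,   # num ACLs + num security ACEs (non-IPv6 ingress)
    "ingress_qos": 512,    # num ACLs + num QoS ACEs (non-IPv6 ingress)
    "ingress_ipv6": 512,   # num ACLs + num security ACEs (IPv6 ingress)
    "egress": 248,         # num ACLs + num ACEs (outPort)
}
MAX_EGRESS_ACLS = 124      # separate ceiling on the number of egress ACLs

@dataclass
class Acl:
    """Hypothetical planning record; assumes a port/VLAN member count of 1."""
    name: str
    kind: str              # "ingress", "ingress_ipv6" or "egress"
    sec_aces: int = 0
    qos_aces: int = 0

def bank_usage(acls):
    """Left-hand side of each rule: every ACL costs one entry plus its ACEs."""
    use = dict.fromkeys(LIMITS, 0)
    for acl in acls:
        if acl.kind == "ingress":
            # A non-IPv6 ingress ACL is counted in both inequalities,
            # even when it carries no ACE of the other type.
            use["ingress_sec"] += 1 + acl.sec_aces
            use["ingress_qos"] += 1 + acl.qos_aces
        elif acl.kind in ("ingress_ipv6", "egress"):
            use[acl.kind] += 1 + acl.sec_aces
        else:
            raise ValueError(f"unknown ACL kind: {acl.kind!r}")
    return use

def violations(acls):
    """Return the rules a planned ACL set would break (empty list = fits)."""
    use = bank_usage(acls)
    out = [f"{bank}: {use[bank]} > {limit}"
           for bank, limit in LIMITS.items() if use[bank] > limit]
    n_egress = sum(acl.kind == "egress" for acl in acls)
    if n_egress > MAX_EGRESS_ACLS:
        out.append(f"egress ACLs: {n_egress} > {MAX_EGRESS_ACLS}")
    return out

# Constructed plan: 400 inPort ACLs, each with one security and one QoS ACE.
plan = [Acl(f"acl{i}", "ingress", sec_aces=1, qos_aces=1) for i in range(400)]
print(violations(plan))
```

In the constructed plan the security rule still has room (800 of 1024) while the QoS rule is already exceeded, because each ACL is counted once in both.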
The switch supports the following maximum limits for ACL scaling:

- 512 non-IPv6 ingress ACLs (inVSN, inPort, or inVlan):
  - 256 ACLs with 1 Primary ACE each + 256 ACLs with 1 Secondary ACE each OR
  - 383 ACLs with 1 Primary ACE each and/or 1 Secondary ACE each OR
  - a combination based on the following rule:
    num ACLs <= 512 && (num ACLs + num Primary ACEs) <= 767 && (num ACLs + num Secondary ACEs) <= (767 – X) where X = num IPv6 ACLs + num IPv6 ACEs
  - For the Primary bank, this maximum implies a single port on inPort ACLs, a single I-SID for inVSN ACLs, and a single VLAN on inVlan ACLs.
  - For the Secondary bank, the number of rules consumed by an inPort ACL is not multiplied by the number of ports attached to the ACL.
- 383 IPv6 ingress ACLs (inPort):
  - 383 IPv6 ACLs with 1 ACE each OR
  - a combination based on the following rule:
    num IPv6 ACLs <= 383 && (num IPv6 ACLs + num ACEs) <= (767 – X) where X = num non-IPv6 ACLs + num non-IPv6 Secondary ACEs
  - This maximum implies a single port on inPort ACLs.
- 254 non-IPv6 egress ACLs (outPort):
  - 254 ACLs with 1 Security ACE each OR
  - a combination based on the following rule:
    num ACLs <= 254 && (num ACLs + num Security ACEs) <= 508
  - This maximum implies a single port on outPort ACLs.
- 256 IPv6 egress ACLs (outPort):
  - 256 ACLs with 1 Security ACE each OR
  - a combination based on the following rule:
    num ACLs <= 256 && (num ACLs + num Security ACEs) <= 512
  - This maximum implies a single port on outPort ACLs.
The switch supports the following maximum limits for ACE scaling:

- 1,532 non-IPv6 ingress ACEs
  - This theoretical maximum implies:
    - 2 non-IPv6 ingress ACLs with 383+384 Primary ACEs and 383+384 Secondary ACEs
    - no IPv6 ACLs configured
    - a single port on inPort ACLs, and a single VLAN on inVlan ACLs
- 767 IPv6 ingress ACEs
  - This theoretical maximum implies:
    - 1 IPv6 ingress ACL with 767 Security ACEs
    - no non-IPv6 ACLs configured
    - a port member count of 1 for inPort ACLs
- 783 non-IPv6 egress ACEs
  - This theoretical maximum implies:
    - 1 egress ACL with 783 Security ACEs
    - a port member count of 1 for outPort ACLs
  - Non-IPv6 egress ACEs supported: 783 - num non-IPv6 egress ACLs
- 511 IPv6 egress ACEs
  - This theoretical maximum implies:
    - 1 egress ACL with 511 Security ACEs
    - a port member count of 1 for outPort ACLs
  - IPv6 egress ACEs supported: 511 - num IPv6 egress ACLs
The number of private VLANs that you configure with an IP address influences the IPv4 Egress ACE count.
The following table lists scaling limits for Routed Private VLANs/E-TREEs. Limits are not enforced; either number of private VLANs or number of private VLAN trunk ports can go beyond the recommended values.
| | Private VLAN trunk ports | Routed PVLANs/E-TREEs | IPv4 Egress ACE rules available (No IPv6 egress filter bootflag enabled) | IPv4 Egress ACE rules available (With IPv6 egress filter bootflag enabled) |
|---|---|---|---|---|
| VSP 4900 Series | 4 | 30 | 97 | 49 |
| VSP 7400 Series | 4 | 50 | 532 | 20 |
resources consumed by Routed Private VLANs
free entries available for either IPv4 Egress ACEs or private VLANs
The following example output displays resource usage on a VSP 7400 Series for ten Routed Private VLANs with four private trunk members each.
```
Switch:1>show io resources filter

=============================================================================
                               FILTER TABLE
=============================================================================
-----------------------------------------------------------------------------
                     ACL Filter Resource Manager stats
----------------------------------------------------------------------------
BCM CAP Group:  | ICAP_SEC | ICAP_QOS | ICAP_IPv6 | ECAP_SEC | ECAP_IPv6
Group Mode:     | Double   | Triple   | Triple    | Double   | Double
----------------------------------------------------------------------------
Total Entries : | 767      | 767      | 767       | 782      | 512
Free Entries :  | 767      | 767      | 767       | 732      | 512
In Use :        | 0        | 0        | 0         | 50       | 0

Filter table:
-----------------------------------------------------------------
ACL  |       |Port/Vlan|  Sec  |  QoS  |  All  |
ID   | Flags | Members | ACE's | ACE's | ACE's | Type
-----------------------------------------------------------------
-----------------------------------------------------------------

Filter resources used by other features:
-------------------------------------
Feature | Type | Number of entries |
-------------------------------------
PVlan   | ECAP | 50                |
-------------------------------------
```
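
Output in this layout can be parsed to track how much of each filter group is consumed and by which feature. The parser below is an added example, not part of the switch software; the function names and the 5% reporting threshold are assumptions, and the sample text is constructed from the output above.

```python
# Constructed from the example output above (separator lines shortened).
SAMPLE = """\
BCM CAP Group:  | ICAP_SEC | ICAP_QOS | ICAP_IPv6 | ECAP_SEC | ECAP_IPv6
Group Mode:     | Double   | Triple   | Triple    | Double   | Double
----------------------------------------------------------------
Total Entries : | 767      | 767      | 767       | 782      | 512
Free Entries :  | 767      | 767      | 767       | 732      | 512
In Use :        | 0        | 0        | 0         | 50       | 0
Filter resources used by other features:
-------------------------------------
Feature | Type | Number of entries |
-------------------------------------
PVlan   | ECAP | 50                |
-------------------------------------
"""

COUNTERS = {"total entries": "total", "free entries": "free", "in use": "in_use"}

def parse_filter_resources(text):
    """Return (per-group counters, entries consumed by other features)."""
    groups, stats, features, in_features = [], {}, {}, False
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        label = cells[0].rstrip(": ").lower()
        if label == "bcm cap group":
            groups = cells[1:]
            stats = {g: {} for g in groups}
        elif label in COUNTERS and groups:
            for group, value in zip(groups, cells[1:]):
                stats[group][COUNTERS[label]] = int(value)
        elif label == "filter resources used by other features":
            in_features = True
        elif in_features and len(cells) >= 3 and cells[2].isdigit():
            features[cells[0]] = (cells[1], int(cells[2]))
    return stats, features

def busy_groups(stats, threshold=0.05):
    """Groups whose in-use share of total entries is at or above threshold."""
    return [g for g, s in stats.items()
            if s["total"] and s["in_use"] / s["total"] >= threshold]

def inconsistent_groups(stats):
    """Groups where total != free + in use; a sign of a parsing problem."""
    return [g for g, s in stats.items() if s["total"] != s["free"] + s["in_use"]]

stats, features = parse_filter_resources(SAMPLE)
print(busy_groups(stats), features)
```

For the sample, only ECAP_SEC is reported, and its 50 in-use entries match the 50 ECAP entries attributed to PVlan even though no ACLs are configured.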