Filter Scaling

This section provides more details on filter scaling numbers for the universal hardware platforms.

5520 Series

The switch supports the following maximum limits:

512 non-IPv6 ingress ACLs (inPort, inVSN, or inVlan):
- 512 ACLs with 1 security ACE each OR
- 256 ACLs with 1 QoS ACE each OR
- a combination based on the following rule:
  - ( (num ACLs + num security ACEs) <= 1024) && ((num ACLs + num QoS ACEs) <= 512)
This maximum implies a VLAN member count of 1 for inVlan ACLs. This maximum also implies a port member count of 1 for the inPort ACL. The number of rules consumed by inPort ACL is multiplied by the number of ports to which this ACL applies.
512 IPv6 ingress ACLs (inPort):
- 512 ACLs with 1 security ACE each OR
- a combination based on the following rule:
  - (num ACLs + num security ACEs) <= 512
This maximum also implies a port member count of 1 for the inPort ACL. The number of rules consumed by inPort ACL is multiplied by the number of ports to which this ACL applies.
124 egress ACLs (outPort only):
- 124 ACLs with 1 security ACE each (one of these ACLs can have 2 ACEs) OR
- a combination based on the following rule:
  - (num ACLs + num ACEs) <= 248
This maximum implies a port member count of 1 for outPort ACLs.
1024 ingress ACEs:

Theoretical maximum of 1024 implies 1 ingress ACL with 512 security ACEs and 512 QoS ACEs
- Ingress ACEs supported: (512 (security) - # of ACLs) + (512 (QoS) - # of ACLs).
This maximum also implies a VLAN member count of 1 for an inVlan ACL.
247 egress ACEs:

Theoretical maximum of 247 implies 1 egress ACL with 247 security ACEs
- Egress ACEs supported: 248 - # of ACLs.
This maximum also implies a port member count of 1 for the outPort ACL.

5420 Series

The switch supports the following maximum limits:

512 non-IPv6 ingress ACLs (inPort, inVSN, or inVlan):
- 512 ACLs with 1 security ACE each OR
- 256 ACLs with 1 QoS ACE each OR
- a combination based on the following rule:
  - ( (num ACLs + num security ACEs) <= 1024) && ((num ACLs + num QoS ACEs) <= 512)
This maximum implies a VLAN member count of 1 for inVlan ACLs. This maximum also implies a port member count of 1 for the inPort ACL. The number of rules consumed by inPort ACL is multiplied by the number of ports to which this ACL applies.
512 IPv6 ingress ACLs (inPort):
- 512 ACLs with 1 security ACE each OR
- a combination based on the following rule:
  - (num ACLs + num security ACEs) <= 512
This maximum also implies a port member count of 1 for the inPort ACL. The number of rules consumed by inPort ACL is multiplied by the number of ports to which this ACL applies.
1024 ingress ACEs:

Theoretical maximum of 1024 implies 1 ingress ACL with 512 security ACEs and 512 QoS ACEs
- Ingress ACEs supported: (512 (security) - # of ACLs) + (512 (QoS) - # of ACLs).
This maximum also implies a VLAN member count of 1 for an inVlan ACL.
400 egress ACEs:

Theoretical maximum of 400 implies 1 egress ACL with 400 security ACEs
- Egress ACEs supported: 400 - # of ACLs.
This maximum also implies a port member count of 1 for the outPort ACL.

5320 Series

The switch supports the following maximum limits:

512 non-IPv6 ingress ACLs (inPort, inVSN, or inVlan):
- 512 ACLs with 1 ACE each that can hold either Security/QoS/both action types or
- a combination based on the following rule: ( (num ACLs + num ACEs) <= 1024)
This maximum implies a VLAN member count of 1 for inVlan ACLs.

This maximum also implies a port member count of 1 for the inPort ACL.

The number of rules consumed by inPort ACL is multiplied by the number of ports to which this ACL applies.
512 IPv6 ingress ACLs (inPort):
- 512 ACLs with 1 ACE each that can hold either Security/QoS/both action types or
- a combination based on the following rule: (num ACLs + num ACEs) <= 1024
This maximum also implies a port member count of 1 for the inPort ACL.

The number of rules consumed by inPort ACL is multiplied by the number of ports to which this ACL applies.
1024 ingress ACEs: All ACEs can hold either Security/QoS/both action types

This maximum also implies a VLAN member count of 1 for an inVlan ACL.
400 egress ACEs

This maximum also implies a port member count of 1 for the outPort ACL.

Routed Private VLANs/E-TREEs Scaling

The number of private VLANs that you configure with an IP address influences the IPv4 Egress ACE count.

The following table lists scaling limits for Routed Private VLANs/E-TREEs. Limits are not enforced; either number of private VLANs or number of private VLAN trunk ports can go beyond the recommended values.

Table 1. Routed Private VLANs/E-TREEs Maximums
	Private VLAN trunk ports	Routed PVLANs/E-TREEs	IPv4 Egress ACE rules available (No IPv6 egress filter bootflag enabled)	IPv4 Egress ACE rules available (With IPv6 egress filter bootflag enabled)
5320-48T-8XE 5320-48P-8XE	4	10	349	93
5320-16P-4XE 5320-16P-4XE-DC 5320-24P-8XE 5320-24T-8XE	4	10	139	11
5420 Series	4	10	349	93
5520 Series	4	10	285	29

Use the show io resources filter command to verify remaining resources. This command displays the following information:

resources consumed by Routed Private VLANs
free entries available for either IPv4 Egress ACEs or private VLANs

The following example output displays resource usage on a 5320 Series switch with one Routed Private VLAN and one outPort ACL.

Switch:1>show io resources filter
=============================================================================
                                  FILTER TABLE
=============================================================================
-----------------------------------------------------------------------------
ACL Filter Resource Manager stats
----------------------------------------------------------------------------
BCM CAP Group: |  ICAP_SEC_QOS | ICAP_IPv6 | ECAP_SEC  | ECAP_IPv6
    Group Mode: | Double        | Double    | Double    | Double
----------------------------------------------------------------------------
Total Entries: |      1024     |    1024   |     247   |     128
  Free Entries: |      1024     |    1024   |     243   |     128
        In Use: |         0     |       0   |       4   |       0
Filter table:
-----------------------------------------------------------------
  ACL |        |Port/Vlan|  Sec  |  QoS  |  All  |
  ID  | Flags  | Members | ACE's | ACE's | ACE's | Type
-----------------------------------------------------------------
    1 |00002008|      1  |    0  |    0  |    1  | outPort, non-IPv6
-----------------------------------------------------------------

Filter resources used by other features:
-------------------------------------
Feature | Type | Number of entries |
-------------------------------------
  PVlan  | ECAP |          2        |
-------------------------------------