This section provides more details on filter scaling numbers for the universal hardware platforms.
The switch supports the following maximum limits:
512 non-IPv6 ingress ACLs (inPort, inVSN, or inVlan):
512 ACLs with 7 Primary Bank ACEs each OR
512 ACLs with 3 Secondary Bank ACEs each OR
a combination based on the following rule:
((num ACLs + num Primary Bank ACEs) <= 4096) && ((num ACLs + num Security Bank ACEs) <= 2048)
This maximum implies a VLAN member count of 1 for inVlan ACLs or a single I-SID for inVSN.
The number of rules consumed by IPv4 inPort ACLs is not multiplied by the number of ports to which this ACL applies.
You can configure up to 1000 ACEs in a single ACL.
512 IPv6 ingress ACLs (inPort):
512 ACLs with 3 ACEs each OR
a combination based on the following rule:
(num ACLs + num ACEs + num of IPv4 Security Bank ACEs) <= 2048
The number of rules consumed by IPv6 inPort ACLs is multiplied by the number of ports to which this ACL applies.
256 egress ACLs (outPort only):
1 OR
a combination based on the following rule:
(num ACLs + num ACEs) <= 6000
6144 ingress ACEs
Ingress ACEs supported: (4096 Primary Bank - num ACLs) + (2048 Secondary Bank - num ACEs)
6000 egress ACEs
Egress ACEs supported: 6000 - num ACLs
The switch supports the following maximum limits:
512 non-IPv6 ingress ACLs (inPort, inVSN, or inVlan):
512 ACLs with 5 Primary Bank ACEs each OR
512 ACLs with 2 Secondary Bank ACEs each OR
a combination based on the following rule:
((num ACLs + num Primary Bank ACEs) <= 3072) && ((num ACLs + num Security Bank ACEs) <= 1536)
This maximum implies a VLAN member count of 1 for inVlan ACLs or a single I-SID for inVSN.
The number of rules consumed by IPv4 inPort ACLs is not multiplied by the number of ports to which this ACL applies.
You can configure up to 1000 ACEs in a single ACL.
512 IPv6 ingress ACLs (inPort):
512 ACLs with 2 ACEs each OR
a combination based on the following rule:
(num ACLs + num ACEs + num of IPv4 Security Bank ACEs) <= 1536
The number of rules consumed by IPv6 inPort ACLs is multiplied by the number of ports to which this ACL applies.
256 egress ACLs (outPort only):
1 OR
a combination based on the following rule:
(num ACLs + num ACEs) <= 2982
4608 ingress ACEs
Ingress ACEs supported: (3072 Primary Bank - num ACLs) + (1536 Secondary Bank - num ACEs)
2982 egress ACEs
Egress ACEs supported: 2982 - num ACLs
The switch supports the following maximum limits:
512 non-IPv6 ingress ACLs (inPort, inVSN, or inVlan):
512 ACLs with 1 Primary ACE each OR
256 ACLs with 1 Secondary ACE each OR
a combination based on the following rule:
((num ACLs + num Primary Bank ACEs) <= 1024) && ((num ACLs + num Secondary Bank ACEs) <= 512)
This maximum implies a VLAN member count of 1 for inVlan ACLs or a single I-SID for inVSN. The number of rules consumed by IPv4 inPort ACLs is not multiplied by the number of ports to which this ACL applies.
Up to 1000 ACEs in a single ACL
512 IPv6 ingress ACLs (inPort):
512 ACLs with 1 ACE each OR
a combination based on the following rule:
(num ACLs + num ACEs + num IPv4 Security Bank ACEs) <= 512
The number of rules consumed by IPv6 inPort ACLs is multiplied by the number of ports to which this ACL applies.
124 egress ACLs (outPort only):
124 ACLs with 1 ACE each (one of these ACLs can have 2 ACEs) OR
a combination based on the following rule:
(num ACLs + num ACEs) <= 248
This maximum implies a port member count of 1 for outPort ACLs.
1536 ingress ACEs:
Ingress ACEs supported: (1024 (Primary Bank) - # of ACLs) + (512 (Secondary Bank) - # of ACLs).
247 egress ACEs:
Egress ACEs supported: 248 - # of ACLs.
This maximum also implies a port member count of 1 for the outPort ACL.
The switch supports the following maximum limits:
512 non-IPv6 ingress ACLs (inPort, inVSN, or inVlan):
512 ACLs with 3 Primary Bank ACEs each OR
512 ACLs with 1 Security Bank ACE each OR
a combination based on the following rule:
((num ACLs + num Primary Bank ACEs) <= 2048) && ((num ACLs + num Secondary Bank ACEs) <= 1024)
This maximum implies a VLAN member count of 1 for inVlan ACLs or a single I-SID for inVSN. The number of rules consumed by IPv4 inPort ACLs is not multiplied by the number of ports to which this ACL applies.
Up to 1000 ACEs in a single ACL
512 IPv6 ingress ACLs (inPort):
512 ACLs with 1 ACE each OR
a combination based on the following rule:
(num ACLs + num IPv6 ACEs + num IPv4 Secondary Bank ACEs) <= 1024
This maximum also implies a port member count of 1 for the inPort ACL. The number of rules consumed by IPv6 inPort ACLs is multiplied by the number of ports to which this ACL applies.
3072 ingress ACEs:
Theoretical maximum of 1024 implies 1 ingress ACL with 512 Primary Bank ACEs and 512 Secondary Bank ACEs
Ingress ACEs supported: (2048 (Primary Bank) - # of ACLs) + (1024 (Secondary Bank) - # of ACLs).
This maximum also implies a VLAN member count of 1 for an inVlan ACL.
400 egress ACEs:
Theoretical maximum of 400 implies 1 egress ACL with 400 ACEs
Egress ACEs supported: 400 - # of ACLs.
This maximum also implies a port member count of 1 for the outPort ACL.
The switch supports the following maximum limits:
512 non-IPv6 ingress ACLs (inPort, inVSN, or inVlan):
512 ACLs with 5 ACEs each that can hold either Security/QoS/both action types or
a combination based on the following rule: (num ACLs + num ACEs) <= 3072
This maximum implies a VLAN member count of 1 for inVlan ACLs or a single I-SID for inVSN. The number of rules consumed by IPv4 inPort ACLs is not multiplied by the number of ports to which this ACL applies.
Up to 1000 ACEs in a single ACL
512 IPv6 ingress ACLs (inPort):
512 ACLs with 5 ACEs each that can hold either Security/QoS/both action types or
a combination based on the following rule: (num ACLs + num ACEs) <= 3072
This maximum also implies a port member count of 1 for the inPort ACL. The number of rules consumed by IPv6 inPort ACL is multiplied by the number of ports to which this ACL applies.
1024 ingress ACEs: All ACEs can hold either Security/QoS/both action types
This maximum also implies a VLAN member count of 1 for an inVlan ACL.
400 egress ACEs
This maximum also implies a port member count of 1 for the outPort ACL.
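The combination rules above can be checked against a planned filter set before it is pushed to a switch, so that a security ACE is not left uninstalled because a bank is full. The following is an added example, not vendor code: the names `Limits`, `Acl`, `violations` and `BLOCK1` to `BLOCK3` are hypothetical, and the limits are the ones quoted in the first three blocks of this page. It assumes that "Security Bank" in the rules means the same bank as "Secondary Bank", and that an IPv6 inPort ACL costs (1 + ACEs) entries per member port.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Limits:
    primary: int    # Primary Bank entries (ingress)
    secondary: int  # second ingress bank, shared with the IPv6 inPort rule
    egress: int     # egress entries

# Limits quoted in the first three blocks of this page (platform names are not given).
BLOCK1 = Limits(4096, 2048, 6000)
BLOCK2 = Limits(3072, 1536, 2982)
BLOCK3 = Limits(1024, 512, 248)

@dataclass(frozen=True)
class Acl:
    kind: str           # "v4-in", "v6-in" or "out"
    primary: int = 0    # Primary Bank ACEs (v4-in only)
    secondary: int = 0  # second-bank ACEs (v4-in only)
    aces: int = 0       # ACEs of a v6-in or out ACL
    ports: int = 1      # port members; multiplies v6-in consumption

def violations(acls, lim):
    """Return the names of the page's combination rules that the plan breaks."""
    v4 = [a for a in acls if a.kind == "v4-in"]
    v6 = [a for a in acls if a.kind == "v6-in"]
    out = [a for a in acls if a.kind == "out"]
    sec = sum(a.secondary for a in v4)
    # Assumption: an IPv6 inPort ACL costs (1 + ACEs) entries per member port.
    v6_used = sum((1 + a.aces) * a.ports for a in v6)
    biggest = max((a.primary + a.secondary + a.aces for a in acls), default=0)
    checks = [
        ("primary", len(v4) + sum(a.primary for a in v4), lim.primary),
        ("secondary", len(v4) + sec, lim.secondary),
        ("ipv6", v6_used + sec, lim.secondary),
        ("egress", len(out) + sum(a.aces for a in out), lim.egress),
        ("acl-size", biggest, 1000),  # up to 1000 ACEs in a single ACL
    ]
    return [name for name, used, cap in checks if used > cap]

if __name__ == "__main__":
    plan = [Acl("v4-in", primary=7, secondary=3)] * 512  # constructed plan
    print("block 1:", violations(plan, BLOCK1))
    print("block 2:", violations(plan, BLOCK2))
    wide = [Acl("v6-in", aces=10, ports=48)]             # constructed plan
    print("block 3, IPv6 ACL on 48 ports:", violations(wide, BLOCK3))
```

The same plan that exactly fills the first block's banks overflows both banks of the second, and a single 10-ACE IPv6 ACL applied to 48 ports exceeds the 512-entry bank of the third.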
The number of private VLANs that you configure with an IP address influences the IPv4 Egress ACE count.
The following table lists scaling limits for Routed Private VLANs/E-TREEs. Limits are not enforced; either number of private VLANs or number of private VLAN trunk ports can go beyond the recommended values.
Platform | Private VLAN trunk ports | Routed PVLANs/E-TREEs | IPv4 Egress ACE rules available (No IPv6 egress filter bootflag enabled) | IPv4 Egress ACE rules available (With IPv6 egress filter bootflag enabled) |
---|---|---|---|---|
5320-48T-8XE, 5320-48P-8XE | 4 | 10 | 349 | 93 |
5320-16P-4XE, 5320-16P-4XE-DC, 5320-24P-8XE, 5320-24T-8XE | 4 | 10 | 139 | 11 |
5420 Series | 4 | 10 | 349 | 93 |
5520 Series | 4 | 10 | 285 | 29 |
5720-24MW, 5720-48MW | 4 | 100 | 2499 | 999 |
5720-24MXW, 5720-48MXW | 4 | 100 | 5499 | 2499 |
resources consumed by Routed Private VLANs
free entries available for either IPv4 Egress ACEs or private VLANs
The following example output displays resource usage on a 5320 Series switch with one Routed Private VLAN and one outPort ACL.
```
Switch:1>show io resources filter

=============================================================================
                                FILTER TABLE
=============================================================================
-----------------------------------------------------------------------------
ACL Filter Resource Manager stats
----------------------------------------------------------------------------
BCM CAP Group:  | ICAP_SEC_QOS | ICAP_IPv6 | ECAP_SEC | ECAP_IPv6
Group Mode:     | Double       | Double    | Double   | Double
----------------------------------------------------------------------------
Total Entries:  | 1024         | 1024      | 247      | 128
Free Entries:   | 1024         | 1024      | 243      | 128
In Use:         | 0            | 0         | 4        | 0

Filter table:
-----------------------------------------------------------------
ACL |        |Port/Vlan| Sec   | QoS   | All   |
ID  | Flags  | Members | ACE's | ACE's | ACE's | Type
-----------------------------------------------------------------
1   |00002008| 1       | 0     | 0     | 1     | outPort, non-IPv6
-----------------------------------------------------------------

Filter resources used by other features:
-------------------------------------
Feature | Type | Number of entries |
-------------------------------------
PVlan   | ECAP | 2                 |
-------------------------------------
```