This section provides more details on filter scaling numbers for the universal hardware platforms.
The switch supports the following maximum limits:

- 512 non-IPv6 ingress ACLs (inPort, inVSN, or inVlan):
  - 512 ACLs with 5 ACEs each that can hold either Security, QoS, or both action types, or
  - a combination based on the following rule: `(num ACLs + num ACEs) <= 3072`
  - This maximum implies a VLAN member count of 1 for inVlan ACLs or a single I-SID for inVSN. The number of rules consumed by IPv4 inPort ACLs is not multiplied by the number of ports to which the ACL applies.
  - Up to 1000 ACEs in a single ACL
- 512 IPv6 ingress ACLs (inPort):
  - 512 ACLs with 5 ACEs each that can hold either Security, QoS, or both action types, or
  - a combination based on the following rule: `(num ACLs + num ACEs) <= 3072`
  - This maximum also implies a port member count of 1 for the inPort ACL. The number of rules consumed by IPv6 inPort ACLs is multiplied by the number of ports to which the ACL applies.
- 1024 ingress ACEs: all ACEs can hold either Security, QoS, or both action types
  - This maximum also implies a VLAN member count of 1 for an inVlan ACL.
- 400 egress ACEs
  - This maximum also implies a port member count of 1 for the outPort ACL.
The switch supports the following maximum limits:

- 512 non-IPv6 ingress ACLs (inPort, inVSN, or inVlan):
  - 512 ACLs with 3 Primary Bank ACEs each, or
  - 512 ACLs with 1 Security Bank ACE each, or
  - a combination based on the following rule: `((num ACLs + num Primary Bank ACEs) <= 2048) && ((num ACLs + num Secondary Bank ACEs) <= 1024)`
  - This maximum implies a VLAN member count of 1 for inVlan ACLs or a single I-SID for inVSN. The number of rules consumed by IPv4 inPort ACLs is not multiplied by the number of ports to which the ACL applies.
  - Up to 1000 ACEs in a single ACL
- 512 IPv6 ingress ACLs (inPort):
  - 512 ACLs with 1 ACE each, or
  - a combination based on the following rule: `(num ACLs + num IPv6 ACEs + num IPv4 Secondary Bank ACEs) <= 1024`
  - This maximum also implies a port member count of 1 for the inPort ACL. The number of rules consumed by IPv6 inPort ACLs is multiplied by the number of ports to which the ACL applies.
- 3072 ingress ACEs:
  - Theoretical maximum of 1024 implies 1 ingress ACL with 512 Primary Bank ACEs and 512 Secondary Bank ACEs
  - Ingress ACEs supported: `(2048 (Primary Bank) - num ACLs) + (1024 (Secondary Bank) - num ACLs)`
  - This maximum also implies a VLAN member count of 1 for an inVlan ACL.
- 400 egress ACEs:
  - Theoretical maximum of 400 implies 1 egress ACL with 400 ACEs
  - Egress ACEs supported: `400 - num ACLs`
  - This maximum also implies a port member count of 1 for the outPort ACL.
The switch supports the following maximum limits:

- 512 non-IPv6 ingress ACLs (inPort, inVSN, or inVlan):
  - 512 ACLs with 1 Primary ACE each, or
  - 256 ACLs with 1 Secondary ACE each, or
  - a combination based on the following rule: `((num ACLs + num Primary Bank ACEs) <= 1024) && ((num ACLs + num Secondary Bank ACEs) <= 512)`
  - This maximum implies a VLAN member count of 1 for inVlan ACLs or a single I-SID for inVSN. The number of rules consumed by IPv4 inPort ACLs is not multiplied by the number of ports to which the ACL applies.
  - Up to 1000 ACEs in a single ACL
- 512 IPv6 ingress ACLs (inPort):
  - 512 ACLs with 1 ACE each, or
  - a combination based on the following rule: `(num ACLs + num ACEs + num IPv4 Security Bank ACEs) <= 512`
  - The number of rules consumed by IPv6 ingress inPort ACLs is multiplied by the number of ports to which the ACL applies.
- 124 egress ACLs (outPort only):
  - 124 ACLs with 1 ACE each (one of these ACLs can have 2 ACEs), or
  - a combination based on the following rule: `(num ACLs + num ACEs) <= 248`
  - This maximum implies a port member count of 1 for outPort ACLs.
- 1536 ingress ACEs:
  - Ingress ACEs supported: `(1024 (Primary Bank) - num ACLs) + (512 (Secondary Bank) - num ACLs)`
- 247 egress ACEs:
  - Egress ACEs supported: `248 - num ACLs`
  - This maximum also implies a port member count of 1 for the outPort ACL.
The switch supports the following maximum limits:

- 512 non-IPv6 ingress ACLs (inPort, inVSN, or inVlan):
  - 512 ACLs with 5 Primary Bank ACEs each, or
  - 512 ACLs with 2 Secondary Bank ACEs each, or
  - a combination based on the following rule: `((num ACLs + num Primary Bank ACEs) <= 3072) && ((num ACLs + num Security Bank ACEs) <= 1536)`
  - This maximum implies a VLAN member count of 1 for inVlan ACLs or a single I-SID for inVSN.
  - The number of rules consumed by IPv4 inPort ACLs is not multiplied by the number of ports to which the ACL applies.
  - You can configure up to 1000 ACEs in a single ACL.
- 512 IPv6 ingress ACLs (inPort):
  - 512 ACLs with 2 ACEs each, or
  - a combination based on the following rule: `(num ACLs + num ACEs + num IPv4 Security Bank ACEs) <= 1536`
  - The number of rules consumed by IPv6 inPort ACLs is multiplied by the number of ports to which the ACL applies.
- 256 egress ACLs (outPort only):
  - 1, or
  - a combination based on the following rule: `(num ACLs + num ACEs) <= 2982`
- 4608 ingress ACEs
  - Ingress ACEs supported: `(3072 Primary Bank - num ACLs) + (1536 Secondary Bank - num ACEs)`
- 2982 egress ACEs
  - Egress ACEs supported: `2982 - num ACLs`
The switch supports the following maximum limits:

- 512 non-IPv6 ingress ACLs (inPort, inVSN, or inVlan):
  - 512 ACLs with 7 Primary Bank ACEs each, or
  - 512 ACLs with 3 Secondary Bank ACEs each, or
  - a combination based on the following rule: `((num ACLs + num Primary Bank ACEs) <= 4096) && ((num ACLs + num Security Bank ACEs) <= 2048)`
  - This maximum implies a VLAN member count of 1 for inVlan ACLs or a single I-SID for inVSN.
  - The number of rules consumed by IPv4 inPort ACLs is not multiplied by the number of ports to which the ACL applies.
  - You can configure up to 1000 ACEs in a single ACL.
- 512 IPv6 ingress ACLs (inPort):
  - 512 ACLs with 3 ACEs each, or
  - a combination based on the following rule: `(num ACLs + num ACEs + num IPv4 Security Bank ACEs) <= 2048`
  - The number of rules consumed by IPv6 inPort ACLs is multiplied by the number of ports to which the ACL applies.
- 256 egress ACLs (outPort only):
  - 1, or
  - a combination based on the following rule: `(num ACLs + num ACEs) <= 6000`
- 6144 ingress ACEs
  - Ingress ACEs supported: `(4096 Primary Bank - num ACLs) + (2048 Secondary Bank - num ACEs)`
- 6000 egress ACEs
  - Egress ACEs supported: `6000 - num ACLs`
The switch supports the following maximum limits for ACL scaling:

- 512 non-IPv6 ingress ACLs (inVSN, inPort, or inVlan):
  - 256 ACLs with 1 Primary ACE each + 256 ACLs with 1 Secondary ACE each, or
  - 383 ACLs with 1 Primary ACE each and/or 1 Secondary ACE each, or
  - a combination based on the following rule: `num ACLs <= 512 && (num ACLs + num Primary ACEs) <= 767 && (num ACLs + num Secondary ACEs) <= (767 - X)`, where `X = num IPv6 ACLs + num IPv6 ACEs`
  - For the Primary bank, the maximum implies a single port on inPort ACLs, a single I-SID for inVSN, and a single VLAN on inVlan ACLs.
  - For the Secondary bank, the number of rules consumed by inPort ACLs is not multiplied by the number of ports attached to the ACL.
- 383 IPv6 ingress ACLs (inPort):
  - 383 IPv6 ACLs with 1 ACE each, or
  - a combination based on the following rule: `num IPv6 ACLs <= 383 && (num IPv6 ACLs + num ACEs) <= (767 - X)`, where `X = num non-IPv6 ACLs + num non-IPv6 Secondary ACEs`
  - This maximum implies a single port on inPort ACLs.
- 254 non-IPv6 egress ACLs (outPort):
  - 254 ACLs with 1 Security ACE each, or
  - a combination based on the following rule: `num ACLs <= 254 && (num ACLs + num Security ACEs) <= 508`
  - This maximum implies a single port on outPort ACLs.
- 256 IPv6 egress ACLs (outPort):
  - 256 ACLs with 1 Security ACE each, or
  - a combination based on the following rule: `num ACLs <= 256 && (num ACLs + num Security ACEs) <= 512`
  - This maximum implies a single port on outPort ACLs.

The switch supports the following maximum limits for ACE scaling:

- 1,532 non-IPv6 ingress ACEs. This theoretical maximum implies:
  - 2 non-IPv6 ingress ACLs with 383+384 Primary ACEs and 383+384 Secondary ACEs
  - no IPv6 ACLs configured
  - a single port on inPort ACLs, and a single VLAN on inVlan ACLs
- 767 IPv6 ingress ACEs. This theoretical maximum implies:
  - 1 IPv6 ingress ACL with 767 Security ACEs
  - no non-IPv6 ACLs configured
  - a port member count of 1 for inPort ACLs
- 783 non-IPv6 egress ACEs. This theoretical maximum implies:
  - 1 egress ACL with 783 Security ACEs
  - a port member count of 1 for outPort ACLs
  - Non-IPv6 egress ACEs supported: `783 - num non-IPv6 egress ACLs`
- 511 IPv6 egress ACEs. This theoretical maximum implies:
  - 1 egress ACL with 511 Security ACEs
  - a port member count of 1 for outPort ACLs
  - IPv6 egress ACEs supported: `511 - num IPv6 egress ACLs`
The switch supports the following maximum limits for ACL scaling:

- 512 non-IPv6 ingress ACLs (inVSN, inPort, or inVlan):
  - 256 ACLs with 1 Primary ACE each + 256 ACLs with 1 Secondary ACE each, or
  - 383 ACLs with 1 Primary ACE each and/or 1 Secondary ACE each, or
  - a combination based on the following rule: `num ACLs <= 512 && (num ACLs + num Primary ACEs) <= 767 && (num ACLs + num Secondary ACEs) <= (767 - X)`, where `X = num IPv6 ACLs + num IPv6 ACEs`
  - For the Primary bank, the maximum implies a single port on inPort ACLs, a single I-SID for inVSN, and a single VLAN on inVlan ACLs.
  - For the Secondary bank, the number of rules consumed by inPort ACLs is not multiplied by the number of ports attached to the ACL.
- 383 IPv6 ingress ACLs (inPort):
  - 383 IPv6 ACLs with 1 ACE each, or
  - a combination based on the following rule: `num IPv6 ACLs <= 383 && (num IPv6 ACLs + num ACEs) <= (767 - X)`, where `X = num non-IPv6 ACLs + num non-IPv6 Secondary ACEs`
  - This maximum implies a single port on inPort ACLs.
- 254 non-IPv6 egress ACLs (outPort):
  - 254 ACLs with 1 Security ACE each, or
  - a combination based on the following rule: `num ACLs <= 254 && (num ACLs + num Security ACEs) <= 508`
  - This maximum implies a single port on outPort ACLs.
- 256 IPv6 egress ACLs (outPort):
  - 256 ACLs with 1 Security ACE each, or
  - a combination based on the following rule: `num ACLs <= 256 && (num ACLs + num Security ACEs) <= 512`
  - This maximum implies a single port on outPort ACLs.

The switch supports the following maximum limits for ACE scaling:

- 1,532 non-IPv6 ingress ACEs. This theoretical maximum implies:
  - 2 non-IPv6 ingress ACLs with 383+384 Primary ACEs and 383+384 Secondary ACEs
  - no IPv6 ACLs configured
  - a single port on inPort ACLs, and a single VLAN on inVlan ACLs
- 767 IPv6 ingress ACEs. This theoretical maximum implies:
  - 1 IPv6 ingress ACL with 767 Security ACEs
  - no non-IPv6 ACLs configured
  - a port member count of 1 for inPort ACLs
- 783 non-IPv6 egress ACEs. This theoretical maximum implies:
  - 1 egress ACL with 783 Security ACEs
  - a port member count of 1 for outPort ACLs
  - Non-IPv6 egress ACEs supported: `783 - num non-IPv6 egress ACLs`
- 511 IPv6 egress ACEs. This theoretical maximum implies:
  - 1 egress ACL with 511 Security ACEs
  - a port member count of 1 for outPort ACLs
  - IPv6 egress ACEs supported: `511 - num IPv6 egress ACLs`
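Added example, not from the vendor documentation: a pre-change capacity check that applies the ingress combination rules above (the two-bank `(num ACLs + num Primary Bank ACEs)` / `(num ACLs + num Security Bank ACEs)` rule and the shared `(767 - X)` rule) to a proposed set of ACLs, and reports the remaining entries per bank. The `Profile`, `Acl` and `check_ingress` names are mine; the code assumes that a non-IPv6 ACL is charged to both banks exactly as the literal rules state, that IPv6 ACLs and ACEs share the Secondary (Security) bank, and that an IPv6 inPort ACL's entry and ACEs are both multiplied by its member-port count.

```python
from dataclasses import dataclass

MAX_ACES_PER_ACL = 1000  # "up to 1000 ACEs in a single ACL"

@dataclass(frozen=True)
class Profile:
    primary_cap: int     # bound on (num ACLs + num Primary Bank ACEs)
    secondary_cap: int   # bound on everything charged to the Secondary (Security) bank
    max_acls: int        # non-IPv6 ingress ACLs allowed
    max_ipv6_acls: int   # IPv6 ingress ACLs allowed

# Caps copied from the rules above; the page does not name the platform for each.
TWO_BANK_3072 = Profile(3072, 1536, 512, 512)
SHARED_767 = Profile(767, 767, 512, 383)  # the "(767 - X)" rule: one shared bank

@dataclass(frozen=True)
class Acl:
    ipv6: bool = False
    ports: int = 1           # member ports; only IPv6 inPort ACLs are multiplied
    primary_aces: int = 0    # non-IPv6 Primary Bank ACEs (unused for IPv6 ACLs)
    secondary_aces: int = 0  # non-IPv6 Secondary Bank ACEs, or all ACEs of an IPv6 ACL

def check_ingress(profile, acls):
    """Return {'violations': [...], 'primary_free': n, 'secondary_free': n}."""
    v4 = [a for a in acls if not a.ipv6]
    v6 = [a for a in acls if a.ipv6]
    primary_used = len(v4) + sum(a.primary_aces for a in v4)
    # Assumption: an IPv6 inPort ACL costs (1 + ACEs) rules on each member port.
    ipv6_used = sum((1 + a.secondary_aces) * a.ports for a in v6)
    secondary_used = len(v4) + sum(a.secondary_aces for a in v4) + ipv6_used
    violations = []
    if any(a.primary_aces + a.secondary_aces > MAX_ACES_PER_ACL for a in acls):
        violations.append(f"an ACL holds more than {MAX_ACES_PER_ACL} ACEs")
    if len(v4) > profile.max_acls:
        violations.append(f"{len(v4)} non-IPv6 ACLs > {profile.max_acls}")
    if len(v6) > profile.max_ipv6_acls:
        violations.append(f"{len(v6)} IPv6 ACLs > {profile.max_ipv6_acls}")
    if primary_used > profile.primary_cap:
        violations.append(f"Primary Bank {primary_used} > {profile.primary_cap}")
    if secondary_used > profile.secondary_cap:
        violations.append(f"Secondary Bank {secondary_used} > {profile.secondary_cap}")
    return {"violations": violations,
            "primary_free": profile.primary_cap - primary_used,
            "secondary_free": profile.secondary_cap - secondary_used}

if __name__ == "__main__":  # 512 ACLs x 5 Primary ACEs exactly fill the 3072 bank
    print(check_ingress(TWO_BANK_3072, [Acl(primary_aces=5)] * 512))
    print(check_ingress(TWO_BANK_3072, [Acl(ipv6=True, ports=4, secondary_aces=2)]))
```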
The number of private VLANs that you configure with an IP address influences the IPv4 Egress ACE count.

The following table lists scaling limits for Routed Private VLANs/E-TREEs. These limits are not enforced: either the number of private VLANs or the number of private VLAN trunk ports can exceed the recommended values.

| Platform | Private VLAN trunk ports | Routed PVLANs/E-TREEs | IPv4 Egress ACE rules available (no IPv6 egress filter bootflag enabled) | IPv4 Egress ACE rules available (with IPv6 egress filter bootflag enabled) |
|---|---|---|---|---|
| 5320-48T-8XE, 5320-48P-8XE | 4 | 10 | 349 | 93 |
| 5320-16P-4XE, 5320-16P-4XE-DC, 5320-24P-8XE, 5320-24T-8XE | 4 | 10 | 139 | 11 |
| 5420 Series | 4 | 10 | 349 | 93 |
| 5520 Series | 4 | 10 | 285 | 29 |
| 5720-24MW, 5720-48MW | 4 | 100 | 2499 | 999 |
| 5720-24MXW, 5720-48MXW | 4 | 100 | 5499 | 2499 |
| 7520 Series | 4 | 50 | 783 | 271 |
| 7720 Series | 4 | 50 | 783 | 271 |
The following example output displays resource usage on a 5320 Series switch with one Routed Private VLAN and one outPort ACL. In this output, the `PVlan | ECAP | 2` row shows the resources consumed by Routed Private VLANs, and the ECAP_SEC `Free Entries` value shows the free entries available for either IPv4 Egress ACEs or private VLANs.

```
Switch:1>show io resources filter

=============================================================================
                                 FILTER TABLE
=============================================================================
-----------------------------------------------------------------------------
ACL Filter Resource Manager stats
----------------------------------------------------------------------------
BCM CAP Group:  | ICAP_SEC_QOS | ICAP_IPv6 | ECAP_SEC | ECAP_IPv6
Group Mode:     | Double       | Double    | Double   | Double
----------------------------------------------------------------------------
Total Entries:  | 1024         | 1024      | 247      | 128
Free Entries:   | 1024         | 1024      | 243      | 128
In Use:         | 0            | 0         | 4        | 0

Filter table:
-----------------------------------------------------------------
ACL |        |Port/Vlan| Sec   | QoS   | All   |
ID  | Flags  | Members | ACE's | ACE's | ACE's | Type
-----------------------------------------------------------------
1   |00002008| 1       | 0     | 0     | 1     | outPort, non-IPv6
-----------------------------------------------------------------

Filter resources used by other features:
-------------------------------------
Feature | Type | Number of entries |
-------------------------------------
PVlan   | ECAP | 2                 |
-------------------------------------
```
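Added example, not vendor code: a small parser for the `show io resources filter` output above that reconciles each CAP group's counters (`Free Entries` should equal `Total Entries` minus `In Use`) and checks that the ECAP_SEC usage is fully explained by the outPort ACL (one entry for the ACL plus one per ACE, the same accounting as the egress rule `(num ACLs + num ACEs) <= 248`) and the PVlan feature entries. `SAMPLE` is the output shown on this page, trimmed to the rows the parser reads; the function names are mine.

```python
import re

# Constructed from the "show io resources filter" output shown above, trimmed
# to the rows this parser reads (counter rows, ACL rows, feature rows).
SAMPLE = """\
BCM CAP Group:  | ICAP_SEC_QOS | ICAP_IPv6 | ECAP_SEC | ECAP_IPv6
Total Entries:  | 1024         | 1024      | 247      | 128
Free Entries:   | 1024         | 1024      | 243      | 128
In Use:         | 0            | 0         | 4        | 0
ACL |        |Port/Vlan| Sec   | QoS   | All   |
ID  | Flags  | Members | ACE's | ACE's | ACE's | Type
1   |00002008| 1       | 0     | 0     | 1     | outPort, non-IPv6
Feature | Type | Number of entries |
PVlan   | ECAP | 2                 |
"""

def parse_filter_resources(text):
    """Return (groups, acls, features) parsed from the CLI text."""
    groups, acls, features, names = {}, [], [], []
    for line in text.splitlines():
        row = [c.strip() for c in line.split("|")]
        key = row[0].rstrip(":")
        if key == "BCM CAP Group":          # column names for the counter rows
            names = row[1:]
            groups = {n: {} for n in names}
        elif key in ("Total Entries", "Free Entries", "In Use"):
            for name, value in zip(names, row[1:]):
                groups[name][key] = int(value)
        elif re.fullmatch(r"\d+", key) and len(row) == 7:   # one ACL row
            acls.append({"id": int(key), "all_aces": int(row[5]), "type": row[6]})
        elif len(row) == 4 and row[2].isdigit():             # one feature row
            features.append({"feature": row[0], "type": row[1], "entries": int(row[2])})
    return groups, acls, features

def reconcile(groups, acls, features):
    """Check Free == Total - In Use for every CAP group, and that ECAP_SEC usage
    equals the outPort non-IPv6 ACL cost (1 entry per ACL + 1 per ACE, the same
    accounting as the egress rule (num ACLs + num ACEs) <= 248) plus the ECAP
    entries used by other features such as PVlan."""
    ok = {n: g["Total Entries"] - g["In Use"] == g["Free Entries"]
          for n, g in groups.items()}
    acl_cost = sum(1 + a["all_aces"] for a in acls
                   if a["type"].startswith("outPort") and "non-IPv6" in a["type"])
    feature_cost = sum(f["entries"] for f in features if f["type"] == "ECAP")
    ok["ECAP_SEC accounted"] = acl_cost + feature_cost == groups["ECAP_SEC"]["In Use"]
    return ok
```

Any group whose check comes back `False` means the counters do not add up, which is worth a closer look before adding egress ACEs or private VLANs that depend on the free entries.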