This section provides more details on filter scaling numbers for the supported platforms.
The switch supports the following maximum limits:
220 IPv4 ingress ACLs
50 IPv4 egress ACLs
128 IPv6 ingress ACLs
1,020 IPv4 ingress ACEs
252 IPv4 egress ACEs
255 IPv6 ingress ACEs
255 IPv6 egress ACEs
Note: You can configure up to 1000 ACEs in a single ACL.
The switch supports the following maximum limits regarding ingress ACLs (inPort or inVlan):
256 (inPort security ACE + ACL) + 256 (inVlan security ACE + ACL) + 256 (inPort QoS ACE + ACL) + 256 (inVlan QoS ACE + ACL)
The switch supports the following maximum limits:
512 non-IPv6 ingress ACLs (inPort, inVSN, or inVlan):
512 ACLs with 1 security ACE each OR
256 ACLs with 1 QoS ACE each OR
a combination based on the following rule:
((num ACLs + num security ACEs) <= 1024) && ((num ACLs + num QoS ACEs) <= 512)
This maximum implies a VLAN member count of 1 for inVlan ACLs.
512 IPv6 ingress ACLs (inPort):
512 ACLs with 1 security ACE each OR
a combination based on the following rule:
(num ACLs + num security ACEs) <= 512
124 egress ACLs (outPort only):
124 ACLs with 1 security ACE each (one of these ACLs can have 2 ACEs) OR
a combination based on the following rule:
(num ACLs + num ACEs) <= 248
This maximum implies a port member count of 1 for outPort ACLs.
1534 ingress ACEs:
Theoretical maximum of 1534 implies 1 ingress ACL with 1023 security ACEs and 511 QoS ACEs
Ingress ACEs supported: (1024 (security) - # of ACLs) + (512 (QoS) - # of ACLs).
This maximum also implies a VLAN member count of 1 for an inVlan ACL.
247 egress ACEs:
Theoretical maximum of 247 implies 1 egress ACL with 247 security ACEs
Egress ACEs supported: 248 - # of ACLs.
This maximum also implies a port member count of 1 for the outPort ACL.
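The combination rule and the "ingress ACEs supported" formula above can be applied to a planned configuration before it is pushed to the switch. The following is an added example, not code from the product documentation: it evaluates the rule for a list of planned non-IPv6 ingress ACLs, defaults to this platform's 1024/512 budgets, and accepts the other platforms' budgets (512/256, 2048/1024) as parameters. The headroom it reports generalizes the text's formula by also subtracting ACEs already planned; the `Acl` and `IngressCheck` types are the example's own.

```python
# Added example (not from the original document): check a planned set of
# non-IPv6 ingress ACLs against the rule
#   (num ACLs + num security ACEs) <= SEC_BUDGET  &&
#   (num ACLs + num QoS ACEs)      <= QOS_BUDGET
from dataclasses import dataclass, field

@dataclass
class Acl:
    name: str
    security_aces: int = 0
    qos_aces: int = 0

@dataclass
class IngressCheck:
    fits: bool
    security_headroom: int          # security ACEs that can still be added
    qos_headroom: int               # QoS ACEs that can still be added
    violations: list = field(default_factory=list)

    @property
    def total_headroom(self):
        # With no ACEs configured yet this equals the text's formula:
        # (SEC_BUDGET - num ACLs) + (QOS_BUDGET - num ACLs)
        return self.security_headroom + self.qos_headroom

def check_ingress_plan(acls, sec_budget=1024, qos_budget=512):
    """Apply the non-IPv6 ingress combination rule to planned ACLs.

    Every ACL counts once against both banks and every ACE once against its
    own bank, exactly as the rule in the text counts them. The budgets assume
    a VLAN/port member count of 1; larger member counts are not modelled.
    """
    num_acls = len(acls)
    num_sec = sum(a.security_aces for a in acls)
    num_qos = sum(a.qos_aces for a in acls)
    violations = []
    if num_acls + num_sec > sec_budget:
        violations.append(f"security bank: {num_acls} ACLs + {num_sec} ACEs > {sec_budget}")
    if num_acls + num_qos > qos_budget:
        violations.append(f"QoS bank: {num_acls} ACLs + {num_qos} ACEs > {qos_budget}")
    return IngressCheck(
        fits=not violations,
        security_headroom=max(0, sec_budget - num_acls - num_sec),
        qos_headroom=max(0, qos_budget - num_acls - num_qos),
        violations=violations,
    )

if __name__ == "__main__":
    # One ACL with no ACEs yet: (1024 - 1) + (512 - 1) = 1534, as stated above
    print(check_ingress_plan([Acl("edge-in")]).total_headroom)
```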
The switch supports the following maximum limits for ACL scaling:
512 non-IPv6 ingress ACLs (inVSN, inPort, or inVlan):
256 ACLs with 1 Primary ACE each + 256 ACLs with 1 Secondary ACE each OR
383 ACLs with 1 Primary ACE each and/or 1 Secondary ACE each OR
a combination based on the following rule:
num ACLs <= 512 && (num ACLs + num Primary ACEs) <= 767 && (num ACLs + num Secondary ACEs) <= (767 - X) where X = num IPv6 ACLs + num IPv6 ACEs
For Primary bank, maximum implies a single port on inPort ACLs, a single I-SID for in VSN, and a single VLAN on inVlan ACLs.
For Secondary bank, inPort ACLs number of consumed rules is not multiplied by the number of ports attached to the ACL.
383 IPv6 ingress ACLs (inPort):
383 IPv6 ACLs with 1 ACE each OR
A combination based on the following rule:
num IPv6 ACLs <= 383 && (num IPv6 ACLs + num ACEs) <= (767 - X) where X = num non-IPv6 ACLs + num non-IPv6 Secondary ACEs
This maximum implies a single port on inPort ACLs.
254 non-IPv6 egress ACLs (outPort):
254 ACLs with 1 Security ACE each OR
A combination based on the following rule:
num ACLs <= 254 && (num ACLs + num Security ACEs) <= 508
This maximum implies a single port on outPort ACLs.
256 IPv6 Egress ACLs (outPort):
256 ACLs with 1 Security ACE each OR
A combination based on the following rule:
num ACLs <= 256 && (num ACLs + num Security ACEs) <= 512
This maximum implies a single port on outPort ACLs.
The switch supports the following maximum limits for ACE scaling:
1,532 non-IPv6 ingress ACEs
This theoretical maximum implies
2 non-IPv6 ingress ACLs with 383+384 Primary ACEs and 383+384 Secondary ACEs
no IPv6 ACLs configured
a single port on inPort ACLs, and a single VLAN on inVlan ACLs
767 IPv6 ingress ACEs
This theoretical maximum implies
1 IPv6 ingress ACL with 767 Security ACEs
no non-IPv6 ACLs configured
a port member count of 1 for inPort ACLs
783 non-IPv6 egress ACEs.
This theoretical maximum implies
1 egress ACL with 783 Security ACEs
a port member count of 1 for outPort ACLs
Non-IPv6 egress ACEs supported: 783 - num non-IPv6 egress ACLs
511 IPv6 egress ACEs
This theoretical maximum implies
1 egress ACL with 511 Security ACEs
a port member count of 1 for outPort ACLs
IPv6 egress ACEs supported: 511 - num IPv6 egress ACLs
The switch supports the following maximum limits:
256 non-IPv6 ingress ACLs (inPort, inVSN, or inVlan):
256 ACLs with 1 security ACE each OR
128 ACLs with 1 QoS ACE each OR
a combination based on the following rule:
((num ACLs + num security ACEs) <= 512) && ((num ACLs + num QoS ACEs) <= 256)
This maximum implies a VLAN member count of 1 for inVlan ACLs.
256 IPv6 ingress ACLs (inPort):
256 ACLs with 1 security ACE each OR
256 ACLs with 1 QoS ACE each OR
a combination based on the following rule:
(num ACLs + num security ACEs) <= 256
124 egress ACLs (outPort only):
124 ACLs with 1 security ACE each (one of these ACLs can have 2 ACEs)
This maximum implies a port member count of 1 for outPort ACLs.
766 ingress ACEs:
Theoretical maximum of 766 implies 1 ingress ACL with 511 security ACEs and 255 QoS ACEs
Ingress ACEs supported: (512 (security) - # of ACLs) + (256 (QoS) - # of ACLs).
This maximum also implies a VLAN member count of 1 for an inVlan ACL.
252 egress ACEs:
Theoretical maximum of 252 implies 1 egress ACL with 252 security ACEs
Egress ACEs supported: 253 - # of ACLs.
This maximum also implies a port member count of 1 for the outPort ACL.
The switch supports a maximum 3,070 non-IPv6 ingress ACEs, 2,047 IPv6 ingress ACEs, and 251 non-IPv6 egress ACEs.
IPv6 ingress and IPv6 egress QoS ACL/Filters are not supported. If you disable an ACL, the ACL state affects the administrative state of all of the ACEs within it.
The switch supports the following maximum limits for ACL scaling:
1,024 non-IPv6 ingress ACLs (inPort, inVlan, or inVSN):
1,024 ACLs with 1 security ACE each OR
a combination based on the following rule:
num of ACLs <= 1,024 AND (num of ACLs + Security ACEs) <= 2,048 AND (num of ACLs + QoS ACEs) <= 1,024
This maximum implies a VLAN member count of 1 for inVlan ACLs.
1,024 IPv6 ingress ACLs (inPort):
1,024 IPv6 ACLs with 1 security ACE each OR
a combination based on the following rule:
num of IPv6 ACLs <= 1,024 AND (num of IPv6 ACLs + Security ACEs) <= 2,048
126 non-IPv6 egress ACLs (outPort):
126 ACLs with 1 Security ACE each OR
a combination based on the following rule:
num ACLs <= 126 AND (num ACLs + num security ACEs) <= 252
This maximum implies a port member count of 1 for outPort ACLs.
The switch supports the following maximum limits for ACE scaling:
3,070 non-IPv6 ingress ACEs:
The theoretical maximum implies the following configuration:
1 non-IPv6 ingress ACL with 2,047 security ACEs and 1,023 QoS ACEs
a VLAN member count of 1 for inVlan ACLs
Non-IPv6 Ingress ACEs supported: [2,048(security) - (num of ACLs)] + [1,024(QoS) - (num of ACLs)]
2,047 IPv6 ingress ACEs:
The theoretical maximum implies the following configuration:
1 IPv6 ingress ACL with 2,047 security ACEs
IPv6 Ingress ACEs supported: [2,048(security) - (num of ACLs)]
251 non-IPv6 egress ACEs:
The theoretical maximum implies the following configuration:
1 egress ACL with 251 security ACEs
a port member count of 1 for outPort ACLs
Non-IPv6 egress ACEs supported: 252 - (num egress ACLs)
The switch supports the following maximum limits:
500 IPv4 ingress ACLs
500 IPv4 egress ACLs
500 IPv4 ingress ACEs
500 IPv4 egress ACEs
The number of private VLANs that you configure with an IP address influences the IPv4 Egress ACE count.
The following table lists scaling limits for Routed Private VLANs/E-TREEs. These limits are not enforced; either the number of private VLANs or the number of private VLAN trunk ports can exceed the recommended values.
| Platform | Private VLAN trunk ports | Routed PVLANs/E-TREEs | IPv4 Egress ACE rules available (no IPv6 egress filter bootflag enabled) | IPv4 Egress ACE rules available (with IPv6 egress filter bootflag enabled) |
|---|---|---|---|---|
| VSP 4900 Series | 4 | 30 | 97 | 49 |
| VSP 7200 Series | 4 | 10 | 147 | 99 |
| VSP 7400 Series | 4 | 50 | 532 | 20 |
| VSP 8200 Series | 4 | 10 | 181 | 129 |
| VSP 8400 Series | 4 | 10 | 181 | 129 |

The Routed PVLANs/E-TREEs column reflects resources consumed by Routed Private VLANs. The IPv4 Egress ACE rules columns give the free entries available for either IPv4 Egress ACEs or private VLANs.
The following example output displays resource usage on a VSP 7400 Series for ten Routed Private VLANs with four private trunk members each.
Switch:1>show io resources filter

=============================================================================
                                 FILTER TABLE
=============================================================================

-----------------------------------------------------------------------------
ACL Filter Resource Manager stats
----------------------------------------------------------------------------
BCM CAP Group:  | ICAP_SEC | ICAP_QOS | ICAP_IPv6 | ECAP_SEC | ECAP_IPv6
Group Mode:     | Double   | Triple   | Triple    | Double   | Double
----------------------------------------------------------------------------
Total Entries : | 767      | 767      | 767       | 782      | 512
Free Entries :  | 767      | 767      | 767       | 732      | 512
In Use :        | 0        | 0        | 0         | 50       | 0

Filter table:
-----------------------------------------------------------------
ACL  |       |Port/Vlan| Sec   | QoS   | All   |
ID   | Flags | Members | ACE's | ACE's | ACE's | Type
-----------------------------------------------------------------
-----------------------------------------------------------------

Filter resources used by other features:
-------------------------------------
Feature | Type | Number of entries |
-------------------------------------
PVlan   | ECAP | 50                |
-------------------------------------
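Because the private VLAN entries are taken from the same ECAP_SEC bank as IPv4 egress ACEs, the stats block above is what an operator polls to see how much room remains. The following is an added example, not part of the product documentation: it parses the "ACL Filter Resource Manager stats" rows and the "used by other features" table from the output, and flags CAP groups whose free entries fall under a threshold. `SAMPLE_OUTPUT` is a constructed subset re-typed from the output above.

```python
# Added example (not from the original document): parse the per-CAP-group
# counters of 'show io resources filter' and report groups that are close to
# exhaustion. SAMPLE_OUTPUT is a constructed excerpt of the output shown above.
import re

SAMPLE_OUTPUT = """\
BCM CAP Group:  | ICAP_SEC | ICAP_QOS | ICAP_IPv6 | ECAP_SEC | ECAP_IPv6
Group Mode:     | Double   | Triple   | Triple    | Double   | Double
----------------------------------------------------------------------------
Total Entries : | 767 | 767 | 767 | 782 | 512
Free Entries :  | 767 | 767 | 767 | 732 | 512
In Use :        | 0 | 0 | 0 | 50 | 0
Filter resources used by other features:
-------------------------------------
Feature | Type | Number of entries |
-------------------------------------
PVlan | ECAP | 50 |
-------------------------------------
"""

def _cells(line):
    # Everything after the row label, split on '|', blanks dropped
    return [c.strip() for c in line.split("|")[1:] if c.strip()]

def parse_filter_resources(text):
    """Return (groups, features).

    groups:   {cap_group: {"total": n, "free": n, "in_use": n}}
    features: {feature: (cap_type, entries)} from the "other features" table
    """
    groups, features, names = {}, {}, []
    for line in text.splitlines():
        if line.startswith("BCM CAP Group"):
            names = _cells(line)
            groups = {n: {} for n in names}
        elif re.match(r"(Total Entries|Free Entries|In Use)\s*:", line):
            key = {"Total": "total", "Free": "free", "In": "in_use"}[line.split()[0]]
            for name, value in zip(names, _cells(line)):
                groups[name][key] = int(value)
        else:
            m = re.match(r"(\w+)\s*\|\s*(\w+)\s*\|\s*(\d+)\s*\|", line)
            if m:
                features[m.group(1)] = (m.group(2), int(m.group(3)))
    return groups, features

def low_headroom(groups, min_free_pct=10):
    """Names of CAP groups with less than min_free_pct percent of entries free."""
    return [n for n, g in groups.items()
            if g.get("total") and 100 * g["free"] / g["total"] < min_free_pct]
```

Feeding the same parser the output of a switch after additional egress ACLs are added shows the ECAP_SEC free count shrinking, which is the figure the table above reports as "IPv4 Egress ACE rules available".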