https://community.cisco.com/t5/network-access-control/ise-and-dacl/m-p/2265242#M136206 <HTML><HEAD></HEAD><BODY><P>Hello Renato,</P><P></P><P>I checked the latest user guide and you're correct it's not documented. DACL should not be more than 64 ACE's. </P><P><A class="jive-link-external-small" href="http://preview.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_authz_polprfls.html#wp1219887">http://preview.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_authz_polprfls.html#wp1219887</A></P><P></P><P>The below link says that the maximum limit on per-user ACL is 4000 ASCII characters.</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1264996">http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1264996</A></P><P></P><P>Looks like there is a DOC defect filed on this as well</P><P></P><P><A href="https://www.cisco.com/cisco/psn/bssprt/bss?searchType=bstbugidsearch&amp;page=bstBugDetail&amp;BugID=CSCud44176" target="_blank">CSCud44176</A>&nbsp;&nbsp;&nbsp; DOC: Add Any key word must be the source in all DACL</P><P></P><P>The "Any" key word must be the source in all DACL.&nbsp; This is not a limitation of ISE, but of the IOS. This is documented in the config guide of the IOS</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1264996">http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1264996</A><SPAN> </SPAN></P><P></P><P>If possible can we add this note to the ISE User Guide in the DACL section.The length of the DACL is limited, but is not documented well.&nbsp; There is an internal (to Cisco) document that says the DACL's are limited to 64 lines, but does not speak to the limitation of 4000 char.</P><P></P><P></P><P></P><P>Jatin Katyal <BR /> - Do rate helpful posts -</P></BODY></HTML> Tue, 28 May 2013 16:14:23 GMT Jatin Katyal 2013-05-28T16:14:23Z https://community.cisco.com/t5/network-access-control/ise-and-dacl/m-p/2265241#M136105 <P>hi guys, i'd to know if there is a real limitation in the number of lines that can be written in dAcl, in official documentation i couldn't&nbsp; find any info about that</P> Mon, 11 Mar 2019 03:28:25 GMT https://community.cisco.com/t5/network-access-control/ise-and-dacl/m-p/2265241#M136105 renato.efrati 2019-03-11T03:28:25Z https://community.cisco.com/t5/network-access-control/ise-and-dacl/m-p/2265242#M136206 <HTML><HEAD></HEAD><BODY><P>Hello Renato,</P><P></P><P>I checked the latest user guide and you're correct it's not documented. DACL should not be more than 64 ACE's. </P><P><A class="jive-link-external-small" href="http://preview.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_authz_polprfls.html#wp1219887">http://preview.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_authz_polprfls.html#wp1219887</A></P><P></P><P>The below link says that the maximum limit on per-user ACL is 4000 ASCII characters.</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1264996">http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1264996</A></P><P></P><P>Looks like there is a DOC defect filed on this as well</P><P></P><P><A href="https://www.cisco.com/cisco/psn/bssprt/bss?searchType=bstbugidsearch&amp;page=bstBugDetail&amp;BugID=CSCud44176" target="_blank">CSCud44176</A>&nbsp;&nbsp;&nbsp; DOC: Add Any key word must be the source in all DACL</P><P></P><P>The "Any" key word must be the source in all DACL.&nbsp; This is not a limitation of ISE, but of the IOS. This is documented in the config guide of the IOS</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1264996">http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1264996</A><SPAN> </SPAN></P><P></P><P>If possible can we add this note to the ISE User Guide in the DACL section.The length of the DACL is limited, but is not documented well.&nbsp; There is an internal (to Cisco) document that says the DACL's are limited to 64 lines, but does not speak to the limitation of 4000 char.</P><P></P><P></P><P></P><P>Jatin Katyal <BR /> - Do rate helpful posts -</P></BODY></HTML> Tue, 28 May 2013 16:14:23 GMT https://community.cisco.com/t5/network-access-control/ise-and-dacl/m-p/2265242#M136206 Jatin Katyal 2013-05-28T16:14:23Z https://community.cisco.com/t5/network-access-control/ise-and-dacl/m-p/2265243#M136252 <HTML><HEAD></HEAD><BODY><P>The limitation comes from the fact that the dACL has to be delivered in a single RADIUS Accounting Packet and these packets have a 4096 byte limit, which equates to just under 4000 characters by the time you account for the 52-bytes of headers.</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html#wp1133397">http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html#wp1133397</A></P><P></P><P><A class="jive-link-external-small" href="http://tools.ietf.org/html/rfc2866">http://tools.ietf.org/html/rfc2866</A></P></BODY></HTML> Tue, 28 May 2013 20:22:32 GMT https://community.cisco.com/t5/network-access-control/ise-and-dacl/m-p/2265243#M136252 Richard Atkin 2013-05-28T20:22:32Z