Thank You all for you responses

Checking my switches, these seem to be the hard TCAM limits.

9400 = 18432
9300 = 5120
4500 = 4096
3850 = 3072
3560x = 924
2960 = 384

deleted

For future reference, please disregard the feedback on dACL size limitation:

• dACLs are not delivered via accounting packets
• Longer dACLs may be fragmented across multiple requests from a switch to a policy server

Cheers,

Einar

As often the case, there is a grain of truth in each source of information, but often that truth becomes distorted in translation!

The first point of confusion is the references to RADIUS Accounting (RFC 2866).  These references are incorrect and instead should be a reference simply to RADIUS (RFC 2865).  Per-User ACLs and downloadable ACLs (dACLs) do not use RADIUS Accounting, but RADIUS auth for transmitting ACL content.  That said, there is still a single packet maximum of 4096 bytes for RADIUS packets, notwithstanding RFCs advocating support for larger RADIUS packets.

The second point of confusion is that there is a functional difference between Per-User ACLs and downloadable ACLs (dACLs).  Per-User ACLs are sent via RADIUS auth and Access Control Entries (ACEs) are returned as individual vendor-specific attributes (VSAs) in Access-Accept messages.  These are the ACL type which appear to be most commonly referenced in the Cisco documentation and communities.  However, these are distinct from dACLs which are an optimization to the RADIUS authorization process. 

More specifically, unlike Per-User ACLs which use a direct authorization response to a Cisco switch, for example, where the AAA server returns all of the VSAs in an authorization response (Access Accept packet), dACLs use a flow where the AAA server first sends down the name of the dACL as an authorization.  The switch then makes a separate RADIUS auth request for the ACL by name. If the dACL contents have changed since a prior download (as tracked by the dACL hash extension), the current dACL contents are sent down to the RADIUS client (ex: switch). Unlike per-user ACLs that are limited to a single Access-Accept packet (max 4096 bytes), dACL contents can be returned over multiple packets, thus not limited to the same 4096-byte size restrictions as Per-User ACLs. 

Hope that clarifies the sources of prior responses, each holding a bit of fact, but easily confused without understanding terminology and specific use cases.

Craig

Hi Craig,

 Can you screenshot the per-user and dACL to clarify where each is configured?

Thanks,

Brian

Brian, Before creating new sample entries in ISE from scratch, I did a quick search and found a site that posted decent ISE configuration examples of a dACL, Per-User ACL, as well as the IETF standard ACL (Filter-Id): Delivering ACLs for MAB/DOT1x Authentication 

Per-User ACLs are rarely used.  There was a time you could leverage them in multi-match policy rule set to allow ACL entries from multiple policy rules to be concatenated into a single ACL by matching individual rules.  This rule logic was removed in earlier ISE 2.x releases so not seen too often.  I recall ASA Remote Access VPN also supporting such logic with Dynamic Access Policy (DAP).  In any case, they are nice in that they allow central configuration, but you rarely see them deployed in production due to the availability of dACLs which can scale larger, detect ACE modifications, and simpler to configure.  The ISE interface allows contents to be copied and pasted from another source as text rather than entered as singular AV-pair entries in Advanced Settings, and ISE dACLs include a syntax checker.  

Filter-ID is still used, but primarily with 3rd-party equipment that lack dACL support. A major downside of the IETF Filter-Id option is that the ACL must be pre-configured on each access device before it can be referenced in an authorization response.

Hope this helps.