Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4580
Views
18
Helpful
4
Replies

DACLs in ISE

cajones
Level 1
Level 1

‎07-01-2016 02:35 PM - edited ‎03-10-2019 11:54 PM

Is there a size limitation on DACLs?  Is there a way to create something like an object group within DACLs so they are not so large?

Labels:
0 Helpful
4 Replies 4

Karsten Iwen
VIP
VIP

‎07-02-2016 01:11 AM

There are different limitations that can apply based on RADIUS and the switch-model:

  • The whole dACL can not exceed 4000 characters as it has to fit into one RADIUS packet.
  • up to 64 lines in a single dACL (you should have far less lines in practice).
  • The total amount of ACEs the switch can store in it's TCAM. That can range from only a few hundreds on the low end switches and a few thousands on the more expensive models. This can often be adjusted by choosing the right SDM-template.

cajones
Level 1
Level 1
In response to Karsten Iwen

‎07-05-2016 10:09 AM

Thank you both very much.  This is great information.

0 Helpful

chyps
Level 1
Level 1
In response to Karsten Iwen

‎06-18-2024 06:32 AM

While I don't make a normal practice of correcting old entries in the Cisco community, I discovered the info provided in this thread is not correct and appears to be the predominant response still returned by some search engines when asking the question about dACL size limits. 

  • Cisco dACLs are NOT limited to 4000 characters in a single packet. While true that the size of RADIUS packets are limited, dACLs are not limited to a single packet. The contents of a dACL may be sent over multiple packets if needed. In other words, no hard limit on dACL characters.
  • "Up to 64 lines in a single dACL" is a common best practice tip in various Cisco technical documents, but is NOT an actual limit. Best practices speak to the question of cumulative TCAM usage in the switch which would more likely be exceeded if attempting to send multiple unique dACLs to a switch with many ACL entries. Actual limits are highly variable based on switch TCAM capacity, number of unique dACLs sent, and the size of each unique dACL. 

For additional references on this topic, see:

nspasov
Cisco Employee
Cisco Employee

‎07-02-2016 07:37 AM

To add to the the great info already provided by Karsten:

- The DACLs should be kept short and simple. I have done many ISE deployments and 99% of the time the DACLs did not exceed 4 lines

- If DACLs start growing out of control then you should consider TrustSect/SGA/SGT

- Also, while not ideal, you can use VLAN override and then perform restriction(s) on a distribution type switch, Firewall, etc.

I hope this helps!

Thank you for rating helpful posts!

Customers Also Viewed These Support Documents