05-28-2013 06:51 AM - edited 03-10-2019 08:28 PM
Hi guys, I'd like to know if there is a real limitation on the number of lines that can be written in a dACL; in the official documentation I couldn't find any info about that.
05-28-2013 09:14 AM
Hello Renato,
I checked the latest user guide and you're correct, it's not documented. A DACL should not contain more than 64 ACEs.
http://preview.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_authz_polprfls.html#wp1219887
The below link says that the maximum limit on per-user ACL is 4000 ASCII characters.
Looks like there is a DOC defect filed on this as well
CSCud44176 DOC: Add Any key word must be the source in all DACL
The "Any" key word must be the source in all DACL. This is not a limitation of ISE, but of the IOS. This is documented in the config guide of the IOS.
If possible can we add this note to the ISE User Guide in the DACL section. The length of the DACL is limited, but is not documented well. There is an internal (to Cisco) document that says the DACLs are limited to 64 lines, but does not speak to the limitation of 4000 char.
Jatin Katyal
- Do rate helpful posts -
05-28-2013 01:22 PM
The limitation comes from the fact that the dACL has to be delivered in a single RADIUS Accounting Packet and these packets have a 4096 byte limit, which equates to just under 4000 characters by the time you account for the 52 bytes of headers.
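A pre-deployment check for the three constraints discussed in this thread (no more than 64 ACEs, no more than 4000 ASCII characters, and "any" as the source of every ACE), written here as an added example; it is not code from the thread or from Cisco. The limit values are taken as stated in the replies above and should be confirmed against your own ISE and IOS releases; SAMPLE_DACL is a constructed input.

```python
from dataclasses import dataclass

# Limits quoted in the thread; assumed here, verify against your own ISE/IOS release.
MAX_ACES = 64     # ISE user guide: no more than 64 ACEs per dACL
MAX_CHARS = 4000  # per-user ACL capped at 4000 ASCII characters

@dataclass
class DaclReport:
    ace_count: int
    char_count: int
    problems: list  # empty list means the dACL passes every check

def source_of(ace: str):
    """Source field of an ACE: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; None if unparsable."""
    tok = ace.split()
    if len(tok) < 3 or tok[0].lower() not in ("permit", "deny"):
        return None
    if tok[2].lower() == "any":
        return "any"
    return " ".join(tok[2:4]) if len(tok) >= 4 else None  # 'host X' or 'X wildcard'

def check_dacl(dacl_text: str) -> DaclReport:
    """Check a dACL body (one ACE per line) against the limits quoted in the thread."""
    lines = [ln.strip() for ln in dacl_text.splitlines()]
    aces = [ln for ln in lines if ln and not ln.startswith("!")]  # skip blanks and '!' comments
    body = "\n".join(aces)
    problems = []
    if len(aces) > MAX_ACES:
        problems.append(f"{len(aces)} ACEs exceeds the {MAX_ACES}-ACE limit")
    if len(body) > MAX_CHARS:
        problems.append(f"{len(body)} characters exceeds the {MAX_CHARS}-character limit")
    if not body.isascii():
        problems.append("dACL contains non-ASCII characters")
    for n, ace in enumerate(aces, 1):
        src = source_of(ace)
        if src is None:
            problems.append(f"ACE {n}: cannot parse '{ace}'")
        elif src != "any":
            problems.append(f"ACE {n}: source must be 'any', got '{src}' (IOS rejects it)")
    return DaclReport(len(aces), len(body), problems)

# Constructed sample dACL (not from the thread) that passes all checks.
SAMPLE_DACL = """\
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit tcp any host 10.10.10.5 eq 443
deny ip any any
"""
```

Running `check_dacl` on a dACL before it is pushed to ISE turns a silent truncation or a rejected ACL on the switch into an explicit list of problems.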