ISE and dAcl

renato.efrati
Level 1

Hi guys, I'd like to know if there is a real limitation on the number of lines that can be written in a dACL; in the official documentation I couldn't find any info about that.

Accepted Solution

Jatin Katyal
Cisco Employee

Hello Renato,

I checked the latest user guide and you're correct, it's not documented. A DACL should not be more than 64 ACEs.

http://preview.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_authz_polprfls.html#wp1219887

The below link says that the maximum limit on per-user ACL is 4000 ASCII characters.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1264996

Looks like there is a DOC defect filed on this as well:

CSCud44176    DOC: Add Any key word must be the source in all DACL

The "Any" keyword must be the source in all DACLs. This is not a limitation of ISE, but of the IOS. This is documented in the config guide of the IOS:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1264996

If possible, can we add this note to the ISE User Guide in the DACL section. The length of the DACL is limited, but is not documented well. There is an internal (to Cisco) document that says the DACLs are limited to 64 lines, but it does not speak to the limitation of 4000 characters.

Jatin Katyal
- Do rate helpful posts -

~Jatin


Replies

Richard Atkin
Level 4

The limitation comes from the fact that the dACL has to be delivered in a single RADIUS Accounting Packet, and these packets have a 4096 byte limit, which equates to just under 4000 characters by the time you account for the 52 bytes of headers.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html#wp1133397

http://tools.ietf.org/html/rfc2866
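The three constraints raised in this thread (at most 64 ACEs, at most 4000 ASCII characters, and `any` as the source of every entry) are easy to get wrong when a dACL is authored by hand in ISE. The following checker is an added example, not code from the thread or from Cisco; it treats every non-blank line as one ACE and takes the ACE shape `<permit|deny> <protocol> <source> ...` as an assumption, and the sample dACL is constructed.

```python
"""Sanity-check a downloadable ACL (dACL) against the limits quoted in this thread."""
from dataclasses import dataclass, field

MAX_ACES = 64     # limit quoted from the Cisco-internal note mentioned in the thread
MAX_CHARS = 4000  # per-user ACL limit from the Catalyst 3750-X config guide


@dataclass
class DaclReport:
    ace_count: int
    char_count: int
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def check_dacl(text: str) -> DaclReport:
    # Assumption: each non-blank line is one ACE (no remark lines in the dACL).
    aces = [ln.strip() for ln in text.splitlines() if ln.strip()]
    report = DaclReport(ace_count=len(aces), char_count=len(text))
    if len(aces) > MAX_ACES:
        report.problems.append(f"{len(aces)} ACEs exceeds the {MAX_ACES}-ACE limit")
    if len(text) > MAX_CHARS:
        report.problems.append(f"{len(text)} characters exceeds the {MAX_CHARS}-character limit")
    if not text.isascii():
        report.problems.append("dACL contains non-ASCII characters")
    for n, ace in enumerate(aces, 1):
        tokens = ace.split()
        # Assumed ACE shape: <permit|deny> <protocol> <source> ...; IOS requires source == any.
        if len(tokens) < 3 or tokens[0] not in ("permit", "deny"):
            report.problems.append(f"ACE {n}: unrecognised syntax: {ace!r}")
        elif tokens[2] != "any":
            report.problems.append(f"ACE {n}: source must be 'any', got {tokens[2]!r}")
    return report


# Constructed sample: the second ACE uses a host as its source, which IOS rejects in a dACL.
SAMPLE_DACL = """\
permit udp any eq bootpc any eq bootps
permit ip host 10.0.0.5 any
permit tcp any host 10.1.1.10 eq 443
"""

if __name__ == "__main__":
    for problem in check_dacl(SAMPLE_DACL).problems:
        print(problem)
```

Run it against the dACL text before pasting it into the ISE authorization profile; an oversize or host-sourced dACL otherwise only fails when the switch applies it at authorization time.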