03-24-2021 06:03 AM
Hey,
I've seen it documented that the SGACL size cannot exceed 6KB - "Dynamic SGACL download size is limited to 6 KB" (https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-16-7/sec-usr-cts-xe-16-7-book/sec-cts-sgacl.pdf).
In other documents, I've seen that it cannot exceed 6KB per DGT - "Dynamic SGACL download is limited to 6KB per destination group tag" (https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/16-6/release_notes/ol-16-6-3650.html).
What does it mean? That the total bytes of all the SGACL that are downloaded are 6KB or each SGACL is 6KB?
If I apply the same SGACL several times in the Trustsec matrix, does it count for the total size?
Thanks,
Dolev
03-31-2021 08:43 AM
I've never paid attention to the 6KB limit and instead focused on the degrees of scale each platform's TCAM supports. The very last table on this TrustSec system bulletin is what I'm talking about: "Table 7. Cisco Group Based Policy Platform Scalability of SGACLs"
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-system-bulletin.pdf
| Platform | Maximum number of SG ACEs | Notes |
|---|---|---|
| Catalyst 3750-X & 3560-X | 1015 maximum unique cells | |
| Catalyst 3650; Catalyst 3850-SE, 3850-XS; Catalyst 3850 | 680 L4 per system | Max # of ACEs in SGACL should be 300 or less due to buffer size limits; 256 Source/Destination Groups |
| Catalyst 4500-X, Catalyst 4500 Sup 7-E/7L-E/8-E/8L-E | 64,000 | Ranges between 64k ACEs in 1 SGACL to 1 ACE in 64k SGACLs |
| Catalyst 6500 Series Supervisor Engine 2T and 6T | 16,000 | |
| Catalyst 6840-X | 16K | |
| Catalyst 6880-X | 64K (XL), 16K (LE) | |
| Catalyst 9200 | 1,408 | 256 Source/Destination Groups |
| Catalyst 9300 | 5,000 | 256 Source/Destination Groups |
| Catalyst 9400 Supervisor Engine-1 & -1XL | 18,000 | 256 Source/Destination Groups |
| Catalyst 9500 | 17,500 | 256 Source/Destination Groups |
| Catalyst 9500H | Pending data from test team | 256 Source/Destination Groups |
| Catalyst 9600 | Pending data from test team | 256 Source/Destination Groups |
| 1540, 1560, 1570 Series; 1552 AP; 1700, 2700, 2800, 3700 AP Series (Wave 1); 1815, 1830, 1850, 2800, 3800 AP Series (Wave 2) | 256 ACEs per SGACL | 400 unique SGACLs, 50 SGTs |
| WLC 8540, 5520, 3504 | 256 ACEs per SGACL | 800 unique SGACLs, 512 SGTs |
| Nexus 7K M3, M2, M1 Modules | 128,000 | |
| Nexus 7K F3, F2, F2e Modules | 16,000 | |
| Nexus 7K F1 Modules | 1,024 | |
| Nexus 1000V | 6,000 | |
| Nexus 5500 | 124 | 124 SGACL TCAM entries available per bank of 8 ports for feature use (4 of 128 are default entries); sum of SGACL entries per 8-port bank cannot contain more than 124 permissions in total; SGACL can be reused extensively: over 2000 SGT/DGT combinations possible from reusing 124 lines of permissions |
| Nexus 5600, 6000 | 1,148 | |
| ASR 1000 | 4,096 per cell | 62,500 maximum number of unique cells |
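To turn the scale table and the 6KB question into something checkable, here is an added example (not code from the thread or from Cisco) that summarizes a small TrustSec matrix against a platform's limits. It assumes a constructed matrix and SGACL set, takes the ACE and group limits for the Catalyst 9200/9300 from the table above, measures SGACL size as the byte length of its permission text, and reports the 6KB figure both per SGACL and summed per DGT because the thread quotes both phrasings.

```python
from collections import defaultdict

# Constructed sample SGACLs: name -> ACE lines in ISE-style permission syntax.
SGACLS = {
    "Permit_Web": ["permit tcp dst eq 80", "permit tcp dst eq 443", "deny ip"],
    "Deny_All": ["deny ip"],
    "Permit_Mgmt": ["permit tcp dst eq 22", "permit icmp", "deny ip"],
}
# Constructed sample matrix: (SGT, DGT) -> SGACL name; SGACLs are reused across cells.
MATRIX = {
    (10, 20): "Permit_Web", (11, 20): "Permit_Web", (12, 20): "Deny_All",
    (10, 30): "Permit_Mgmt", (11, 30): "Deny_All",
}
# (max SG ACEs, max source/destination groups) copied from Table 7 as reproduced above.
PLATFORM_LIMITS = {"Catalyst 9200": (1408, 256), "Catalyst 9300": (5000, 256)}
DOWNLOAD_LIMIT = 6 * 1024  # the 6KB dynamic download figure quoted in the question


def sgacl_bytes(sgacls, name):
    """Bytes of one SGACL's permission text (each ACE line plus newline)."""
    return sum(len(line) + 1 for line in sgacls[name])


def summarize(matrix, sgacls):
    """Count what the matrix consumes: each distinct SGACL is counted once,
    the reuse model the Nexus 5500 note describes (verify for your platform)."""
    used = set(matrix.values())
    groups = {sgt for sgt, _ in matrix} | {dgt for _, dgt in matrix}
    per_dgt = defaultdict(set)  # DGT -> distinct SGACLs downloaded for that DGT
    for (_, dgt), name in matrix.items():
        per_dgt[dgt].add(name)
    return {
        "unique_sgacls": len(used),
        "unique_aces": sum(len(sgacls[n]) for n in used),
        "max_aces_in_one_sgacl": max(len(sgacls[n]) for n in used),
        "groups": len(groups),
        "max_sgacl_bytes": max(sgacl_bytes(sgacls, n) for n in used),
        "max_dgt_bytes": max(sum(sgacl_bytes(sgacls, n) for n in names)
                             for names in per_dgt.values()),
    }


def fits(platform, summary):
    """True when ACE count, group count and the per-DGT download sum are within limits."""
    max_aces, max_groups = PLATFORM_LIMITS[platform]
    return (summary["unique_aces"] <= max_aces
            and summary["groups"] <= max_groups
            and summary["max_dgt_bytes"] <= DOWNLOAD_LIMIT)
```

Feeding an export of the real matrix into `MATRIX` and `SGACLS` shows whether reusing one SGACL in many cells pushes the per-DGT sum up, which is exactly the question the 6KB wording leaves open.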
03-30-2021 05:57 AM
Does anyone know the answer?
Thanks!
03-31-2021 11:24 PM
That's great, thanks!
That answers my main question, but I'll leave this topic open in case anyone knows something about that 6KB cap.