Trustsec SGACL size limit

Dolevha
Level 1

Hey,

I've seen it documented that the SGACL size cannot exceed 6KB - "Dynamic SGACL download size is limited to 6 KB" (https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-16-7/sec-usr-cts-xe-16-7-book/sec-cts-sgacl.pdf).
In other documents, I've seen that it cannot exceed 6KB per DGT - "Dynamic SGACL download is limited to 6KB per destination group tag" (https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/16-6/release_notes/ol-16-6-3650.html).
What does it mean? That the total bytes of all the SGACLs that are downloaded are 6KB, or that each SGACL is 6KB?
If I apply the same SGACL several times in the Trustsec matrix, does it count for the total size?


Thanks,

Dolev

Accepted Solution

I've never paid attention to the 6KB limit and instead focused on the degrees of scale each platform's TCAM supports. The very last table on this TrustSec system bulletin is what I'm talking about: "Table 7. Cisco Group Based Policy Platform Scalability of SGACLs"
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-system-bulletin.pdf


| Platform | Maximum number of SG ACEs | Notes |
| --- | --- | --- |
| Catalyst 3750-X & 3560-X | | 1015 maximum unique cells |
| Catalyst 3650, Catalyst 3850-SE, 3850-XS, Catalyst 3850 | 680 L4 per system | Max # of ACEs in SGACL should be 300 or less due to buffer size limits; 256 Source/Destination Groups |
| Catalyst 4500-X, Catalyst 4500 Sup 7-E/7L-E/8-E/8L-E | 64,000 | Ranges between 64k ACEs in 1 SGACL to 1 ACE in 64k SGACLs |
| Catalyst 6500 Series Supervisor Engine 2T and 6T | 16,000 | |
| Catalyst 6840-X | 16K | |
| Catalyst 6880-X | 64K (XL), 16K (LE) | |
| Catalyst 9200 | 1,408 | 256 Source/Destination Groups |
| Catalyst 9300 | 5,000 | 256 Source/Destination Groups |
| Catalyst 9400 Supervisor Engine-1 & -1XL | 18,000 | 256 Source/Destination Groups |
| Catalyst 9500 | 17,500 | 256 Source/Destination Groups |
| Catalyst 9500H | Pending data from test team | 256 Source/Destination Groups |
| Catalyst 9600 | Pending data from test team | 256 Source/Destination Groups |
| 1540, 1560, 1570 Series; 1552 AP; 1700, 2700, 2800, 3700 AP Series (Wave 1); 1815, 1830, 1850, 2800, 3800 AP Series (Wave 2) | 256 ACEs per SGACL | 400 unique SGACLs, 50 SGTs |
| WLC 8540, 5520, 3504 | 256 ACEs per SGACL | 800 unique SGACLs, 512 SGTs |
| Nexus 7K M3, M2, M1 Modules | 128,000 | |
| Nexus 7K F3, F2, F2e Modules | 16,000 | |
| Nexus 7K F1 Modules | 1,024 | |
| Nexus 1000V | 6,000 | |
| Nexus 5500 | 124 | 124 SGACL TCAM entries available per bank of 8 ports for feature use (4 of 128 are default entries). Sum of SGACL entries per 8-port bank cannot contain more than 124 permissions in total. SGACL can be reused extensively; over 2000 SGT/DGT combinations possible from reusing 124 lines of permissions |
| Nexus 5600, 6000 | 1,148 | |
| ASR 1000 | 4,096 per cell | 62,500 maximum number of unique cells |
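As an added illustration (not code from the thread or from Cisco), the following planner estimates how a policy matrix consumes the per-platform SG ACE budget quoted in the table above. Because the thread does not settle whether a reused SGACL is counted once or once per matrix cell, it reports both models; the platform figures are copied from the table, while the SGACL definitions and matrix are constructed sample data.

```python
"""Added TrustSec capacity-planning example; the policy below is constructed."""

# Per-platform figures copied from Table 7 as quoted in the accepted answer.
PLATFORM_LIMITS = {
    "Catalyst 3850": {"max_aces": 680, "max_aces_per_sgacl": 300, "max_groups": 256},
    "Catalyst 9300": {"max_aces": 5000, "max_groups": 256},
    "Catalyst 9500": {"max_aces": 17500, "max_groups": 256},
}

# Constructed sample policy: SGACL name -> number of ACEs, and (SGT, DGT) cell -> SGACL.
SGACLS = {"web_only": 4, "deny_all": 1, "mgmt_access": 12}
MATRIX = {
    (10, 20): "web_only", (11, 20): "web_only", (12, 20): "web_only",
    (10, 30): "deny_all", (11, 30): "deny_all", (99, 30): "mgmt_access",
}


def usage(matrix, sgacls):
    """Return the figures a planner compares against the bulletin table."""
    # Pessimistic model: every matrix cell is programmed with its own copy of the ACEs.
    per_cell = sum(sgacls[name] for name in matrix.values())
    # Optimistic model: each distinct SGACL is programmed once and referenced by its cells.
    unique = sum(sgacls[name] for name in set(matrix.values()))
    groups = {sgt for sgt, _ in matrix} | {dgt for _, dgt in matrix}
    largest = max(sgacls[name] for name in set(matrix.values()))
    return {"cells": len(matrix), "aces_per_cell_model": per_cell,
            "aces_unique_model": unique, "groups": len(groups), "largest_sgacl": largest}


def check(platform, matrix, sgacls):
    """List limit violations for a platform, using the pessimistic per-cell ACE model."""
    lim = PLATFORM_LIMITS[platform]
    u = usage(matrix, sgacls)
    problems = []
    if u["aces_per_cell_model"] > lim["max_aces"]:
        problems.append(f"per-cell ACE total {u['aces_per_cell_model']} > {lim['max_aces']}")
    if u["largest_sgacl"] > lim.get("max_aces_per_sgacl", float("inf")):
        problems.append(f"largest SGACL has {u['largest_sgacl']} ACEs, "
                        f"above the recommended {lim['max_aces_per_sgacl']}")
    if u["groups"] > lim["max_groups"]:
        problems.append(f"{u['groups']} distinct SGT/DGT values > {lim['max_groups']} groups")
    return problems


if __name__ == "__main__":
    print(usage(MATRIX, SGACLS))
    for name in PLATFORM_LIMITS:
        print(name, check(name, MATRIX, SGACLS) or "fits")
```

Running `check` on a matrix that reuses one single-ACE SGACL across several hundred cells shows why the counting model matters: the per-cell total can exceed a 3850-class budget while the unique-SGACL total stays at one ACE.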




Dolevha
Level 1

Does anyone know the answer?

Thanks!




Dolevha
Level 1

That's great, thanks!

That answers my main question, but I'll leave this topic open in case anyone knows something about that 6KB cap.
