
1056 Views, 10 Helpful, 3 Replies
Dolevha
Beginner

Trustsec SGACL size limit

Hey,

I've seen it documented that the SGACL size cannot exceed 6KB - "Dynamic SGACL download size is limited to 6 KB" (https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-16-7/sec-usr-cts-xe-16-7-book/sec-cts-sgacl.pdf).
In other documents, I've seen that it cannot exceed 6KB per DGT - "Dynamic SGACL download is limited to 6KB per destination group tag" (https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/16-6/release_notes/ol-16-6-3650.html).
What does it mean? That the total size of all the SGACLs that are downloaded is 6KB, or that each SGACL is 6KB?
If I apply the same SGACL several times in the TrustSec matrix, does it count towards the total size?


Thanks,

Dolev

Accepted Solution

I've never paid attention to the 6KB limit and instead focused on the degrees of scale each platform's TCAM supports. The very last table in this TrustSec system bulletin is what I'm talking about: "Table 7. Cisco Group Based Policy Platform Scalability of SGACLs"
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-system-bulletin.pdf


| Platform | Maximum number of SG ACEs | Notes |
|---|---|---|
| Catalyst 3750-X & 3560-X | | 1015 maximum unique cells |
| Catalyst 3650, Catalyst 3850-SE, 3850-XS, Catalyst 3850 | 680 L4 per system | Max # of ACEs in SGACL should be 300 or less due to buffer size limits; 256 Source/Destination Groups |
| Catalyst 4500-X, Catalyst 4500 Sup 7-E/7L-E/8-E/8L-E | 64,000 | Ranges between 64k ACEs in 1 SGACL to 1 ACE in 64k SGACLs |
| Catalyst 6500 Series Supervisor Engine 2T and 6T | 16,000 | |
| Catalyst 6840-X | 16K | |
| Catalyst 6880-X | 64K (XL), 16K (LE) | |
| Catalyst 9200 | 1,408 | 256 Source/Destination Groups |
| Catalyst 9300 | 5,000 | 256 Source/Destination Groups |
| Catalyst 9400 Supervisor Engine-1 & -1XL | 18,000 | 256 Source/Destination Groups |
| Catalyst 9500 | 17,500 | 256 Source/Destination Groups |
| Catalyst 9500H | Pending data from test team | 256 Source/Destination Groups |
| Catalyst 9600 | Pending data from test team | 256 Source/Destination Groups |
| 1540, 1560, 1570 Series, 1552 AP; 1700, 2700, 2800, 3700 AP Series (Wave 1); 1815, 1830, 1850, 2800, 3800 AP Series (Wave 2) | 256 ACEs per SGACL | 400 unique SGACLs, 50 SGTs |
| WLC 8540, 5520, 3504 | 256 ACEs per SGACL | 800 unique SGACLs, 512 SGTs |
| Nexus 7K M3, M2, M1 Modules | 128,000 | |
| Nexus 7K F3, F2, F2e Modules | 16,000 | |
| Nexus 7K F1 Modules | 1,024 | |
| Nexus 1000V | 6,000 | |
| Nexus 5500 | 124 | 124 SGACL TCAM entries available per bank of 8 ports for feature use (4 of 128 are default entries). Sum of SGACL entries per 8-port bank cannot contain more than 124 permissions in total. SGACLs can be reused extensively; over 2000 SGT/DGT combinations possible from reusing 124 lines of permissions |
| Nexus 5600, 6000 | 1,148 | |
| ASR 1000 | 4,096 per cell | 62,500 maximum number of unique cells |
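The practical way to use that table is to size your own policy matrix before pushing it: count the unique SGACLs, the ACEs they contain, and the number of tags in play, then compare against the platform row you care about. The script below is an added example, not code from the original post or from Cisco; the policy matrix and SGACL bodies are constructed sample data, the byte estimate is a plain-text approximation rather than Cisco's actual download encoding, the 6 KB figure is taken as 6 × 1024 bytes, and the platform limits are copied from the table rows for the Catalyst 9200, 9300 and 3850. Because the thread does not settle whether the 6 KB limit applies per unique SGACL or per matrix cell, the script reports both readings side by side.

```python
from collections import defaultdict

# Constructed sample policy matrix: (source SGT, destination SGT) -> SGACL name.
# The same SGACL is deliberately referenced from several cells, which is the
# situation the question asks about.
MATRIX = {
    (10, 20): "Permit_Web",
    (11, 20): "Permit_Web",
    (12, 20): "Permit_Web",
    (10, 30): "Deny_All_Log",
    (11, 30): "Permit_DB",
    (12, 30): "Deny_All_Log",
}

# Constructed SGACL bodies, one ACE per entry, written in the IOS RBACL style.
SGACLS = {
    "Permit_Web": ["permit tcp dst eq 80", "permit tcp dst eq 443", "deny ip log"],
    "Permit_DB": ["permit tcp dst eq 1433", "permit tcp dst eq 3306", "deny ip"],
    "Deny_All_Log": ["deny ip log"],
}

# Figures quoted on this page: the 6 KB download limit (assumed to mean 6 * 1024)
# and per-platform maximums from "Table 7" of the TrustSec system bulletin.
SGACL_DOWNLOAD_LIMIT_BYTES = 6 * 1024
PLATFORMS = {
    "Catalyst 9200": {"max_aces": 1408, "max_groups": 256},
    "Catalyst 9300": {"max_aces": 5000, "max_groups": 256},
    # 680 L4 ACEs per system; keep each SGACL at 300 ACEs or fewer.
    "Catalyst 3850": {"max_aces": 680, "max_groups": 256, "max_aces_per_sgacl": 300},
}


def sgacl_bytes(name, sgacls=SGACLS):
    """Approximate download size of one SGACL: ACE text plus a newline each.
    Assumption: a plain-text estimate, not Cisco's exact wire encoding."""
    return sum(len(ace) + 1 for ace in sgacls[name])


def summarize(matrix=MATRIX, sgacls=SGACLS):
    """Count ACEs and bytes two ways: once per unique SGACL (reuse is free)
    and once per matrix cell (reuse counts every time it appears)."""
    per_dgt = defaultdict(lambda: {"cells": 0, "unique": set(), "bytes_per_cell": 0})
    for (_sgt, dgt), name in matrix.items():
        entry = per_dgt[dgt]
        entry["cells"] += 1
        entry["unique"].add(name)
        entry["bytes_per_cell"] += sgacl_bytes(name, sgacls)
    for entry in per_dgt.values():
        entry["bytes_unique"] = sum(sgacl_bytes(n, sgacls) for n in entry["unique"])
        entry["unique"] = sorted(entry["unique"])
    used = set(matrix.values())
    tags = {tag for pair in matrix for tag in pair}  # distinct SGTs and DGTs
    return {
        "per_dgt": dict(per_dgt),
        "unique_sgacls": sorted(used),
        "aces_unique": sum(len(sgacls[n]) for n in used),
        "aces_per_cell": sum(len(sgacls[n]) for n in matrix.values()),
        "groups": len(tags),
        "largest_sgacl_aces": max(len(sgacls[n]) for n in used),
    }


def check(summary, platform, platforms=PLATFORMS):
    """Return a list of findings; an empty list means the matrix fits the quoted
    limits. ACEs are checked per cell (the conservative reading); the 6 KB
    download figure is checked per DGT under both readings."""
    limits = platforms[platform]
    findings = []
    if summary["aces_per_cell"] > limits["max_aces"]:
        findings.append(f"{platform}: {summary['aces_per_cell']} ACEs exceed {limits['max_aces']}")
    if summary["groups"] > limits["max_groups"]:
        findings.append(f"{platform}: {summary['groups']} tags exceed {limits['max_groups']} groups")
    per_sgacl = limits.get("max_aces_per_sgacl")
    if per_sgacl and summary["largest_sgacl_aces"] > per_sgacl:
        findings.append(f"{platform}: largest SGACL has {summary['largest_sgacl_aces']} ACEs, advised max {per_sgacl}")
    for dgt, entry in sorted(summary["per_dgt"].items()):
        for key in ("bytes_unique", "bytes_per_cell"):
            if entry[key] > SGACL_DOWNLOAD_LIMIT_BYTES:
                findings.append(f"DGT {dgt}: {entry[key]} bytes ({key}) exceed {SGACL_DOWNLOAD_LIMIT_BYTES}")
    return findings


if __name__ == "__main__":
    s = summarize()
    print("unique SGACLs:", s["unique_sgacls"])
    print("ACEs (unique / per cell):", s["aces_unique"], "/", s["aces_per_cell"])
    for dgt, entry in sorted(s["per_dgt"].items()):
        print(f"DGT {dgt}: {entry['cells']} cells, {entry['bytes_unique']} B unique, {entry['bytes_per_cell']} B per cell")
    for platform in PLATFORMS:
        print(platform, "->", check(s, platform) or "fits")
```

Feeding it a real matrix export means replacing `MATRIX` and `SGACLS` with data pulled from ISE; the two byte columns then tell you how much headroom you have under either reading of the 6 KB figure, and the ACE column answers the TCAM question the accepted answer points at.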

3 Replies
Dolevha
Beginner

Does anyone know the answer?

Thanks!


Dolevha
Beginner

That's great, thanks!

That answers my main question, but I'll leave this topic open in case anyone knows something about that 6KB cap.
