
MAC-Based Groups Error "There are no resources for this range"

tobiasott
Level 1

Hello,

I have an SG300-52. My goal is a setup where a client can connect to every port and is automatically placed in a VLAN dependent on its MAC address.

For this purpose I have set up some VLANs.

Vlan  Name  Ports                 Created by
----  ----  --------------------  ----------
1     1     gi1-46,gi48-52,Po1-8  D
10    10    gi1-46,gi48,gi51      S
20    20    gi1-46,gi48,gi51      S
30    30    gi1-46,gi48,gi51      S

All ports where clients can connect have the VLANs configured as untagged.

I have about 40 MACs I want to put in the VLANs dynamically. So I set up a macs-group to VLAN mapping:

conf t
interface range gi1-46
switchport mode general
switchport general map macs-group 5 vlan 5
switchport general map macs-group 10 vlan 10
switchport general map macs-group 20 vlan 20
switchport general map macs-group 30 vlan 30

Now I want to add MAC addresses to the macs-groups:

map mac 0000.0000.2222 host macs-group 10

But after adding a few MACs I get the error "There are no resources for this range".

Is there a limitation on the number of MAC addresses in a macs-group?

Please advise how to proceed or if there is a different way to achieve the goal.

Tobias

1 Accepted Solution

Accepted Solutions

Hello Tobias,

There is a limitation on how many MAC addresses could be added to the mac group and applied to the interfaces. Each MAC entry/interface takes up one configurable TCAM resource (max allowed is about 500 I believe). So, if you have 10 MAC addresses applied across 48 ports, that is 480 TCAM entries. This is assuming that you do not have any other rules (ACL, MAC ACL etc) configured. If you have a large number of MAC addresses that need static VLAN assignment, the best approach could be to use dot1x authentication based vlan assignment. This would be a scalable approach.

Hope this helps.

Nagaraja


4 Replies

Tom Watts
VIP Alumni

Hi Tobias,

2 observations I have.

First observation is my switch supports only 256 mac group bindings.

Second observation: if I create 100 MAC addresses for group 1 to VLAN 100, then take the same MAC addresses and create MAC group 2, it will overwrite MAC group 1.

So I do not think you ran into a limitation of grouping or maximum number. There was no error when I overwrote the MAC group, and I received the error "maximum exceeded" when I hit 256 entries.

I also do not know if you made a typo or your switch is accepting a different syntax. The keyword HOST, as highlighted below from your config, is not an option on my switch.

map mac 0000.0000.2222 host macs-group 10

-Tom
Please mark answered for helpful posts


Hi Tom,

thanks for your answer. What kind of switch do you have? Mine is a SG300-52 with Firmware 1.3. Does it work with an *older* Firmware?

The command syntax is according to the CLI reference version 1.3:

map mac mac-address {prefix-mask | host} macs-group group

Do you know another way to achieve the goal?

Greetings

Tobias

Hi Tom and Nagaraja,

you pointed me in the right direction. The SG300-52 has 477 maximum TCAM entries. Therefore my approach could not work out.

We have now set up dot1x auth with freeradius, and it worked right away.

Tobias
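
The TCAM arithmetic from the accepted answer and the move to RADIUS-assigned VLANs, as an added example that is not code from any poster in the thread: it parses the macs-group commands quoted above, counts one TCAM entry per MAC per port against the 477-entry figure, and emits FreeRADIUS users entries carrying the RFC 3580 tunnel attributes. It assumes MAC-based authentication in which the switch sends the MAC as lowercase hex without separators for both username and password; the sample config and the function names are constructed for illustration.

```python
import re

TCAM_BUDGET = 477  # maximum TCAM entries for the SG300-52, as reported in the thread

# Constructed sample config, using the command syntax quoted in the thread.
SAMPLE = """\
interface range gi1-46
switchport general map macs-group 10 vlan 10
switchport general map macs-group 20 vlan 20
map mac 0000.0000.2222 host macs-group 10
map mac 0000.0000.3333 host macs-group 20
"""
MAC_RE = r"((?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})"

def parse(config):
    """Return (port_count, {group: vlan}, {mac: group}) from the config lines."""
    ports, group_vlan, mac_group = 0, {}, {}
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"interface range gi(\d+)-(\d+)", line):
            ports = int(m[2]) - int(m[1]) + 1
        elif m := re.fullmatch(r"switchport general map macs-group (\d+) vlan (\d+)", line):
            group_vlan[int(m[1])] = int(m[2])
        elif m := re.fullmatch(rf"map mac {MAC_RE} host macs-group (\d+)", line):
            # Assumed RADIUS username format: lowercase hex, no separators.
            mac_group[m[1].replace(".", "").lower()] = int(m[2])
    return ports, group_vlan, mac_group

def tcam_entries(ports, mac_count):
    """One TCAM entry per MAC per interface, per the accepted answer."""
    return ports * mac_count

def max_macs(ports, budget=TCAM_BUDGET):
    """Largest number of MAC mappings that fits when applied to every port."""
    return budget // ports

def radius_users(group_vlan, mac_group):
    """FreeRADIUS 'users' entries that return each MAC's VLAN to the switch."""
    return "\n".join(
        f'{mac} Cleartext-Password := "{mac}"\n'
        f"\tTunnel-Type = VLAN,\n"
        f"\tTunnel-Medium-Type = IEEE-802,\n"
        f'\tTunnel-Private-Group-Id = "{group_vlan[group]}"\n'
        for mac, group in sorted(mac_group.items()))

if __name__ == "__main__":
    ports, gv, mg = parse(SAMPLE)
    print(f"{tcam_entries(ports, len(mg))} of {TCAM_BUDGET} TCAM entries used; "
          f"at most {max_macs(ports)} MACs fit on {ports} ports")
    print(radius_users(gv, mg))
```

With the mapping applied to gi1-46, the budget is exhausted after 10 MAC addresses, which matches the error appearing "after a few MACs"; the RADIUS entries cost no TCAM per port because the VLAN is assigned at authentication time.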