SG350 / ACL / Cannot apply - TCP/UDP port range egress amount exceeded.

tom.fransen
Level 1

LS,

we have enabled routing on our SG350 network switch so it can route between two connected IP subnets (VLANs).

So let's assume: subnet A (10.0.0.0/24) and subnet B (192.168.0.0/24)

However, we want to restrict the traffic between subnet A and subnet B. To be more precise, we want to limit the traffic from subnet A to a number of hosts in subnet B (including a port range). For this we want to use ACLs.

When applying the ACL we get the following error message: "Cannot apply - TCP/UDP port range egress amount exceeded."

We are running firmware version: 2.5.0.90

The error is triggered by the fact that we have 3 ACEs stating a port range. If we have two ACEs we do not get the error.


Questions:

- We do not see any limitations being mentioned in the user manual regarding the number of ACEs using ranges. So is this a bug in the firmware?

- Are there other ways we can restrict the traffic to a number of IP hosts in the 192.168.0.0/24 subnet (including a port range)?


Here is an example showing the ACL and the output from the switch:

SG350(config-ip-al)#do sh access-lists
Extended IP access list acllist1
    permit  tcp any 49152-65535 host 192.168.0.8 49152-65535 ace-priority 20
    permit  tcp any 49152-65535 host 192.168.0.9 49152-65535 ace-priority 40
    permit  tcp any 49152-65535 host 192.168.0.10 49152-65535 ace-priority 60

SG350(config-ip-al)#
SG350(config-ip-al)#int ge14
SG350(config-if)#service-acl output acllist1
Cannot apply - TCP/UDP port range egress amount exceeded.

We also tried to put the ACL on the VLAN but this results in the same error.


Regards,

TF

9 Replies

bldollen
Cisco Employee

Hi, Tom.


It looks like you’re hitting a known issue, CSCvn70982. Interestingly you’ve hit the problem with only three ACEs instead of the four listed in the bug description, but I suspect that’s explained by the test case differing slightly in the number of ports per ACE.

This bug is slated to be fixed, but I don’t have an exact timeline for that at this point. The good news, in your case, is that I can see an easy workaround: combine the 192.168.0.8 and .9 hosts into one line with a wildcard mask, like so:

permit tcp any 49152-65535 192.168.0.8 0.0.0.1 49152-65535 ace-priority 20
permit tcp any 49152-65535 host 192.168.0.10 49152-65535 ace-priority 60

That does the same job in only two lines. If you don’t mind including 192.168.0.11 among the destinations, you could even do the whole thing in one line:

permit tcp any 49152-65535 192.168.0.8 0.0.0.3 49152-65535 ace-priority 20

That would cover 192.168.0.8 - .11 for destinations.

The drawback with this workaround is that it requires the IP addresses to be numerically contiguous for the wildcard mask to work. If your addresses were .9, .78, and .212, it wouldn't be an option.
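The workaround in the reply above, and the ACL in the question it answers, come down to one thing: fewer ACEs carrying a TCP/UDP port range, achieved by merging destination hosts into wildcard-mask ACEs. The following Python script is an added example, not Cisco code and not written by anyone in this thread, that does that merge mechanically for ACEs in the exact syntax the switch printed in the question. It counts how many ACEs carry a port range, merges destination hosts into the fewest aligned wildcard blocks that admit no address outside the list (the two-line variant), and separately reports the smallest single block covering all hosts together with the addresses it would additionally admit (the .11 in the one-line variant). It also makes the alignment rule behind the "numerically contiguous" remark explicit: a wildcard mask covers a power-of-two block aligned on its own size, so .8 and .9 merge under 0.0.0.1 but .9 and .10 do not. The ACE regex, the function names and the sample ACL string are assumptions constructed for this example.

```python
"""Consolidate single-host ACEs into wildcard-mask ACEs (added example, not
Cisco code). Assumes the ACE syntax printed by the SG350 in this thread."""
import ipaddress
import re
from collections import OrderedDict

# Constructed sample: the three ACEs from the question, as the switch printed them.
SAMPLE_ACL = """\
permit  tcp any 49152-65535 host 192.168.0.8 49152-65535 ace-priority 20
permit  tcp any 49152-65535 host 192.168.0.9 49152-65535 ace-priority 40
permit  tcp any 49152-65535 host 192.168.0.10 49152-65535 ace-priority 60
"""

# Only the "any <sport> host <dst> <dport>" shape seen on the page is handled (assumption).
ACE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>tcp|udp)\s+any\s+(?P<sport>\S+)\s+"
    r"host\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dport>\S+)\s+ace-priority\s+(?P<prio>\d+)\s*$"
)


def _ip(value):
    return int(ipaddress.IPv4Address(value))


def _str(value):
    return str(ipaddress.IPv4Address(value))


def parse_aces(text):
    """Parse ACE lines into dicts; reject anything outside the assumed syntax."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        ace = m.groupdict()
        ace["prio"] = int(ace["prio"])
        aces.append(ace)
    return aces


def count_port_range_aces(aces):
    """Number of ACEs whose source or destination port is a range; this is the
    resource the 'TCP/UDP port range egress amount exceeded' message refers to."""
    return sum(1 for a in aces if "-" in a["sport"] or "-" in a["dport"])


def wildcard_matches(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard)
    return (_ip(addr) & care) == (_ip(base) & care)


def exact_blocks(hosts):
    """Cover the hosts with the fewest aligned power-of-two blocks that admit no
    address outside the list. Returns [(base, wildcard), ...] as dotted strings."""
    remaining = {_ip(h) for h in hosts}
    blocks = []
    while remaining:
        base = min(remaining)
        size = 1
        # Grow while the block stays aligned on its size and every address in it is wanted.
        while base % (size * 2) == 0 and all(base + i in remaining for i in range(size * 2)):
            size *= 2
        remaining -= {base + i for i in range(size)}
        blocks.append((_str(base), _str(size - 1)))
    return blocks


def covering_block(hosts):
    """Smallest single aligned block containing every host, plus the extra
    addresses it admits (the way 192.168.0.8 0.0.0.3 also admits .11)."""
    ints = sorted(_ip(h) for h in hosts)
    size = 1
    while ints[0] // size != ints[-1] // size:
        size *= 2
    base = (ints[0] // size) * size
    extras = [_str(base + i) for i in range(size) if base + i not in ints]
    return (_str(base), _str(size - 1)), extras


def consolidate(aces):
    """Rewrite ACEs that differ only in destination host into wildcard ACEs.
    The merged ACE keeps the lowest ace-priority of the hosts it replaces."""
    groups = OrderedDict()
    for a in aces:
        groups.setdefault((a["action"], a["proto"], a["sport"], a["dport"]), []).append(a)
    out = []
    for (action, proto, sport, dport), members in groups.items():
        prio_of = {m["dst"]: m["prio"] for m in members}
        for base, wildcard in exact_blocks(prio_of):
            covered = [h for h in prio_of if wildcard_matches(h, base, wildcard)]
            prio = min(prio_of[h] for h in covered)
            dst = f"host {base}" if wildcard == "0.0.0.0" else f"{base} {wildcard}"
            out.append(f"{action} {proto} any {sport} {dst} {dport} ace-priority {prio}")
    return out


if __name__ == "__main__":
    aces = parse_aces(SAMPLE_ACL)
    print("port-range ACEs before:", count_port_range_aces(aces))
    for line in consolidate(aces):
        print(line)
    print("single covering block:", covering_block([a["dst"] for a in aces]))
```

Run against the sample, `consolidate` produces exactly the two lines from the reply (the .8/.9 pair under 0.0.0.1 with priority 20, and host .10 with priority 60), and `covering_block` reports 192.168.0.8 0.0.0.3 with .11 as the one extra address. The exact-cover merge never widens the permit beyond the listed hosts; use `covering_block` only when admitting the extras it lists is acceptable.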

Thanks for the update!

Hi,

thanks for the feedback:

"It looks like you’re hitting a known issue, CSCvn70982. Interestingly you’ve hit the problem with only three ACEs instead of the four listed in the bug description, but I suspect that’s explained by the test case differing slightly in the number of ports per ACE."

We have been looking for another solution in the meantime but it turns out that the ACL would be the best way forward.

Is there currently more information on when this issue will be solved (in which firmware release and when)?

Regards,

Tom

Dear all,

any news/ETA on when this will be fixed?!
Just got hit by this issue too on the most recent 2.5.5.47 firmware.

Thank you!
FR

Updates on this issue? I have currently run into the same issue running 2.5.7.85, which is the latest version. Tried to downgrade as someone mentioned but still same issue.

This is fixed in 2.5.7.85 according to our internal testing. If you are still experiencing the issue with that firmware version, please open a support case, either by phone or online.

persiannight
Level 1

Any idea when this will be fixed? This is really a pain as I can't apply any of my ACLs to VLANs. On a brand new SX550-48G w/newest firmware.

persiannight
Level 1

Ran into this again and overcame it by flashing back to 2.4.0.x firmware. This is ridiculous. PLEASE FIX THIS CISCO.

Which version did you revert back to? I tried 2.4.0.94 and still had the same issue.