
ACL per port and TCAM utilization

ipagliani
Level 1

Ciao,

I'm implementing 802.1x with NAC Posture using a couple of WS-C4506-E Supervisor 6L-E. They are access switches, each with 4x48 10/100/1000 ports.

I'm configuring dACL for machine authentication and no posture (30 ACE to limit Active Directory access) and machine authentication with healthy posture (1 ACE: permit ip any any).

I did some tests with a couple of clients connected to these switches and verified TCAM utilization with the command:

sh platform hardware acl statistics utilization  brief 

CAM Utilization Statistics
--------------------------

                           Used          Free         Total
                           --------------------------------
Input  Security    (160)   35    (1  %)  2013  (99 %) 2048 
Input  Security    (320)   34    (1  %)  2014  (99 %) 2048 
Input  Forwarding  (160)   7     (0  %)  2041  (100%) 2048 
Input  Forwarding  (320)   24    (1  %)  2024  (99 %) 2048 
Input  Unallocated (160)   0     (0  %)  24576 (100%) 24576

Output Security    (160)   8     (0  %)  2040  (100%) 2048 
Output Security    (320)   12    (0  %)  2036  (100%) 2048 
Output Qos         (160)   18    (0  %)  2030  (100%) 2048 
Output Qos         (320)   2     (0  %)  2046  (100%) 2048 
Output Unallocated (160)   0     (0  %)  24576 (100%) 24576

Input Profiles (logical) : used 1 / 32
Input Profiles (physical): used 4 / 32

Output Profiles (logical) : used 1 / 32
Output Profiles (physical): used 3 / 32

 

It seems that the utilization is proportional to the ACEs applied per port (30 or 1). Can someone explain to me whether there is any sort of optimization? Because in the worst case there could be 196 clients x 30 ACE using 9408 of 2048 available.

 

Thanks.
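
A capacity check for the question above, as an added example that is not part of the original post: it parses rows of the utilization output shown in the post and reports how many clients with a given dACL size fit into the free Input Security entries. It assumes the worst case the post describes (every client consumes its own entries, none shared between ports); the function names and the `label` field for the parenthesised 160/320 value are hypothetical.

```python
import re

# Rows copied from the output in the post (subset); not freshly captured data.
SAMPLE = """\
Input  Security    (160)   35    (1  %)  2013  (99 %) 2048
Input  Security    (320)   34    (1  %)  2014  (99 %) 2048
Input  Forwarding  (160)   7     (0  %)  2041  (100%) 2048
Output Security    (160)   8     (0  %)  2040  (100%) 2048
Output Qos         (160)   18    (0  %)  2030  (100%) 2048
"""

# direction, region, (label), used (pct), free (pct), total
ROW = re.compile(r"^(Input|Output)\s+(\w+)\s+\((\d+)\)\s+(\d+)\s+\(\s*\d+\s*%\)"
                 r"\s+(\d+)\s+\(\s*\d+\s*%\)\s+(\d+)\s*$")


def parse_utilization(text):
    """Return one dict per CAM row; reject rows whose counters do not add up."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, separators, profile lines
        used, free, total = (int(m.group(i)) for i in (4, 5, 6))
        if used + free != total:
            raise ValueError(f"inconsistent counters: {line!r}")
        rows.append({"direction": m.group(1), "region": m.group(2),
                     "label": int(m.group(3)), "used": used,
                     "free": free, "total": total})
    return rows


def dacl_headroom(text, clients, aces_per_client,
                  direction="Input", region="Security"):
    """Assumption: every client costs aces_per_client entries, none shared."""
    report = {}
    for r in parse_utilization(text):
        if (r["direction"], r["region"]) == (direction, region):
            fit = r["free"] // aces_per_client
            report[r["label"]] = {"free": r["free"], "max_clients": fit,
                                  "fits": clients <= fit}
    return report


if __name__ == "__main__":
    # 196 clients and 30 ACEs per client are the figures given in the post.
    for label, info in dacl_headroom(SAMPLE, 196, 30).items():
        print(f"Input Security ({label}): {info}")
```

Run against output captured while authenticated clients are connected, the same function gives a measured entries-per-client figure to compare with the no-sharing assumption.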
