Wireless Access

Occasional Contributor I
Posts: 7
Registered: ‎01-22-2015

ACLs and ACE count... Why am I running out so quickly?

I'm in the process of creating some ACLs on my 7210 controller, and after creating the first ACL and copying it to a new policy that I want to make some changes to, I'm already out of ACE entries. When I run the show acl acl-table command, I see that the ACL I just created and the role I assigned it to have an ACE count of 1556 each. Just copying that ACL to another role and trying to save it to the controller gives me "Can't add policy to ACL 'Student', needs 80 aces, have only 61 free aces."

Now, I have created a lot of aliases for different servers for all my sites and a few service groups, but this can't possibly be making me run out of space this quickly, can it?

show acl acl-table tells me that the one role I just created an ACL for has a rule count of 1555 and an ACE count of 1556.

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: ACLs and ACE count... Why am I running out so quickly?

Are you creating session (firewall) ACLs or standard/extended ACLs?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 7
Registered: ‎01-22-2015

Re: ACLs and ACE count... Why am I running out so quickly?


cappalli wrote:
Are you creating session (firewall) ACLs or standard/extended ACLs?

Session ACLs.

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: ACLs and ACE count... Why am I running out so quickly?

Hm. That doesn't seem right. Might be best to open a TAC case to get a quick answer. They can look at your controller.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 7
Registered: ‎01-22-2015

Re: ACLs and ACE count... Why am I running out so quickly?

Is it normal for that many entries to be taken up when using aliases and service groups? I mean, I'm using aliases for almost all of my rules, and some of the aliases have up to 10 host IPs in them. This one policy I've created has 29 rules, and most of them read:

Source "alias" Destination "alias" "service-group" permit.

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: ACLs and ACE count... Why am I running out so quickly?

Please run the following and read the table at the bottom to check the number of ACE entries in use and how many are free:

show acl acl-table

As a general rule, the number of ACE entries is determined by the following:

(number of IP addresses in source alias) * (number of IP addresses in destination alias) * (number of ports in netservice)


------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
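The multiplication rule quoted in the reply above is easy to apply by hand for one rule, but the surprise in this thread is how fast a whole policy adds up once aliases with 8 to 10 hosts meet service groups of several ports. The following is an added example, not code from the thread or from ArubaOS: it models that rule of thumb over a small constructed policy, reports which rules dominate the count, and reproduces the controller's "needs N aces, have only M free aces" style of check. The aliases, netservices, service groups, addresses and the "Student" rules are all constructed for illustration; treating "any" and a single subnet as one entry each, and counting a port that appears in two members of a service group once per member, are assumptions of this model.

```python
"""Estimate session-ACL ACE consumption from the rule of thumb
    ACEs per rule = (#IPs in source alias) * (#IPs in destination alias)
                    * (#ports in the netservice or service group)
Added example; all data below is constructed, not taken from a real controller.
"""
from typing import Dict, List, Tuple

# Constructed host aliases: name -> member entries (hypothetical addresses).
# "any" and a single subnet count as one entry each (assumption of this model).
ALIASES: Dict[str, List[str]] = {
    "any": ["any"],
    "student-net": ["10.20.0.0/16"],
    "dns-servers": ["10.1.1.10", "10.1.1.11"],
    "lms-servers": [f"10.5.0.{i}" for i in range(1, 11)],    # 10 hosts
    "print-servers": [f"10.6.0.{i}" for i in range(1, 9)],   # 8 hosts
}

# Constructed netservices: name -> list of ports.
NETSERVICES: Dict[str, List[int]] = {
    "svc-dns": [53],
    "svc-http": [80],
    "svc-https": [443],
    "svc-lms": [80, 443, 8080, 8443, 1935],
    "svc-print": [515, 631, 9100],
}

# Constructed service groups: name -> member netservices.
SERVICE_GROUPS: Dict[str, List[str]] = {
    "sg-web": ["svc-http", "svc-https"],
    "sg-lms-print": ["svc-lms", "svc-print"],
}

# A rule is (source alias, destination alias, service, action).
Rule = Tuple[str, str, str, str]


def service_port_count(service: str) -> int:
    """Ports contributed by a netservice, or by every member of a service group.
    A port listed in two members of a group is counted once per member
    (assumption: each member port becomes its own entry)."""
    if service in SERVICE_GROUPS:
        return sum(service_port_count(m) for m in SERVICE_GROUPS[service])
    return len(NETSERVICES[service])


def aces_for_rule(rule: Rule) -> int:
    """Apply the multiplicative rule of thumb to one ACL rule."""
    src, dst, service, _action = rule
    return len(ALIASES[src]) * len(ALIASES[dst]) * service_port_count(service)


def aces_for_policy(rules: List[Rule]) -> int:
    """Total ACEs the whole policy expands into."""
    return sum(aces_for_rule(r) for r in rules)


def heaviest_rules(rules: List[Rule], n: int = 3) -> List[Tuple[Rule, int]]:
    """The rules that consume the most ACEs: the first candidates to narrow
    (smaller aliases, fewer ports) when the controller runs out of entries."""
    scored = [(r, aces_for_rule(r)) for r in rules]
    return sorted(scored, key=lambda item: item[1], reverse=True)[:n]


def budget_check(rules: List[Rule], free_aces: int) -> str:
    """Mirror the controller's complaint: does this policy fit in the free ACEs?"""
    needed = aces_for_policy(rules)
    if needed > free_aces:
        return f"needs {needed} aces, have only {free_aces} free aces"
    return f"fits: needs {needed} aces, {free_aces - needed} free after install"


# A constructed "Student"-style policy with only five rules.
STUDENT_POLICY: List[Rule] = [
    ("student-net", "dns-servers", "svc-dns", "permit"),          # 1 * 2 * 1
    ("student-net", "lms-servers", "sg-lms-print", "permit"),     # 1 * 10 * 8
    ("lms-servers", "print-servers", "svc-print", "permit"),      # 10 * 8 * 3
    ("print-servers", "lms-servers", "sg-web", "permit"),         # 8 * 10 * 2
    ("student-net", "any", "sg-web", "permit"),                   # 1 * 1 * 2
]

if __name__ == "__main__":
    for rule in STUDENT_POLICY:
        print(f"{aces_for_rule(rule):5d}  {rule}")
    print("total ACEs:", aces_for_policy(STUDENT_POLICY))
    print("heaviest:", heaviest_rules(STUDENT_POLICY, 2))
    print(budget_check(STUDENT_POLICY, free_aces=61))
```

Five rules here already cost several hundred ACEs, and a single alias-to-alias rule with a multi-port service group accounts for half of them; a 29-rule policy built the same way lands in the range the original poster saw. The practical move the model suggests is to run the heaviest rules first and shrink whichever factor is cheapest to shrink, typically by splitting a large service group or replacing a host-list alias with a subnet where the security intent allows it.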

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: ACLs and ACE count... Why am I running out so quickly?

For the entry that has 1556 ACE entries, can you share the output of show rights <name-of-role>? Then we can evaluate the number of entries in each alias.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
