I'm in the process of creating some ACLs on my 7210 controller and after creating the first ACL and copying it to a new policy that I want to make some changes to, I'm already out of Ace entries. When I run the show acl acl-table command I see that the ACL I just created and the role I assigned it to have an Ace count of 1556 each. Just copying that ACL to another role and trying to save it to the controller gives me a "Can't add policy to ACL 'Student', needs 80 aces, have only 61 free aces."
Now I have created a lot of aliases for different servers for all my sites and a few service groups, but this can't possibly be making me run out of space this quickly, can it?
show acl acl-table tells me that the one role I just created an ACL for has a rule count of 1555 and an Ace count of 1556.
@cappalli wrote: Are you creating session (firewall) ACLs or standard/extended ACLs?
Hm. That doesn't seem right. Might be best to open a TAC case to get a quick answer. They can look at your controller.
Is it normal for that many entries to be taken up when using aliases and service groups? I mean I'm using aliases for almost all of my rules and some of the aliases have up to 10 host IPs in them. This one policy I've created has 29 rules and most of them read:
Source "alias" Destination "alias" "service-group" permit.
Please run the following and read the table at the bottom to check the number of ACE entries in use and how many are free:
show acl acl-table
As a general rule, the number of ACE entries is determined by the following:
(number of IP addresses in source alias) * (number of IP addresses in destination alias) * (number of ports in netservice)
For the entry that has 1556 ACE entries, can you share the output of show rights <name-of-role>? Then evaluate the number of entries in each alias for us?
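The general rule quoted in the reply above, applied to a whole policy and checked against the 61 free ACEs from the error message. This is an added example, not code from the thread or from Aruba; the alias names, service-group names and their contents are constructed, and each alias or service entry is assumed to count as one item in the product.

```python
from math import prod

# Constructed sample data: alias and service-group names and sizes are
# hypothetical, not taken from the poster's controller.
ALIASES = {
    "site-dns": ["10.1.0.10", "10.2.0.10", "10.3.0.10"],
    "site-file-servers": [f"10.{n}.0.20" for n in range(1, 11)],   # 10 hosts
    "student-vlans": [f"10.{n}.50.0/24" for n in range(1, 9)],     # 8 entries
}
SERVICES = {
    "svc-dns": ["udp/53", "tcp/53"],
    "svc-file": ["tcp/445", "tcp/139", "udp/137", "udp/138"],
}
# (source alias, destination alias, service group, action)
POLICY = [
    ("student-vlans", "site-dns", "svc-dns", "permit"),
    ("student-vlans", "site-file-servers", "svc-file", "permit"),
    ("site-file-servers", "site-dns", "svc-dns", "permit"),
]

def rule_aces(rule, aliases=ALIASES, services=SERVICES):
    """Estimate for one rule: |source alias| * |destination alias| * |service ports|."""
    src, dst, svc, _action = rule
    for name, table in ((src, aliases), (dst, aliases), (svc, services)):
        if name not in table:
            raise KeyError(f"undefined alias or service group: {name}")
    return prod((len(aliases[src]), len(aliases[dst]), len(services[svc])))

def policy_report(policy, free_aces):
    """Return (total, fits, rules ranked by estimated ACE cost, highest first)."""
    costed = sorted(((rule_aces(r), r) for r in policy), key=lambda c: c[0], reverse=True)
    total = sum(cost for cost, _ in costed)
    return total, total <= free_aces, costed

if __name__ == "__main__":
    total, fits, costed = policy_report(POLICY, free_aces=61)
    for cost, (src, dst, svc, action) in costed:
        print(f"{cost:5d}  {src} -> {dst} {svc} {action}")
    print(f"estimated total: {total}, fits in 61 free ACEs: {fits}")
```

The ranked output shows which rules dominate the estimate, which are the ones to narrow first when a policy has to fit a limited ACE budget.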