- Read Me First
- IP Access List Overview
- Creating an IP Access List and Applying It to an Interface
- Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports
- Configuring an FQDN ACL
- Refining an IP Access List
- IP Named Access Control Lists
- Commented IP Access List Entries
- Standard IP Access List Logging
- IP Access List Entry Sequence Numbering
- Configuring Lock-and-Key Security (Dynamic Access Lists)
- ACL IP Options Selective Drop
- Displaying and Clearing IP Access List Data Using ACL Manageability
- ACL Syslog Correlation
- IPv6 Access Control Lists
- IPv6 ACL Undetermined-Transport Support
- Configuring Template ACLs
- IPv6 Template ACL
- IPv4 ACL Chaining Support
- IPv6 ACL Chaining with a Common ACL
- IPv6 ACL Extensions for Hop by Hop Filtering
- Security (ACL) Enhancements
Security (ACL) Enhancements
The Security (ACL) enhancements features provides you the option to restrict the number of ACLs or aces or both that can be configured on a box. Restricting the number of ACLs or aces on a box enables you to prevent depletion or over usage of tcam space which can adversely affect the performance of a box.
- Restrictions
- Configuring Security (ACL) Enhancements
- Feature Information for Security (ACL) Enhancements
Restrictions
-
The acl-ace-limit set is per ACL and is applicable to all the ACLs on the box.
-
The acl-limit and acl-ace-limit are mutually exclusive to global-ace-limit. You cannot configure global-ace-limit when acl-limit and acl-ace-limt are configured and vice-versa.
The limit that will be set cannot be less than the existing number of ACLs/aces in the box.
-
The ACL-limit or acl-ace-limit or global-ace-limit set will be applicable to the ACLs/aces created internally while device booting up.
-
The ACL with object group ace (ogace) expansion is not supported in this release, based on the customer requirements this can be investigated further. Each ogace is counted as one ace.
-
The ACL-limit or acl-ace-limit or global-ace-limit set is applicable to all static and dynamically created ACLs except for template ACLs.
-
The configurable ACL-limit or acl-ace-limit or global-ace-limit doesn’t guarantee that the tcam space will never be overused or depleted. You must know the exact limit configurable that can be supported on the box from prior testing in the lab.
-
The assumption is that all the ACLs configured on the box will be applied to the interface, which affects the tcam space.
-
When the box reaches max ACL-limit or acl-ace-limit or global-ace-limit configurable, and if any client tries to create a dynamic ACL/aces then the request is rejected with the syslog error message. It is up to you to handle the failure accordingly.
Configuring Security (ACL) Enhancements
enable configure terminal access-list acl-limit 10 access-list acl-ace-limit 12 access-list global-ace-limit 14 end
Note | The acl-limit and acl-ace-limit are mutually exclusive to global-ace-limit. |
Important Notes
Verifying Security (ACL) Enhancements Configuration
Device# show access-list acl-limit Max ACLs configurable: 50 Number of ACLs configured: 10 Max aces/ACL configurable: 10 Max aces configurable: 100 Number of aces configured: 67
Feature Information for Security (ACL) Enhancements
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
Security (ACL) Enhancements |
Cisco IOS XE Everest 16.4.1 |
The Security (ACL) enhancements features provides you the option to restrict the number of ACLs or aces or both that can be configured on a box. Restricting the number of ACLs or aces on a box enables you to prevent depletion or over usage of tcam space which can adversely affect the performance of a box. The following commands were introduced or modified: acl-ace-limit,acl-limit,global-ace-limit. |