
Forum Discussion

luizluca
Aspirant
May 11, 2018

Error while adding a new ACL rule

Hello,

While trying to attach an IPv6 ACL with 54 identical rules to a VLAN, I got this error:

(switchcore) (Config)#ipv6 traffic-filter acl-with-54-rules vlan 700 out 101

Unable to attach the specified access-control list to the specified VLAN.

If I add it with 53 rules and add the rule after it is already attached, I get:

(Config-ipv6-acl)#permit icmpv6 any host 2606:4700:4700::1111 icmp-message echo-request

Error! processing ACL.

And for both cases the logs only show this (useless) message:

DRIVER[emWeb]: broad_acl.c(2586) 474 %% ACL not applied to port CPU Interface:  0/5/1

I checked the specs and I should have:

ACL Limits:

Maximum Number of ACLs (any type): 100
Maximum Number Configurable Rules per List: 1023 ingress/511 egress
Maximum ACL Rules per Interface and Direction (IPv4/L2): 1023 ingress/511 egress
Maximum ACL Rules per Interface and Direction (IPv6): 1021 ingress/509 egress
Maximum ACL Rules (system-wide): 16384
Maximum ACL Logging Rules (system-wide): 128

Source: http://www.downloads.netgear.com/files/GDC/datasheet/en/M5300.pdf?cid=a page 35

If I'm reading it right, I could use up to 509 rules, not 53. It does not reach 509 even if I sum all rules from all existing ACLs!

People normally do use specs in order to buy a device. Are the specs wrong here?

I'm using the latest firmware version: 11.0.0.31

2 Replies

  • DaneA
    NETGEAR Employee Retired

    Hi luizluca,

    To isolate the problem, kindly post the ACL configuration.

    Regards,

    DaneA

    NETGEAR Community Team

    • luizluca
      Aspirant

      Hi DaneA,

      It seems that the switch cannot deal with more than 253 IPv6 VLAN out rules globally, at least with firmware 11.0.0.31.

      (switchcore) (Config)#no ipv6 access-list test123-out
      (switchcore) (Config)# ipv6 access-list test123-out
      (switchcore) (Config-ipv6-acl)#exit
      (switchcore) (Config)#ipv6 traffic-filter test123-out vlan 700 out
      (switchcore) (Config)#ipv6 access-list test123-out
      (switchcore) (Config-ipv6-acl)#permit ipv6 host 2001:efef:efef:efef:efef:efef:efef:1 any
      (switchcore) (Config-ipv6-acl)#permit ipv6 host 2001:efef:efef:efef:efef:efef:efef:2 any
      ...
      (switchcore) (Config-ipv6-acl)#permit ipv6 host 2001:efef:efef:efef:efef:efef:efef:253 any
      (switchcore) (Config-ipv6-acl)#permit ipv6 host 2001:efef:efef:efef:efef:efef:efef:254 any

      Error! processing ACL.

      After that point I cannot use any new IPv6 or IPv4 VLAN out rule (no problem with in rules).

      It is way below what the specs advertise.

      I opened a support case #30125899 about it.
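The thread boils down to a capacity check: how many IPv6 rules are attached per VLAN and direction, and how close the global VLAN egress total is to the 253-rule ceiling the second reply found (versus the 509 egress rules per interface the datasheet quotes). The following script is an added example, not code from NETGEAR or from the thread. It parses a pasted CLI session or config in the exact command forms shown above (`ipv6 access-list`, `permit`/`deny`, `exit`, `ipv6 traffic-filter NAME vlan N in|out [seq]`, and their `no` forms), treats an `Error!` or `Unable to attach` line as the switch rejecting the preceding command, and reports the totals against both limits. The session text is constructed for the example; IPv4 ACLs and interface (non-VLAN) attachments are not handled.

```python
import re
from collections import defaultdict

# Limits from the M5300 datasheet quoted in the thread (IPv6, per interface and direction)
DATASHEET_IPV6_PER_IFACE = {"in": 1021, "out": 509}
# Ceiling reported in the thread for IPv6 VLAN egress rules on firmware 11.0.0.31
OBSERVED_VLAN_OUT_CAP = 253

PROMPT = re.compile(r"^\([^)]*\)\s*\([^)]*\)#\s*")       # e.g. "(switchcore) (Config-ipv6-acl)#"
ACL_DEF = re.compile(r"^(no\s+)?ipv6 access-list (\S+)$")
RULE = re.compile(r"^(permit|deny)\s")
ATTACH = re.compile(r"^(no\s+)?ipv6 traffic-filter (\S+) vlan (\d+) (in|out)(?:\s+\d+)?$")
REJECTED = ("Error!", "Unable to attach")                # switch output that follows a refused command


def parse_session(text):
    """Return (rules_per_acl, attachments): rule counts keyed by ACL name and a
    set of (acl, vlan, direction). Accepts CLI lines with or without prompts and
    undoes the preceding command when the switch prints a rejection message."""
    rules = defaultdict(int)
    attachments = set()
    current = None          # ACL whose sub-mode we are in
    last = None             # ("rule", acl) or ("attach", entry), undone on rejection
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if line.startswith(REJECTED):
            if last and last[0] == "rule":
                rules[last[1]] -= 1
            elif last and last[0] == "attach":
                attachments.discard(last[1])
            last = None
            continue
        last = None
        if not line or line.startswith("..."):
            continue
        m = ACL_DEF.match(line)
        if m:
            name = m.group(2)
            if m.group(1):                               # "no ipv6 access-list NAME"
                rules.pop(name, None)
                attachments = {a for a in attachments if a[0] != name}
                current = None
            else:
                rules.setdefault(name, 0)
                current = name
            continue
        m = ATTACH.match(line)
        if m:
            entry = (m.group(2), int(m.group(3)), m.group(4))
            if m.group(1):
                attachments.discard(entry)
            else:
                attachments.add(entry)
                last = ("attach", entry)
            continue
        if line == "exit":
            current = None
        elif current and RULE.match(line):
            rules[current] += 1
            last = ("rule", current)
    return dict(rules), attachments


def egress_report(rules, attachments):
    """Per (vlan, direction) totals plus the global VLAN egress total, each
    flagged against the datasheet limit and the observed 253-rule ceiling."""
    per_iface = defaultdict(int)
    for acl, vlan, direction in attachments:
        per_iface[(vlan, direction)] += rules.get(acl, 0)
    total_out = sum(n for (_, d), n in per_iface.items() if d == "out")
    report = {"per_vlan": {}, "global_out": total_out,
              "over_observed_cap": total_out > OBSERVED_VLAN_OUT_CAP}
    for key, n in sorted(per_iface.items()):
        limit = DATASHEET_IPV6_PER_IFACE[key[1]]
        report["per_vlan"][key] = {"rules": n, "datasheet_limit": limit,
                                   "over_datasheet": n > limit}
    return report


# Constructed session in the same style as the thread: one rule and one attachment are rejected
SAMPLE_SESSION = """\
(switchcore) (Config)#no ipv6 access-list old-out
(switchcore) (Config)#ipv6 access-list test123-out
(switchcore) (Config-ipv6-acl)#exit
(switchcore) (Config)#ipv6 traffic-filter test123-out vlan 700 out
(switchcore) (Config)#ipv6 access-list test123-out
(switchcore) (Config-ipv6-acl)#permit ipv6 host 2001:db8::1 any
(switchcore) (Config-ipv6-acl)#permit ipv6 host 2001:db8::2 any
(switchcore) (Config-ipv6-acl)#permit icmpv6 any host 2001:db8::3 icmp-message echo-request
Error! processing ACL.
(switchcore) (Config-ipv6-acl)#exit
(switchcore) (Config)#ipv6 access-list mgmt-in
(switchcore) (Config-ipv6-acl)#deny ipv6 any any
(switchcore) (Config-ipv6-acl)#exit
(switchcore) (Config)#ipv6 traffic-filter mgmt-in vlan 700 in
(switchcore) (Config)#ipv6 traffic-filter test123-out vlan 800 out 101
(switchcore) (Config)#ipv6 traffic-filter test123-out vlan 900 out
Unable to attach the specified access-control list to the specified VLAN.
"""

if __name__ == "__main__":
    acl_rules, acl_attachments = parse_session(SAMPLE_SESSION)
    for key, info in egress_report(acl_rules, acl_attachments)["per_vlan"].items():
        print(key, info)
```

Because the global egress total is summed across every VLAN the ACL is attached to, the same ACL attached to several VLANs counts once per attachment, which is the quantity that hit the 253 ceiling in the reply above.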
