Meraki

Community

Maximum number of Policy object per ACL

Mrb0cci0
Conversationalist
‎Mar 10 2025 8:31 AM
‎Mar 10 2025 8:31 AM

Maximum number of Policy object per ACL

Hello! 
Using the Meraki API, we are trying to configure a L3 ACL that blocks a large number of IPs (>6k entries).

We have already capped the maximum number of object per group (150, iirc). 

 

When we push to production the code, I am really worried that such high number of object will severely impact the customer's MX64 performance (the number of entries is very high).

I tried to google and search in this community, but I could not find anything useful. 

Am I worrying too much? Is there a way to know how the devices will be impacted on performance?

Labels:
0 Kudos
8 Replies 8
alemabrahao
Kind of a big deal
‎Mar 10 2025 8:34 AM
‎Mar 10 2025 8:34 AM

The MX64 has limited resources compared to higher-end models. A large number of ACL entries can increase CPU and memory usage, potentially leading to slower performance or even device instability.

 

Review your ACL entries to see if there are ways to optimize them. For example, combining ranges of IPs or using subnet masks to reduce the number of entries.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Mrb0cci0
Conversationalist
‎Mar 10 2025 8:39 AM
‎Mar 10 2025 8:39 AM

Unfortunately, we can't modify such list: we receive the list as several /32 IPs from our SOC and we have to apply it as soon as possibile...

0 Kudos
In response to Mrb0cci0
alemabrahao
Kind of a big deal
‎Mar 11 2025 11:04 AM
‎Mar 11 2025 11:04 AM

Ok, but depending on the subnet you can combine these multiple /32s into a single /25 or /24 for example. Think about this possibility.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
RaphaelL
Kind of a big deal
Kind of a big deal
‎Mar 10 2025 8:43 AM
‎Mar 10 2025 8:43 AM

Yes that is a big concern , however I'm simply questioning your L3 rulebase. Don't you have a implicit deny at the bottom ? ( if those rules are outbound , as mentionned by michalc )

 

 

0 Kudos
In response to RaphaelL
Mrb0cci0
Conversationalist
‎Mar 10 2025 8:50 AM
‎Mar 10 2025 8:50 AM

Yes, the default deny is present...but, please, don't make me say out loud why we are asked to do so, it is so frustrating...😶

0 Kudos
michalc
Meraki Employee
Meraki Employee
‎Mar 10 2025 8:46 AM
‎Mar 10 2025 8:46 AM

Are these firewall rules for inbound or outbound traffic?

While there's technically no maximum limit to the number of Layer 3 firewall rules you can apply, please note that implementing thousands of /32 rules might lead to User Interface issues which in this situation we won't be able to assist with.

If you found this post helpful, please give it kudos. If it solved your problem, click "accept as solution" so that others can benefit from it.
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 11 2025 10:38 AM
‎Mar 11 2025 10:38 AM

>When we push to production the code, I am really worried that such high number of object will severely impact the customer's MX64 performance

 

If this is the requirement (to have 6000 ACEs) for your security policy then you might be forced to upgrade the MX to comply.

Mrb0cci0
Conversationalist
‎Mar 13 2025 7:13 AM
‎Mar 13 2025 7:13 AM

Hi, thanks to anyone who has responded. 
I will show these answers to my colleagues, so we can manage to find a better way to integrate our SOC's blocklist

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.