Maximum number of Policy object per ACL

Mrb0cci0
New here


Hello! 
Using the Meraki API, we are trying to configure a L3 ACL that blocks a large number of IPs (>6k entries).

We have already capped the maximum number of objects per group (150, iirc).


When we push the code to production, I am really worried that such a high number of objects will severely impact the customer's MX64 performance (the number of entries is very high).

I tried to google and search in this community, but I could not find anything useful. 

Am I worrying too much? Is there a way to know how the devices will be impacted on performance?

alemabrahao
Kind of a big deal

The MX64 has limited resources compared to higher-end models. A large number of ACL entries can increase CPU and memory usage, potentially leading to slower performance or even device instability.


Review your ACL entries to see if there are ways to optimize them. For example, combining ranges of IPs or using subnet masks to reduce the number of entries.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
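As an added illustration of the suggestion above (not code from Meraki or from either poster): the script below collapses a feed of /32 entries into the smallest exact set of CIDR blocks, checks that the result covers precisely the same addresses as the input (so nothing extra is blocked), and splits the result into groups that respect the 150-objects-per-group cap mentioned in the question. The sample feed, the 150 cap as a constant and the helper names are assumptions made for this example; it uses only the Python standard library and does not call the Meraki API.

```python
"""Summarize /32 blocklist entries into exact CIDR blocks and split them into
policy-object groups. Added illustration only: not Meraki code and not the
original poster's script."""
import ipaddress

# Cap on policy objects per group as stated in the thread (150, "iirc").
MAX_OBJECTS_PER_GROUP = 150


def summarize_hosts(hosts):
    """Collapse host entries into the smallest exact set of CIDR blocks.

    ipaddress.collapse_addresses only merges blocks that are adjacent and
    properly aligned, so the output covers exactly the same addresses as the
    input; it never widens the blocklist. Duplicates are dropped.
    """
    nets = [ipaddress.ip_network(h, strict=True) for h in hosts]
    return list(ipaddress.collapse_addresses(nets))


def covers_exactly(hosts, nets):
    """True if the networks cover every input host and no extra address."""
    unique = {ipaddress.ip_network(h, strict=True) for h in hosts}
    every_host_covered = all(any(h.subnet_of(n) for n in nets) for h in unique)
    total = sum(n.num_addresses for n in nets)
    wanted = sum(h.num_addresses for h in unique)
    return every_host_covered and total == wanted


def split_into_groups(nets, size=MAX_OBJECTS_PER_GROUP):
    """Chunk CIDR strings into groups no larger than the per-group cap."""
    items = [str(n) for n in nets]
    return [items[i:i + size] for i in range(0, len(items), size)]


# Constructed sample feed (documentation ranges only): a full /24 delivered as
# individual /32s, a pair of adjacent hosts, two stragglers and a duplicate.
SAMPLE_FEED = (
    [f"192.0.2.{i}/32" for i in range(256)]
    + ["198.51.100.10/32", "198.51.100.11/32", "198.51.100.13/32"]
    + ["203.0.113.7/32", "203.0.113.7/32"]
)


def compare(hosts=SAMPLE_FEED, size=MAX_OBJECTS_PER_GROUP):
    """Return (unique raw entries, summarized entries, raw groups, summarized groups)."""
    raw = sorted({ipaddress.ip_network(h, strict=True) for h in hosts})
    summarized = summarize_hosts(hosts)
    if not covers_exactly(hosts, summarized):
        raise ValueError("summarization changed the covered address set")
    return (
        len(raw),
        len(summarized),
        len(split_into_groups(raw, size)),
        len(split_into_groups(summarized, size)),
    )


if __name__ == "__main__":
    raw_n, sum_n, raw_g, sum_g = compare()
    print(f"raw: {raw_n} objects in {raw_g} groups; "
          f"summarized: {sum_n} objects in {sum_g} groups")
    for n in summarize_hosts(SAMPLE_FEED):
        print(" ", n)
```

For the constructed feed the 260 unique /32s (two groups at the cap) become four blocks in a single group. How much a real SOC feed shrinks depends entirely on how clustered its addresses are; the coverage check is there so the collapsed list can be trusted to be a faithful rewrite of what was received rather than a looser one.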
Mrb0cci0
New here

Unfortunately, we can't modify such a list: we receive the list as several /32 IPs from our SOC and we have to apply it as soon as possible...

RaphaelL
Kind of a big deal

Yes, that is a big concern, however I'm simply questioning your L3 rulebase. Don't you have an implicit deny at the bottom? (if those rules are outbound, as mentioned by michalc)

Mrb0cci0
New here

Yes, the default deny is present...but, please, don't make me say out loud why we are asked to do so, it is so frustrating...😶

michalc
Meraki Employee

Are these firewall rules for inbound or outbound traffic?

While there's technically no maximum limit to the number of Layer 3 firewall rules you can apply, please note that implementing thousands of /32 rules might lead to User Interface issues which in this situation we won't be able to assist with.
