MS Group Policy

RaphaelL
Kind of a big deal

Hi,

I have a hard time understanding this documentation: https://documentation.meraki.com/MS/Access_Control/Meraki_MS_Group_Policy_Access_Control_Lists

Let's say I have a simple network A with 5 switches.

I want to create Group Policies A, B and C with 40 L3 rules each. Can this be achieved?

This is the part that confuses me:

  1. The per-switch limit of 32 rules with layer-4 ports is shared between QoS and Group Policy ACL rules. However, while every QoS rule with a port range counts towards the limit, a Group Policy ACL rule with port range is counted only if a client device in that group is connected to the switch.
Bruce
Kind of a big deal

I believe it’s one of those ‘depends’ answers.

If the rules in the policies are 40 rules with Layer 4 ports then I’d say no, as the minute any GP ACL is applied you’ve exceeded the switch capacity. If you have fewer Layer 4 rules, say 15 per GP, then so long as all the clients connected to the switch only use two GP ACLs you should be fine.

The question really is, what’s the definition of a Layer 4 rule? Is it any rule, or just one that specifies a specific Layer 4 port? And that, I think, is the real question.
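Bruce's two scenarios, written as a small capacity check so the counting rule from the quoted documentation can be tried out with different policy sizes. This is an added example, not code from the thread or from Meraki; it assumes QoS rules apply to every switch in the network, treats a rule as "L4" when it names a source or destination port, and uses constructed policy and client data.

```python
# Model of the MS per-switch limit for rules that carry layer-4 ports, as the
# quoted documentation states it: 32 L4 rules per switch, shared between QoS and
# Group Policy ACLs; every QoS port-range rule counts; a Group Policy port-range
# rule counts only when a client in that group is connected to the switch.
# Assumptions (not from the thread): QoS rules apply to every switch, and a rule
# is "L4" when it names a port. All names, counts and placements are constructed.

L4_RULE_LIMIT = 32  # per switch, from the quoted documentation


def count_l4_rules(acl):
    """Count the rules in an ACL that specify a TCP/UDP port or port range."""
    return sum(1 for r in acl if r.get("src_port") or r.get("dst_port"))


def l4_usage_per_switch(qos_rules, group_policies, policies_on_switch):
    """Return {switch: L4 rules consumed}.

    qos_rules          -- list of QoS rules, counted on every switch
    group_policies     -- {policy_name: [acl rules]}
    policies_on_switch -- {switch_name: set of policies with a connected client}
    """
    qos_l4 = count_l4_rules(qos_rules)
    return {
        switch: qos_l4 + sum(count_l4_rules(group_policies[p]) for p in present)
        for switch, present in policies_on_switch.items()
    }


def over_limit(usage, limit=L4_RULE_LIMIT):
    """Return, sorted, the switches whose L4 rule count exceeds the limit."""
    return sorted(s for s, n in usage.items() if n > limit)


def make_acl(n_l4, n_ip_only=0):
    """Build a constructed ACL: n_l4 rules with a TCP port, n_ip_only without."""
    l4 = [{"proto": "tcp", "dst_port": str(1000 + i)} for i in range(n_l4)]
    ip_only = [{"proto": "any", "dst": "10.0.0.0/8"} for _ in range(n_ip_only)]
    return l4 + ip_only


if __name__ == "__main__":
    # Scenario 1: three policies with 40 L4 rules each; one client in A on sw1.
    gps40 = {p: make_acl(40) for p in "ABC"}
    print(over_limit(l4_usage_per_switch([], gps40, {"sw1": {"A"}})))  # ['sw1']
    # Scenario 2: 15 L4 rules per policy; two policies on sw1, all three on sw2.
    gps15 = {p: make_acl(15) for p in "ABC"}
    usage = l4_usage_per_switch([], gps15, {"sw1": {"A", "B"}, "sw2": {"A", "B", "C"}})
    print(usage, over_limit(usage))  # {'sw1': 30, 'sw2': 45} ['sw2']
```

Swapping `make_acl(15)` for `make_acl(0, 15)` shows the point made later in the thread: IP-only rules consume none of this per-switch budget.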

RaphaelL
Kind of a big deal

Thanks for the reply, I guess it's time to test that in a lab!

GIdenJoe
Kind of a big deal

The key here is to use rules that are as broad as possible and to stay with IP-only rules as much as possible. In the documentation it clearly says that only rules that include TCP or UDP ports count towards the switch total.
The amount of TCAM memory on MS switches must be way smaller than on Catalyst switches, causing limitations like this.

The biggest issue with this is that if you have 10 clients, each with different ACLs that contain layer 4 info, you'll probably be out of space already.
