Meraki

RaphaelL · ‎May 12 2022

Hi ,

I have a hard time understanding this documentation : https://documentation.meraki.com/MS/Access_Control/Meraki_MS_Group_Policy_Access_Control_Lists

Let's say I have a simple network A with 5 switches.

I want to create Group Policy A,B,C with 40 L3 rules each. Can this be achieved ?

This is the part that confuses me :

The per-switch limit of 32 rules with layer-4 ports is shared between QoS and Group Policy ACL rules. However, while every QoS rule with a port range counts towards the limit, a Group Policy ACL rule with port range is counted only if a client device in that group is connected to the switch.

Bruce · ‎May 13 2022

I believe it’s one of those ‘depends’ answers.

If the rules in the policies are 40 rules with Layer 4 ports then I’d say no, as the minute any GP ACL is applied you’ve exceeded the switch capacity. If you have less Layer 4 rules, say 15 per GP, then so long as all the clients connected to the switch only use two GP ACLs then you should be fine.

The question really is, what’s the definition of a Layer 4 rule? Is it any rule, or just one that specifies a specific Layer 4 port. And that I think is the real question….

RaphaelL · ‎May 13 2022

Thanks for the reply, I guess it's time to test that in a lab !

GIdenJoe · ‎May 17 2022

Key is here to use as broad as possible rules and try to stay with IP only rules as much as possible. In the documentation it clearly says that only rules that include TCP or UDP ports count towards the switch total.
The amount of TCAM memory on MS switches must be way smaller than Catalyst switches causing limitations like this.

The biggest issue with this is that if you have 10 clients with each different ACL's that contain layer 4 info you'll probably out of space already.

Meraki

Community

MS Group Policy

MS Group Policy