Comware Based
1748204 Members
3945 Online
108759 Solutions
New Discussion

HPE 5130 HI maximum ACLs

 
Geppo
Occasional Contributor

HPE 5130 HI maximum ACLs

I'm interested in buying some HPE 5130 HI Layer 3 switches, but I didn't find any information about the maximum number of usable (advanced) ACLs.

Can anyone help me?

Thank you very much in advance..

 

7 REPLIES 7
parnassus
Honored Contributor

Re: HPE 5130 HI maximum ACLs

Here we go:

HPE_FlexNetwork_5130_EI_Switch_series_ACL_categories.png

found into HPE FlexNetwork 5130 EI Switch Series ACL and QoS Configuration Guide (for Release 3111P02 and newer) available here.


I'm not an HPE Employee
Kudos and Accepted Solution banner
Geppo
Occasional Contributor

Re: HPE 5130 HI maximum ACLs

Thank you very much for your help.
I already found and read that page, but the meaning I assign to it is substantially different.

The meaning of the column "ACL number" is just the range you can assign to each *category* of ACL's, but it does not mean you can assign 999 ACLs for each category.
This concept became clear if you look at the QuickSpecs of the model HPE 5510 HI:

Security

• Access control lists (ACLs)
provide IP Layer 2 to Layer 4 traffic filtering; support global ACL, VLAN ACL, port ACL, and IPv6 ACL; up to 6144 ingress
ACLs and 1024 egress ACLs are supported

Please note that you can find an exact copy of the table "ACL Categories" you found also for the HPE 5510 HI

 

 

 

parnassus
Honored Contributor

Re: HPE 5130 HI maximum ACLs

Yep, right. Understood...you're looking for the maximum number of ACL entries admitted by the system (in any combination), IMHO that number is Hardware resource related, more probably Memory related.

As you correctly wrote, ACL IDs ranges are only used to organize ACL types (from 3000 to 3999 means just 1000 possible ACL IDs) and those ranges don't define the maximum number of (any combination of) ACL really configurable on the system. That's right.

That "...up to 6144 ingress ACLs and 1024 egress ACLs are supported" is not specified on the HPE FlexNetwork 5130 EI Switch Series QuickSpecs sheet here.

Probably running the command display qos-acl resource against an HPE 5130 EI will tell us more than any manual...


I'm not an HPE Employee
Kudos and Accepted Solution banner
Apachez-
Trusted Contributor

Re: HPE 5130 HI maximum ACLs

Aka number of ACE's (Access Control Entries or something like that) and not number of ACL's (Access Control Lists).

Note however that even if a particular model support x number of ACE's (which is often setup per FPGA/ASIC so a 48 int switch can for example have twice as many as a 24 int switch) many of those are stolen by the device itself for various purposes (aka reserved).

They could also vary if you enable or disable IPv6, uRPF (Reverse Path Filtering) and such.

This is for example the output of a HP 5820-24XG-SFP+ (JC102A) that I run:

<R1>dis acl resource 
 Interface:
   XGE1/0/1 to XGE1/0/24, GE1/0/25 to GE1/0/28
---------------------------------------------------------------------
 Type          Total       Reserved    Configured  Remaining   Usage
---------------------------------------------------------------------
 VFP ACL       1024        256         0           768         25%
 IFP ACL       2048        1280        68          700         65%
 IFP Meter     1024        640         0           384         62%
 IFP Counter   1024        640         68          316         69%
 EFP ACL       512         0           0           512         0%
 EFP Meter     256         0           0           256         0%
 EFP Counter   256         0           0           256         0%

In my case I have all my ACL's with "hardware-count enable" which is why I would guess IFP Counter goes down too. Dunno however about why IFP ACL has stolen 1280 out of the maximum 2048 (leaving me we about 768 instead of 2048 possible ACE's).

 

 

parnassus
Honored Contributor

Re: HPE 5130 HI maximum ACLs

Do you have "long" ACL?

Also notice that Reserved IFP ACL quantity is (quite always) exactly double the Reserved IFP Counter.

On the HPE FlexNetwork 5130 EI Switch Series FAQs there is a interesting statement regarding the ACL resources:

Question:

How are the ACL resources of the switch distributed?

Answer:

The chip processor for ACLs has the following engines:

  • ContentAware lookup engine
  • Policy engine
  • Metering engine
  • Statistics engine

An engine is organized by using the memory-based ternary content addressable memory (TCAM) method. The engine can provide bit-level packet content filtering. The TCAM is organized by slice. You can use the display qos-acl resource command to display the QoS and ACL resource usage. For more information about the command, see HPE FlexNetwork 5130 EI Switch Series ACL and QoS Command Reference.

By default, the system uses the following QoS and ACL resources:

  • VFP ACL
  • IFP ACL
  • IFP Meter
  • IFP Counter

I definitely don't know what is that default.


I'm not an HPE Employee
Kudos and Accepted Solution banner
Apachez-
Trusted Contributor

Re: HPE 5130 HI maximum ACLs

Forgot to mention that in my case I use both IPv6 and uRPF which might be an explanation of the high reserved count.

Geppo
Occasional Contributor

Re: HPE 5130 HI maximum ACLs

Thank you very much for your help.
I'm sorry for my delayed reply..... I was out for holidays.
I was looking for detailed pre-sale information to understand if HPE 5130 HI is the correct replacement of the DLink DGS-3324SR we are using, still working but near to its end of life cicle.
Our network is segmented in 32 VLANs/class C Subnets (maximum theoretical) plus 3 VLANs reserved for "shared services".
The Layer 3 switch acts as a high speed router at the edge.
Each of the 32 VLANs can "talk" ONLY with Servers/Devices of the 3 "shared services" VLANs, but all traffic between them is blocked.
The 32 subnets are adiacent, so this is accomplished simply with just one rule applied on the four port trunk of the DGS-3324SR like this:
Source: 192.168.64.0  Wildcard Mask: 0.0.31.255 Destination: 192.168.64.0  Wildcard Mask: 0.0.31.255 Action: Deny
This blocks all inter-VLAN traffic.
Additional ACEs would be needed to make the gateway on each subnet pingable (preferable).
So I think we never will need more than 50 ACEs.
We have the choice to buy HPE 5130 HI or HPE 5510 HI, but cheaper is preferable (if sufficient).