588 Configuring Access Control Lists
on less than 32 bits will be expanded internally to match on 32 bits with a
variable mask. This allows other ACLs using the same offset to utilize the
same slice with potentially different masks and match values.
The user interface limits for ACLs are 1023 rules per access list and 100 access
lists. The switch automatically combines slices to operate in parallel over
greater field widths (e.g., IPv6 source address) or combines slices to supply
more match conditions (IPv4 destination address equal to multiple ranges of
addresses). In the case of a match condition specifying a 128-bit IPv6 address,
additional slices are assigned to operate in parallel on specific portions of the
address. This reduces the overall number of slices available to match on other
key fields. The switch attempts to assign slices to match conditions in an
optimal manner; however, combinations of match conditions can reduce the
maximum number of ACLs that can be configured to fewer than the
published limits. As an example, the smallest IPv6 QoS match will take 6
slices from the switch.
The N4000 switches support the following hardware limits:
• 2047 ingress rules and 1023 egress rules, for a total of 3072 rules.
• The hardware has 10 ingress slices and 4 egress slices, with 4 ingress slices
having a depth of 128 rules, and 6 ingress slices having a depth of 256 rules.
The egress slices have a depth of 256 rules.
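The effect of wide matches on the slice budget, as an added planning sketch that is not part of the original guide or any Dell tool. It assumes a simplified model (a match key occupies a fixed number of slices in parallel, each such bank holds as many rules as its shallowest slice, and banks are not shared between keys); the switch's actual allocation algorithm is not described here, and the group names and rule counts are constructed.

```python
"""Slice-budget planner: a simplified model, NOT the switch's real allocator."""
from dataclasses import dataclass

# N4000 ingress slice depths as stated above: 4 slices of 128 rules, 6 of 256.
N4000_INGRESS = [128] * 4 + [256] * 6


@dataclass
class MatchGroup:
    name: str   # label for the report (constructed)
    width: int  # slices this match key occupies in parallel
    rules: int  # rules that use this match key


def plan(slices, groups):
    """Assumed model: a group takes `width` slices at a time, each such bank
    holds as many rules as its shallowest slice, and banks are not shared
    between groups. Returns (placed, rejected, free_depths)."""
    free = sorted(slices, reverse=True)  # deepest slices first
    placed, rejected = {}, []
    for g in sorted(groups, key=lambda g: g.width, reverse=True):
        trial, capacity, used = list(free), 0, 0
        while capacity < g.rules and len(trial) >= g.width:
            bank, trial = trial[:g.width], trial[g.width:]
            capacity += min(bank)
            used += g.width
        if capacity >= g.rules:
            free, placed[g.name] = trial, used
        else:
            rejected.append(g.name)  # does not fit; free list left unchanged
    return placed, rejected, free


# Constructed plan: 600 rules in total, far below the 2047 ingress rules listed.
SAMPLE = [
    MatchGroup("ipv6-qos", width=6, rules=100),   # 6 slices, per the text above
    MatchGroup("ipv4-mgmt", width=1, rules=300),
    MatchGroup("ipv4-dmz", width=1, rules=200),
]

if __name__ == "__main__":
    placed, rejected, free = plan(N4000_INGRESS, SAMPLE)
    print("slices used per group:", placed)
    print("groups that did not fit:", rejected)
    print("free slice depths:", free)
```

Under this model the 6-slice IPv6 QoS match leaves only the four 128-deep ingress slices for everything else, so a 200-rule IPv4 list is rejected even though the total rule count is well under the published limit.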
The N3000 switches support the following hardware limits:
• 3072 ingress rules and 1024 egress rules, for a total of 4096 rules.
• The hardware has 14 ingress slices and 4 egress slices, with the 14 ingress
slices having a depth of 256 rules. The egress slices have a depth of 256
The N2000 switches support the following hardware limits:
• 1024 ingress rules and 512 egress rules, for a total of 1536 rules.
• The hardware has 14 ingress slices and 4 egress slices, with the 14 ingress
slices having a depth of 256 rules. The egress slices have a depth of 256
The software limits are shown in Table 20-1: