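The maximum number of Policy ACLs in a Flex Profile on the Catalyst 9800 appears to be 32 (as of v17.14.1).
Since I could not find this information in the documentation, I verified it on actual C9800-CL instances running v17.14.1 (vSphere edition) and v17.7.1 (Azure edition).
The screen captures and logs in this article are based on v17.14.1 (vSphere edition).
Error when the maximum is reached
The error message states that the maximum number of ACLs (Policy ACLs) is 32.
Error in the CLI
Attempting to exceed the limit in the CLI produces the following error.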
% node-1:dbm:wireless:The maximum number of ACLs:32 have been added to the flex-profile.
For reference, below is the full work log from when I pushed the configuration during testing.
wlc01(config)#ip access-list extended TEST_01
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_02
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_03
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_04
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_05
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_06
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_07
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_08
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_09
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_10
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_11
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_12
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_13
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_14
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_15
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_16
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_17
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_18
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_19
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_20
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_21
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_22
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_23
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_24
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_25
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_26
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_27
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_28
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_29
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_30
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_31
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_32
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#ip access-list extended TEST_33
wlc01(config-ext-nacl)# 1 permit ahp any any
wlc01(config-ext-nacl)#
wlc01(config-ext-nacl)#exit
wlc01(config)#
wlc01(config)#wireless profile flex FlexProf_Test
wlc01(config-wireless-flex-profile)# acl-policy TEST_01
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_02
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_03
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_04
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_05
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_06
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_07
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_08
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_09
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_10
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_11
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_12
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_13
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_14
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_15
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_16
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_17
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_18
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_19
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_20
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_21
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_22
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_23
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_24
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_25
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_26
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_27
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_28
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_29
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_30
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_31
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_32
wlc01(config-wireless-flex-profile-acl)# acl-policy TEST_33
% node-1:dbm:wireless:The maximum number of ACLs:32 have been added to the flex-profile.
wlc01(config-wireless-flex-profile)#
Error in the Web UI
Attempting to exceed the limit in the Web UI displays the following error.
Error in Configuring Flex Profile The maximum number of ACLs:32 have been added to the flex-profile.
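An added example (not from the original article or from Cisco): a pre-change check that counts acl-policy entries per Flex Profile in a saved running-config and predicts which new mappings would hit the 32-ACL error shown above. The sample config, the function names, the assumed running-config layout and the assumption that an already mapped ACL does not use another slot are constructed for illustration.

```python
import re

# Per-Flex-Profile Policy ACL limit reported by the error message above
# (observed on C9800-CL v17.14.1 and v17.7.1; not a documented constant).
FLEX_PROFILE_ACL_LIMIT = 32

# Constructed sample, assuming the usual IOS-XE running-config layout:
# a top-level "wireless profile flex <name>" line followed by indented children.
SAMPLE_CONFIG = "wireless profile flex FlexProf_Test\n" + "".join(
    f" acl-policy TEST_{i:02d}\n" for i in range(1, 31)
) + "!\nwireless profile flex FlexProf_Small\n acl-policy GUEST\n  central-webauth\n!\n"


def flex_acl_usage(config_text):
    """Return {flex profile name: [ACL names mapped with acl-policy]}."""
    usage, current = {}, None
    for line in config_text.splitlines():
        head = re.match(r"^wireless profile flex (\S+)\s*$", line)
        if head:
            current = usage.setdefault(head.group(1), [])
        elif not line.startswith(" "):
            current = None  # any other top-level line closes the profile block
        elif current is not None:
            acl = re.match(r"^\s+acl-policy (\S+)\s*$", line)
            if acl and acl.group(1) not in current:
                current.append(acl.group(1))
    return usage


def plan_additions(existing, wanted, limit=FLEX_PROFILE_ACL_LIMIT):
    """Split `wanted` ACL names into (accepted, rejected) given the limit."""
    accepted, rejected = [], []
    for name in wanted:
        if name in existing or name in accepted:
            continue  # already mapped: assumed not to consume another slot
        room = limit - len(existing) - len(accepted)
        (accepted if room > 0 else rejected).append(name)
    return accepted, rejected


if __name__ == "__main__":
    usage = flex_acl_usage(SAMPLE_CONFIG)
    for profile, acls in usage.items():
        print(f"{profile}: {len(acls)}/{FLEX_PROFILE_ACL_LIMIT} Policy ACLs")
    ok, bad = plan_additions(usage["FlexProf_Test"], ["TEST_30", "TEST_31", "TEST_32", "TEST_33"])
    print("would be accepted:", ok, "| would hit the limit:", bad)
```

Running this against a config export before a change shows which Flex Profiles have no room left, so a new ACL mapping is not silently missing after the controller rejects it.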
Restrictions in the AireOS era
Although it does not cover the Catalyst 9800 (IOS-XE based), the AireOS-era documentation did contain information on ACL restrictions for FlexConnect.
FlexConnect Wireless Branch Controller Deployment Guide - Cisco
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-8/FlexConnect_DG.html
- A maximum of 32 ACLs can be mapped per FlexConnect group or per FlexConnect AP.
- At any given point in time, there is a maximum of 16 VLANs and 32 ACLs on the FlexConnect AP.