IP-Port Group cannot be applied in Switch ACL because its port count exceeds the ACL limit
I'm trying to figure out how come I can't seem to add a switch ACL rule.
I have 4 active ACL rules and when I try to turn on the 1st rule, I get the message - IP-Port Group cannot be applied in Switch ACL because its port count exceeds the ACL limit.
All firmware is up-to-date for every component.
The client setup is as follows:
Router - ER8411 v1.0
Controller - OC300 1.0 (with Controller Version 5.14.26.23)
Switch - TL-SG3210XHP-M2 v1.0
APs - EAP 683UR x 4 units
I have a similar ACL configuration at another site using OC200, ER605 and TL-SG2210MP and all 5 rules work and can be enabled on the switch.
I'd appreciate it if anyone with a similar setup can assist me.
Much thanks
Does anyone have anything on this? I'm sure I cannot be the only one facing this...
Thanks for posting in our business forum.
Run the CLI.
Related commands can be, for extra details, please see the CLI User Guide.
Hi @Clive_A
Thank you for the reply and for the CLI suggestion.
However, may I know what I am looking for in the first place?
Your suggestion doesn't explain why 5 ACLs work in one setting and not in another when the hardware specification is even higher.
The screenshot below shows the same 5 ACL rules on the following setup:
ER605 v2.0
OC200 v2.0 (controller version 5.14.26.23)
TL-SG2210MP v3.0
Thanks for posting in our business forum.
WiFi_Done_Right wrote
Hi @Clive_A
Thank you for the reply and for the CLI suggestion.
However, may I know what I am looking for in the first place?
Your suggestion doesn't explain why 5 ACLs work in one setting and not in another when the hardware specification is even higher.
The screenshot below shows the same 5 ACL rules on the following setup:
ER605 v2.0
OC200 v2.0 (controller version 5.14.26.23)
TL-SG2210MP v3.0
Is that a completely identical ACL for the identical subnet and CIDR? Note that an identical rule does not mean it is the same code behind the scenes.
I mean, I created a rule exactly the same as site A (subnet 192.168.0.1/24). I am on site B, where I have a subnet of 192.168.0.1/16. This cannot be the same thing.
It is the same rule at the GUI level, but not the same thing behind the scenes.
Try this command: sh sdm prefer used
Hi @Clive_A
Yes, I am using identical subnets and CIDR, just a different site with higher grade hardware.
The subnets are as follows:
1) 192.168.0.1/24 (Admin LAN)
2) 192.168.10.1/24 (guest),
3) 192.168.20.1/24 (team 1)
4) 192.168.30.1/24 (team 2)
5) 192.168.40.1/24 (team 3)
Unfortunately, I cannot access the client site to link up with the switch and perform CLI at the moment.
Are there any steps I can try remotely via the Omada controller?
I attempted to reset the switch yesterday and re-did the ACLs all over again, but I still face the same issue.
Hi @Clive_A Any feedback on this? Would like to know if this is a software or hardware limitation.
@WiFi_Done_Right Did you get anywhere on this? I'm facing the same issue.
@buswedg Sorry, but I've not had any luck, I'm afraid,
and the good ol' folks at TP Link have also gone quiet.
Same issue and no solution.
There is a limit to how many behind-the-scenes rules can be made.
For example, if you make a rule
[range 1, range 2, range 3, range 4] BLOCK > [another range 1, another range 2, another range 3; ports 22, 80, 443]
it actually has to create a "behind the scenes" rule for every single element of this, which is 4x source to 9x destination = 36 rules.
The best way of combating this is by trying to supernet as many IP ranges into one larger one as possible.
E.g.
if you are blocking a 10.0.0.0 VLAN to all your 192.168.0.0 networks, don't list the destinations individually; use 192.168.0.0/16 to cover them all in one rule.
It's also worth noting that in IP-Port groups, it doesn't count a port range as one rule; it still has to cover each port in the range.
So, setting destination ports 80-443 in one single box, it will try to create MANY rules for all the ports in between. However, if you have 80 and 443 in the boxes separately, it's just one rule for each port.
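The expansion described in the post above, worked through as an added example (not code from the thread or from TP-Link): it estimates how many behind-the-scenes entries an IP-Port group rule turns into, using the counting rule the poster gives (sources x destinations x individual ports, with a port range counted port by port), and computes a single covering supernet for the original poster's five /24 subnets. The exact per-platform limit is not on the page and is left as a parameter; the covering-supernet helper also reports how many addresses outside the listed subnets the wider rule would match, since a collapsed block rule matches more than the individual subnets did.

```python
import ipaddress

def port_count(ports):
    """Count individual ports: '80-443' counts every port in the range,
    '80' and '443' as separate entries count one each (per the post)."""
    total = 0
    for p in ports:
        if "-" in p:
            lo, hi = (int(x) for x in p.split("-"))
            total += hi - lo + 1
        else:
            total += 1
    return max(total, 1)  # a rule with no port restriction still costs one entry

def expanded_rule_count(sources, destinations, ports):
    """Estimated hardware entries for one IP-Port group rule,
    following the thread: each source x each destination x each port."""
    return len(sources) * len(destinations) * port_count(ports)

def fits_limit(sources, destinations, ports, limit):
    """True if the expanded rule stays within an assumed ACL entry limit."""
    return expanded_rule_count(sources, destinations, ports) <= limit

def covering_supernet(cidrs):
    """Smallest single prefix that covers every listed subnet.
    Accepts host-style notation such as 192.168.10.1/24 (strict=False)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()  # widen by one bit until everything fits
    return str(cover)

def over_match(cidrs):
    """Addresses the covering supernet matches that the original subnets did
    not. A non-zero value means the collapsed rule is broader than the list."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    cover = ipaddress.ip_network(covering_supernet(cidrs))
    return cover.num_addresses - sum(n.num_addresses for n in nets)

if __name__ == "__main__":
    # Constructed inputs: the thread's five subnets and the post's 4x3x3 case.
    site_subnets = ["192.168.0.1/24", "192.168.10.1/24", "192.168.20.1/24",
                    "192.168.30.1/24", "192.168.40.1/24"]
    print(expanded_rule_count(["s1", "s2", "s3", "s4"],
                              ["d1", "d2", "d3"], ["22", "80", "443"]))
    print(port_count(["80-443"]), port_count(["80", "443"]))
    print(covering_supernet(site_subnets), over_match(site_subnets))
```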