How many entries can I add to ACLs on SZ100?

andrey_paramono
New Contributor II
I have a project where the customer says that he needs:
1. MAC authorization in WLAN;
2. ACL entries number should be more than 8k.

I can't find in the docs what the limit of ACL entries is for any type of ACL (L2, L3/L4). So, how many MACs can I use for authorization? How many MACs can I add to an ACL at each level?

Cheers mate!

eizens_putnins
Valued Contributor II
Hello,
It seems in the first place a wrong design of the solution:
1. MAC authentication isn't secure and must be used as a last resort when no other types are supported by equipment (it is usually the case with old (>10 years) industrial equipment only).
2. An 8k ACL requirement isn't reasonable, as such an ACL set is not actually maintainable.
So I would recommend looking at the solution design:
1. Check if there really is a need for MAC authentication and, if possible, replace it with something really secure. If it is an industrial installation with outdated devices and not much need for security, you can live with MAC authentication using a RADIUS server, but if possible - avoid it.
2. If you need to granularly restrict and allow access - use a real L7 firewall for it. Any modern UTM device will do. They are cheap today too -- for 1kEur you will get a 200-500MB/s UTM device with 3 year subscriptions (you can look at Watchguard, Sophos, Fortigate, there are plenty of them now). This will allow you to limit the number of rules to some 20-50, which is realistically supportable, and would in fact provide much better protection, as you can use application-based or content-based rules. For example, no ACL combination can reliably disable gaming, porn or any other illegal content access on the network -- if it works today, it will not work tomorrow anyway, as you would need to update it all the time. ACL also doesn't work to disable applications which are designed to avoid limiting (P2P, Skype, TOR, and so on). Just put a standard UTM device between the network and Wi-Fi and you get much better results.
This ACL requirement may be historical -- some Wi-Fi vendors have an embedded firewall inside the WLAN controller, which does ACLs; of course, this old-fashioned firewall can't be compared with modern UTM devices, but when you have used it for a long time -- you start to think in this technology's terms.
With UTM + Ruckus Wi-Fi you would have a much better and more secure solution than any embedded ACLs could ever provide, as UTM is the main business for firewall vendors, but not for Wi-Fi vendors, and without any doubt Ruckus now has the best Wi-Fi technology available on the market, so the combination is a good one...
Hope it helps..

yasir_gulzar_73
New Contributor II
Dear Michael Brado, thanks for the information on the ZD series controller. Can you provide any document for the SZ100 controller also? My client has a similar requirement as posted above.

ahmed_nabil_9hx
New Contributor
How to deny more than 128 MAC addresses?
I created a new ACL but it does not block them.
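As an added illustration (not from this thread and not Ruckus code): before pushing a large deny list into L2 ACLs, normalise and de-duplicate it and count how many ACLs you would need at the per-ACL size your controller allows. The 128-entry figure is taken from the post above and used only as a default; the function names and the sample list are my own.

```python
import re
from typing import Iterable

# Per-ACL entry limit assumed from the thread (the poster hits a wall at 128
# MAC entries in one L2 ACL); replace with the figure from your controller docs.
L2_ACL_MAX_ENTRIES = 128

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Return a MAC as lowercase 'aa:bb:cc:dd:ee:ff'.

    Accepts colon, dash, Cisco dotted (aabb.ccdd.eeff) or bare hex input and
    raises ValueError for anything else, so typos never reach the ACL."""
    hexdigits = re.sub(r"[:\-.]", "", raw.strip().lower())
    if not _HEX12.match(hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def build_mac_acls(raw_macs: Iterable[str], max_entries: int = L2_ACL_MAX_ENTRIES):
    """Validate and de-duplicate a MAC list, then split it into ACL-sized chunks.

    Returns (acls, rejected): acls is a list of lists, each no longer than
    max_entries; rejected holds the inputs that did not parse."""
    seen, clean, rejected = set(), [], []
    for raw in raw_macs:
        try:
            mac = normalize_mac(raw)
        except ValueError:
            rejected.append(raw)
            continue
        if mac in seen:  # the same MAC written two ways would eat two slots
            continue
        seen.add(mac)
        clean.append(mac)
    acls = [clean[i:i + max_entries] for i in range(0, len(clean), max_entries)]
    return acls, rejected


# Constructed sample: mixed formats, one duplicate, one malformed entry.
SAMPLE = ["00:11:22:33:44:55", "00-11-22-33-44-55", "0011.2233.4466", "zz:.."]

if __name__ == "__main__":
    acls, rejected = build_mac_acls(SAMPLE, max_entries=2)
    print(f"{len(acls)} ACL(s), {sum(map(len, acls))} unique MACs, rejected={rejected}")
```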

dhanang_harja
New Contributor
I have similar case here. Do you have an answer yet?