How many entries can I add to ACLs on SZ100?

andrey_paramono
New Contributor II
I have a project where customer says that he needs:
1. MAC authorization in WLAN;
2. ACL entries number should be more than 8k.

I can't find in the docs what the limit on the number of ACL entries is for any type of ACL (L2, L3/L4). So, how many MACs can I use for authorization? How many MACs can I add to an ACL at each level?

michael_brado
Esteemed Contributor II
There is a 128 MAC address limit on ZD Access Lists

https://support.ruckuswireless.com/answers/000001750

No, it is not possible to have more than 128 MAC-address. 

The MAC filter (ACL) list can have a maximum of 128 MAC addresses per list.  You can create up to 32 lists, but can only apply one list (ACL) per WLAN/SSID.  This is a filter list that blocks or allows clients to pass traffic through the WLAN interface on the AP filtering on each received packet.

Note: Ruckus also offers MAC authentication. This is a different mechanism that involves true authentication using the Zone Director. MAC authentication checks the MAC address of the clients against a RADIUS server, and allows connection to MACs that are listed. The MAC address (written without delimiters, spaces, or colons) needs to be set as the login and password in the user database of the RADIUS server. The only limit to the number of MAC addresses is the size of the RADIUS database (essentially unlimited). Once authenticated, the client traffic is allowed to pass.

https://support.ruckuswireless.com/answers/000002460

Layer 2 Access Control Lists (MAC ACLs) filter incoming traffic based on Layer 2 MAC header fields in the Ethernet/IEEE 802.3 frame.

Below are the steps to configure L2 ACL on ZD:

1) Navigate to ZD GUI>>Configure >>Access control.

2) Under L2/MAC Access control, create a new ACL and give it a name.

3) Choose between "Only allow all stations listed below" and "Only deny all stations listed below" based on your requirement, and then type in all MAC addresses.

Please note that there is a 128 MAC address limitation per ACL.

Mapping the ACL to WLAN :

ZD GUI --> Configure -->WLANs --> Edit the WLAN --> Advanced Options --> Access control --> Choose the L2/MAC ACL from the dropdown (created as per the above procedure).

Important Note: Make sure that the MAC addresses are correct and consistent in their notation. In other words, changing all of the MAC addresses to lower case alleviated the issue for a customer. He had some client MAC addresses in one case and some in all caps; changing all of them to lower case fixed the issue and let the whitelist work.
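The two notes above (the 128-entry-per-list limit with case-sensitive matching, and MAC authentication using the delimiter-free MAC as both RADIUS username and password) can be handled by a small preparation script. This is an added example, not code from the thread or from Ruckus; it assumes a FreeRADIUS-style `users` file line format for the MAC-auth output, and the sample MAC list is constructed.

```python
import re

ACL_MAX_ENTRIES = 128          # per-list limit stated in the thread
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits with no delimiters.

    Accepts 'AA:BB:CC:DD:EE:FF', 'aa-bb-cc-dd-ee-ff', 'aabb.ccdd.eeff' and
    'AABBCCDDEEFF'. Raises ValueError for anything that is not a MAC so a
    typo cannot silently leave a device out of (or into) the whitelist.
    """
    mac = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    if not _HEX12.match(mac):
        raise ValueError("not a MAC address: %r" % raw)
    return mac


def as_colon_form(mac12):
    """Render a 12-hex-digit MAC in the lower-case colon form used for L2 ACLs."""
    return ":".join(mac12[i:i + 2] for i in range(0, 12, 2))


def build_l2_acl_lists(raw_macs):
    """Deduplicate, normalize and chunk MACs into lists of at most 128.

    Returns a list of ACL lists. Only ONE list can be bound to a WLAN, so more
    than one chunk means the L2 ACL approach does not fit and MAC
    authentication against RADIUS is the right tool.
    """
    seen = list(dict.fromkeys(normalize_mac(r) for r in raw_macs))
    entries = [as_colon_form(m) for m in seen]
    return [entries[i:i + ACL_MAX_ENTRIES]
            for i in range(0, len(entries), ACL_MAX_ENTRIES)]


def radius_users_entries(raw_macs):
    """Emit one FreeRADIUS-style users-file line per MAC (assumed format):
    the delimiter-free MAC is both the user name and the password."""
    return ['%s\tCleartext-Password := "%s"' % (mac, mac)
            for mac in sorted({normalize_mac(r) for r in raw_macs})]


if __name__ == "__main__":
    # Constructed sample: mixed case and delimiters, as in the thread.
    sample = ["AA:BB:CC:DD:EE:01", "aa-bb-cc-dd-ee-02",
              "AABB.CCDD.EE03", "aa:bb:cc:dd:ee:01"]
    for n, acl in enumerate(build_l2_acl_lists(sample), 1):
        print("ACL list %d (%d entries): %s" % (n, len(acl), ", ".join(acl)))
    print("\n".join(radius_users_entries(sample)))
```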

Hello,

Given that there is a limitation on the number of MAC addresses per ACL and only one ACL can be applied to an SSID at a time, what does RUCKUS propose as a solution for an SSID that should allow only 350 specific devices and block all others?

If it's the same 350 devices (MAC addresses), I'd simply create 350 DPSKs for the SSID and bind them to the respective devices' MACs.

How does one do that? (v3.6.2)