Comment 0 for bug 1701093

Piyush Srivastava (piyush0101) wrote :

Build: 2.21.3-71

It looks like we are hitting some contrail limits on the number of ACL rules that can be applied on a particular network. The network in this case has two policies applied to it. These two policies combined together result in 169 ACL rules, which seems to be past the limit that we have identified. We could create 134 rules without any issues, but Contrail didn't accept more rules than that. The problem is that when the rule limit hits, Contrail is not able to process these ACLs and push them down to the vrouters, which means that these rules don't take effect and that's why we see connectivity issues.

Steps to reproduce:
- Create a contrail virtual network
- Create a policy with 135 rules
- Add this policy to the virtual network
- Boot a VM on this network
- Look at the ACLs installed on the vrouter
- ACLs in the policy not pushed to the vrouter, it has two default ACLs

Repeat this with a lower number, e.g. 120 rules in a policy, and you will see the ACLs being installed on the vrouter.
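Added example, not part of the report and not Contrail's own code: a pre-flight count of the rules that the policies attached to a network would combine into, plus a post-deploy check that the rules actually reached the vrouter, so the silent failure described above is caught instead of surfacing as connectivity problems. The policy/rule dict shapes, the rule ids, and the use of the report's observed 134 figure as a default threshold are constructed assumptions.

```python
"""Pre-flight and post-deploy checks for the policy/ACL rule limit
described in this report.  Example code, not Contrail's own.  The
policy/rule dicts are constructed stand-ins for API objects, and the
installed-rule list stands in for what a vrouter ACL dump would show."""

# The report found 134 combined rules worked and 135 or more were silently
# not pushed; treat that observation as the default threshold.
OBSERVED_RULE_LIMIT = 134


def make_policy(name, rule_count):
    """Constructed policy: `name` with `rule_count` rules, ids name-0..name-N."""
    return {"name": name,
            "rules": [{"id": f"{name}-{i}", "action": "pass"}
                      for i in range(rule_count)]}


def combined_rule_count(policies):
    """Every rule of every policy attached to a network ends up in one ACL,
    so the number that matters is the total across the attached policies."""
    return sum(len(p["rules"]) for p in policies)


def preflight_check(policies, limit=OBSERVED_RULE_LIMIT):
    """Run before attaching policies to a network.
    Returns (ok, total); ok is False when the combined count exceeds limit."""
    total = combined_rule_count(policies)
    return total <= limit, total


def verify_installed(policies, installed_rule_ids):
    """Run after the VM boots: compare the rules the policies should have
    produced with the rule ids actually present in the vrouter's ACLs.
    Returns a dict; 'not_pushed' is True when none of the policy rules
    landed, i.e. the vrouter carries only its default ACLs."""
    expected = {r["id"] for p in policies for r in p["rules"]}
    installed = set(installed_rule_ids)
    missing = expected - installed
    return {"expected": len(expected), "missing": len(missing),
            "not_pushed": bool(expected) and missing == expected,
            "ok": not missing}


if __name__ == "__main__":
    # The report's scenario: two policies whose rules total 169.
    policies = [make_policy("policy-a", 100), make_policy("policy-b", 69)]
    ok, total = preflight_check(policies)
    print(f"combined rules={total} within limit={ok}")  # 169, False
    # Constructed vrouter state: nothing from either policy was installed.
    print(verify_installed(policies, installed_rule_ids=[]))
```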