Showing results for 
Search instead for 
Did you mean: 

3750 ACL design


The customer is using fourscout security software to authenticate and separate manufacturing and corporate environment.
The catalyst 3750 supports 3000-3500 acl entries.
Currently each host requires an acl entry which will out last ACL limit on 3750 switch. Basically 4000 host/ entries are required.
Since this is more of a design issue , the client is open for recommendations.

One Idea is to create Vlans for x amount of host and have them match ACL or AD authentication and not to worry about mapping each host with individual ACL

What would you recommend? The client will not changes catalyst 3750 switches .

How can we design so that we stay within 3750 ACL list and supports not only 4000 users but also thousands more.

Any help will be greatly appreciated.


Sent from Cisco Technical Support iPhone App

3 Replies 3

Vivek Ruhil
Cisco Employee
Cisco Employee

Hi Mustafa

It is never a good design to have 4000 ACE in a single ACL. So I guess there are really two options:

1. Modify the ACL to have lower entries use wild card masks to reduce the size of the ACL. I mean its not like that the customer has such a dis-contiguous network that you cannot club entries together. By the way, why such a peculiar requirement ?

2. Like you said, create multiple vlans.

But I would recommend option 1.


In what way does each host require an ACE? Can you post an example? Can you create ACEs that contain subnets instead of host entries?

You may need to look at a dedicated security appliance like an ASA 5510. It will scale much better and will be much easier to manage with the use of object groups. The exact model of ASA will depend on your needs. 3750s have specific hardware limitations. Check out SDM templates. Will not scale very well in this scenario.




A free, open source network device configuration management tool, customizable to your needs!

Sent from Cisco Technical Support iPhone App

========================== A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful

Qi Chen

I am agree with Vivek Ruhil. You would add a device just like ACS or ISE policy engine.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: