Hi. The customer is using ForeScout security software to authenticate and separate the manufacturing and corporate environments. The Catalyst 3750 supports 3000-3500 ACL entries. Currently each host requires an ACL entry, which will exceed the ACL limit on the 3750 switch. Basically 4,000 host entries are required. Since this is more of a design issue, the client is open to recommendations.
One idea is to create VLANs for x number of hosts and have them match an ACL or AD authentication, rather than worrying about mapping each host to an individual ACL.
What would you recommend? The client will not change the Catalyst 3750 switches.
How can we design this so that we stay within the 3750 ACL limit and support not only 4,000 users but also thousands more?
It is never a good design to have 4,000 ACEs in a single ACL. So I guess there are really two options:
1. Modify the ACL to have fewer entries: use wildcard masks to reduce the size of the ACL. I mean, it's not as if the customer has such a discontiguous network that you cannot club entries together. By the way, why such a peculiar requirement?
In what way does each host require an ACE? Can you post an example? Can you create ACEs that contain subnets instead of host entries?
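As an added worked example (not from either of the two replies above, and not part of the original thread): the aggregation that both replies describe, collapsing per-host ACEs into subnet ACEs with wildcard masks, can be done mechanically and checked before the ACL is pushed. The script below assumes the host list comes out of ForeScout as plain IPv4 addresses; the addresses themselves are constructed for illustration and are not real customer data.

```python
import ipaddress


def collapse_hosts(hosts):
    """Aggregate individual IPv4 host addresses into the smallest exact set of prefixes.

    Only exact aggregation is performed: a prefix is emitted only when every address
    inside it is in the input, so the result never permits a host that was not listed.
    Duplicate hosts in the input are dropped."""
    nets = [ipaddress.ip_network(h) for h in hosts]      # each host becomes a /32
    return list(ipaddress.collapse_addresses(nets))       # sorted, merged prefixes


def to_ios_aces(nets, action="permit", proto="ip"):
    """Render prefixes as Cisco IOS extended-ACL entries using wildcard masks."""
    aces = []
    for net in nets:
        if net.prefixlen == 32:
            aces.append(f"{action} {proto} host {net.network_address} any")
        else:
            # The IOS wildcard mask is the inverse of the subnet mask, i.e. the hostmask
            aces.append(f"{action} {proto} {net.network_address} {net.hostmask} any")
    return aces


def covers_exactly(hosts, nets):
    """Sanity check to run before pushing the ACL: the aggregated prefixes must cover
    precisely the original hosts, no more (over-permit) and no fewer (outage)."""
    wanted = {ipaddress.ip_address(h) for h in hosts}
    got = {addr for net in nets for addr in net}
    return wanted == got


def build_sample_hosts():
    """Constructed sample data (hypothetical addresses): two fully populated
    manufacturing /23s, one /24, and three stragglers in a third range."""
    hosts = []
    for cidr in ("10.10.0.0/23", "10.10.2.0/23", "10.20.8.0/24"):
        hosts.extend(str(a) for a in ipaddress.ip_network(cidr))
    hosts += ["10.30.1.7", "10.30.1.8", "10.30.1.9"]
    return hosts


if __name__ == "__main__":
    hosts = build_sample_hosts()
    nets = collapse_hosts(hosts)
    assert covers_exactly(hosts, nets)
    print(f"{len(hosts)} host ACEs collapse to {len(nets)} ACEs:")
    for ace in to_ios_aces(nets):
        print(" ", ace)
```

The sample collapses 1,283 host entries to 4 ACEs, but only because the constructed addresses are contiguous: a population scattered one host per /24 collapses to nothing. That is the practical argument for the VLAN-per-group design the question proposes, since it makes the addressing contiguous by construction. Whatever the count comes out to, verify it against the TCAM budget of the active SDM template on the 3750 rather than against the nominal 3000-3500 figure.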
You may need to look at a dedicated security appliance like an ASA 5510. It will scale much better and will be much easier to manage with the use of object groups. The exact model of ASA will depend on your needs. The 3750s have specific hardware limitations; check out the SDM templates. They will not scale very well in this scenario.