Hi Paul,
There is no practical upper limit specified for any router. All the design documents will list general guidelines. As far as I can see, no one has done any experimental research into this area, and probably with good reason. We know that router performance degrades as the average depth the router has to search for a match increases, but so much depends on how the ACL is designed in the first place. As performance degrades to the point where it is unacceptable to the end user, there are lots of performance tweaks that can be employed to redress this. Increasing the memory, using switching strategies and using turbo access lists are all viable solutions to ACL performance issues. On the stark question of how many access list entries I can have, I would say around 3000 or so. This is based on the amount of NVRAM available to store the config. However, having said this, there is no unwritten rule that says you must store the config there. The router can be configured to pick up the working config from a TFTP server, for instance. Then the size of the config is only limited by the available DRAM, which can be upgraded to whatever the specified limit is, and then we are limited by the requirements of the other users of DRAM, etc. So the only way that a precise answer will ever be derived is to re-create the customer's access lists in the lab and pump traffic captured from the customer's network through it using a packet generator. In the end, not worth the aggravation, I'd say.
Thanks,
Bhadri
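As an added illustration, not part of Bhadri's reply, here is a small Python model of the point about search depth: first-match ACL evaluation is simulated over a constructed traffic sample, the average number of entries examined is measured, and the list is reordered by hit count without letting any entry move past an overlapping entry with a different action, so every decision stays the same. The ACL, prefixes and addresses are made up for the example.

```python
import ipaddress

# Constructed ACL (action, source prefix); entries are hypothetical.
ACL = [
    ("deny",   "10.0.0.0/8"),
    ("permit", "192.0.2.0/24"),
    ("deny",   "198.51.100.0/24"),
    ("permit", "203.0.113.0/24"),
    ("permit", "172.16.0.0/12"),
]

# Constructed traffic sample: most packets hit the last entry.
TRAFFIC = ["172.16.1.1"] * 6 + ["192.0.2.5"] * 2 + ["10.1.1.1", "8.8.8.8"]

def first_match(acl, src):
    """Return (action, entries examined, matched index or None) for src."""
    addr = ipaddress.ip_address(src)
    for depth, (action, prefix) in enumerate(acl, 1):
        if addr in ipaddress.ip_network(prefix):
            return action, depth, depth - 1
    return "deny", len(acl), None   # implicit deny after scanning every entry

def average_depth(acl, traffic):
    """Average number of entries the router examines per packet."""
    return sum(first_match(acl, s)[1] for s in traffic) / len(traffic)

def same_decisions(acl_a, acl_b, traffic):
    """True if both lists give the same action for every sampled packet."""
    return all(first_match(acl_a, s)[0] == first_match(acl_b, s)[0] for s in traffic)

def reorder_by_hits(acl, traffic):
    """Bubble frequently hit entries forward, swapping only adjacent pairs that
    either share an action or do not overlap, so first-match results hold."""
    hits = [0] * len(acl)
    for s in traffic:
        idx = first_match(acl, s)[2]
        if idx is not None:
            hits[idx] += 1
    order = list(zip(acl, hits))
    for i in range(1, len(order)):
        j = i
        while j > 0 and order[j][1] > order[j - 1][1]:
            (act, pfx), (pact, ppfx) = order[j][0], order[j - 1][0]
            safe = act == pact or not ipaddress.ip_network(pfx).overlaps(ipaddress.ip_network(ppfx))
            if not safe:
                break
            order[j], order[j - 1] = order[j - 1], order[j]
            j -= 1
    return [entry for entry, _ in order]

if __name__ == "__main__":
    tuned = reorder_by_hits(ACL, TRAFFIC)
    print(average_depth(ACL, TRAFFIC), average_depth(tuned, TRAFFIC), same_decisions(ACL, tuned, TRAFFIC))
```

The reordering is a conservative heuristic, not an optimal placement; on a real device the tool of choice is the router's own per-entry hit counters rather than a packet list.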