There's definitely a limit as

scdladmin · ‎10-11-2016

In our main building there are 6 closets, 5 of which have a 2960 stack.

In the past, when configuring switches in these closets, we have always used port-based ACLs inbound and never had any issues due to ACLs.

We also prefer port-based (PACL) over vlan interface (VACL) ACLs. VACLs open up intra-switch/stack holes and - in our case - cause increased network traffic.

Ever since installing the 2960 stacks, we have experienced very odd behavior with regard to ACLs.

Here are some of our experiences:

- Two interfaces assigned to the same ACL - one communicates, the other does not. If you remove the ACL from the interface configuration, the non-working device now communicates;

- Same ACL allows communication for interfaces in 4 closets, but not all interfaces in 5th closet;

- Change ACL and apply. Same results as above, most interfaces communicate but some that were communicating now stop;

- Change ACL and apply. Interfaces assigned to a different ACL stop communicating.

So, I am left to wonder...

Is there some kind of limit, or aggregate limit, to ACLs - or maybe ACEs - per 2960 switch or stack?

If so, what is it? Can the limit be changed?

I haven't found any documentation describing this, but it's the only thing I can think of that would explain the bizarre behavior we have experienced.

TIA

Rick

nspasov · ‎10-12-2016

Hello Rick-

There is definitely a limit on the number of ACEs that you can have applied on the switch. That limit is driven by the TCAM resources of the switch. You can check that with the following command:

show platform tcam utilization asic all

You can also use the following command (followed by the asic number) to check if there has been any drops:

show platform acl statistics

Some switches have the functionality to be re-programmed to allocate its resources differently via SDM templates. For more information on that please reference the following link:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swsdm.html

I hope this helps!

Thank you for rating helpful posts!

scdladmin · ‎10-12-2016

Thanks for the replies.

Checking the TCAM utilization shows that we aren't anywhere close to the maximums on any of the switches/stacks.

Must be another reason for the bizarre behavior we are experiencing.

nspasov · ‎10-12-2016

Well, there are many things that can cause this. For instance, a simple thing as a BUG :) Can you provide some more info:

1. Version of code that you are running

2. The exact syntax of the ACL that you are trying to apply

3. Output from the following commands (after you have the ACLs in place and the issues are occurring):

show buffers

show interfaces | i drops

show proc cpu his

show proc mem

show run | sec spanning

show spanning-tree detail | i VLAN|topology change

show logging

Also, you can apply the "log" keyword on your ACL entries. This will help you determine if the ACLs are the cause of the traffic drops.

Thank you for rating helpful posts!

Marvin Rhoads · ‎10-12-2016

There's definitely a limit as they consume TCAM resources which are more limited on the lower end Cat 2k platform. That's one of the reason you pay less or them. :)

I can't find the definitive guide at the moment but do recall the Trustsec folks citing this limitation as one of the reasons why it's preferable to use SGTs with SGACLs vs. classic ACLs

Is there a limit to ACLs/ACEs on a Catalyst 2960 switch