02-16-2010 05:20 AM - edited 03-06-2019 09:43 AM
Hi,
I have a Catalyst 3750 with Cisco IOS Software, C3750 Software (C3750-IPSERVICES-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1). The system image file is "flash:c3750-ipservices-mz.122-35.SE5/c3750-ipservices-mz.122-35.SE5.bin".
The command "show sdm prefer" returns :
#show sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 11K
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 8K
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
I defined an inbound IP extended ACL on one of its virtual interfaces. No problem so far.
I inserted the following line in this ACL:
permit udp any any reflect udptraffic
Now the switch logs the following messages:
334: 08:55:34: %ACLMGR-3-INVALIDPARAM: Invalid ACL type 5 encountered
These messages disappear as soon as I remove the reflexive ACL. The command "show access-list udptraffic" shows that some traffic is caught by the reflexive ACL. I'm not sure that all of it is caught.
Is there a problem with reflexive ACLs on C3750-IPSERVICES-M, Version 12.2(35)SE5 ? Is there anything I can do to fix it ?
Thank you very much in advance.
Roland.
02-16-2010 07:08 AM
Hello Roland,
A multilayer switch implements ACLs in the TCAM tables.
Given the dynamic nature of reflexive ACLs, it is not possible to support them in hardware in the TCAM tables.
see
The switch does not support these Cisco IOS router ACL-related features:
•Non-IP protocol ACLs (see Table 32-1) or bridge-group ACLs
•IP accounting
•Inbound and outbound rate limiting (except with QoS ACLs)
•>>>>>Reflexive ACLs or dynamic ACLs (except for some specialized dynamic ACLs used by the switch clustering feature)
•ACL logging for port ACLs and VLAN maps
This does not change even in newer images.
Hope to help
Giuseppe
02-16-2010 08:48 AM
giuslar wrote:
Hello Roland,
a multilayer switch implements ACLs on the TCAM tables.
given the dynamic nature of reflexive ACLs is not possible to support them in hardware on the TCAM tables.
Thank you Giuseppe for your answer. I missed this point when I tried to set up reflexive ACLs on this Layer 2/Layer 3 switch.
I'll have to use static ACLs.
Roland.
--
Roland Dirlewanger
CNRS - Delegation Aquitaine-Limousin
Esplanade des Arts et Metiers
33402 TALENCE CEDEX
Tel : 05.57.35.58.52, Fax : 05.57.35.58.01
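A worked configuration contrasting the reflexive ACL from the original post with a static ACL that the 3750 can program into TCAM, following Giuseppe's explanation and Roland's decision to fall back to static ACLs. This is an added example and not configuration taken from the thread; the ACL names, VLAN 10, the 192.0.2.0/24 and 198.51.100.0/24 addresses and the DNS/NTP server hosts are assumptions for illustration.

```cisco
! Added example, not from the thread. ACL names, VLAN, subnets and
! server addresses are assumptions.
!
! --- What the original post did: a reflexive ACL on an SVI. The CLI
! accepts it, but the 3750 cannot program reflect/evaluate entries
! into TCAM, so it logs %ACLMGR-3-INVALIDPARAM as shown in the thread.
ip access-list extended LAN-IN
 permit udp any any reflect udptraffic
 permit tcp any any reflect tcptraffic
!
ip access-list extended LAN-OUT
 evaluate udptraffic
 evaluate tcptraffic
 deny ip any any
!
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip access-group LAN-IN in
 ip access-group LAN-OUT out
!
! --- Static equivalent the switch can hold in hardware.
! Inbound (from the VLAN hosts): only allow the subnet we expect there.
ip access-list extended LAN-IN-STATIC
 permit ip 192.0.2.0 0.0.0.255 any
 deny ip any any
!
! Outbound (toward the VLAN hosts): return traffic has to be described
! statically. "established" matches TCP segments with ACK or RST set;
! it is a flag check, not a session table, so it is paired with the
! destination subnet rather than "any". UDP has no established keyword,
! so each service (DNS, NTP here) is opened only from its known server.
ip access-list extended LAN-OUT-STATIC
 permit tcp any 192.0.2.0 0.0.0.255 established
 permit udp host 198.51.100.53 eq 53 192.0.2.0 0.0.0.255 gt 1023
 permit udp host 198.51.100.123 eq 123 192.0.2.0 0.0.0.255 eq 123
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any 192.0.2.0 0.0.0.255 unreachable
 permit icmp any 192.0.2.0 0.0.0.255 time-exceeded
 deny ip any any
!
interface Vlan10
 no ip access-group LAN-IN in
 no ip access-group LAN-OUT out
 ip access-group LAN-IN-STATIC in
 ip access-group LAN-OUT-STATIC out
```

Both the `reflect` and the matching `evaluate` lines have to go; leaving an `evaluate` in the outbound ACL still references the unsupported reflexive list. The trade-off is real: `established` only inspects TCP flags, so a packet with ACK set reaches the inside hosts regardless of whether a session exists, and UDP return traffic can only be scoped by source host and port. If true stateful return filtering is required, it belongs on a router or firewall in front of the switch, not on the 3750. After the change, `show ip access-lists` should list the static entries with hit counters and the %ACLMGR-3-INVALIDPARAM messages should stop; the "desktop routing" template in the post allows 1K security ACEs, so a list of this size fits comfortably.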
08-06-2020 03:31 AM
I seem to have the same problem on Cisco IE4000 (Stratix 5400).
Is the Cisco IE4000 based on the same hardware platform as the Cisco Catalyst 3750?
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuk39644
~BAS