Wondering if anyone has an answer for something I am seeing on my 3750E series switches (WS-C3750E-48TD). I have multiple VLANs configured on here, one which is used as a 'workstation' VLAN. I have an inbound ACL applied to the VLAN interface (int vlan 50 to be exact). This list is admittedly long at roughly 6000 ACEs. Now I just recently installed these switches as they replaced some 4507R switches which we moved to our new centralized DC. Here is the issue I am having. This same ACL was applied to the same VLAN interface on the 4507s when they were doing the work of the 3750s. What I used to be able to do was actually edit the ACL by removing it with no ip access-list extended WS-In and then followed up by the ip access-list extended WS-In ... and the lines I wanted in the ACL. I know I could use the line numbers to edit the ACL but this worked OK for me. When I would do this on the 4507R, the ACL was still applied to the interface but traffic never seemed affected by the removal and re-adding of the ACL. I did this by copying and pasting the ACL into a terminal window. It seemed as though on the 4507 the ACL was not compiled until the entire thing was loaded in and therefore traffic was not processed by the ACL until the load was done. I have no evidence that this is the way it worked other than what was observed.
With the 3750 I have basically the same setup. Only issue is that when I load the ACL it seems to start blocking traffic until all the ACEs are loaded. So depending on where an ACE exists in the ACL, that determines how soon the traffic it affects gets allowed again, because of the time it gets loaded in, if that makes sense. In other words, if I have an ACL with 3 ACEs in it, if I remove that ACL while it's applied to the interface, and then immediately add in the ACEs one at a time in quick succession, ACE 3 will be delayed until ACEs 1 and 2 are loaded. If ACE 3 is something like allow www traffic, then users cannot seem to get to the web until that ACE is loaded. I have not had time to test this fully to see what is actually happening but I basically shut down this workstation network when I did this. I cannot tell if this is a result of the switch CPU getting taxed because it’s trying to compile the ACEs or if it’s the fact that as the ACL ACEs are loading, traffic is slowly being permitted as they get loaded in.
My question here is does anyone know if there is a difference in the way ACLs are compiled on the 3750E switch versus the 4507R. And does anyone know why loading ACEs in quick succession would bring a 3750 to its knees? I never had any issue with doing this on the 4507 switches. I plan on trying to test this in our maintenance window on Thursday to get additional information. As always thanks for the help.
OK, after some testing here, it seems that the switch has issues with loading and compiling the ACL while the ACL is applied to an interface. If I un-apply the ACL from the interface first, then reload the ACL into the switch, then re-apply the ACL to the VLAN interface, then the switch does not seem to have an issue with it. I discovered that one of my ACLs did not even properly compile and was allowing traffic through that the ACL would normally block. Not good. Any help here would be great.
This has been fixed. It seems the switch was running out of TCAM space to input the ACL. I switched to a new SDM template and now the switch has enough resources to input the ACL and switch traffic in hardware rather than punt. All is working good now.
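The edit cycle worked out in the fourth post (take the ACL off the SVI, rebuild it, re-apply) together with the TCAM check that would have exposed the problem in the last post, as an added IOS example that is not from the original thread. The ACL name WS-In and interface Vlan50 come from the posts; the `access` SDM template name, the `show platform tcam utilization` command and the placeholder ACEs are assumptions, so confirm them against your own IOS release before use.

```cisco
! Added example, not from the original thread. Safer edit cycle for a large ACL
! on a 3750E, plus the resource checks behind the TCAM-exhaustion fix.
! ACL name WS-In and Vlan50 come from the post; template name, show commands
! and the sample ACEs are assumptions / constructed placeholders.

! 1. Check hardware resources before touching the ACL. If the security ACL
!    region is near its maximum, a long list will not program completely and
!    traffic is either punted to the CPU or, as seen in the thread, matched
!    incorrectly.
show sdm prefer
show platform tcam utilization

! 2. Remove the ACL from the SVI first so a half-loaded list is never the one
!    being enforced while the new version is pasted in.
configure terminal
 interface Vlan50
  no ip access-group WS-In in
 exit

! 3. Rebuild the list while nothing references it.
 no ip access-list extended WS-In
 ip access-list extended WS-In
  remark --- constructed placeholder ACEs; paste the real list here ---
  permit tcp 10.50.0.0 0.0.255.255 any eq 80
  permit tcp 10.50.0.0 0.0.255.255 any eq 443
  deny   ip any any
 exit

! 4. Re-apply only once the whole list is in the running config.
 interface Vlan50
  ip access-group WS-In in
 end

! 5. Confirm every ACE is present and the TCAM actually programmed the list.
show ip access-lists WS-In
show platform tcam utilization

! 6. If the ACL region is exhausted, select a template that allocates more
!    TCAM to security ACLs. It only takes effect after a reload, so schedule it.
configure terminal
 sdm prefer access
 end
write memory
reload
```

Re-running step 5 after the reload shows whether the new template left headroom for the roughly 6000-ACE list; if utilization is still at the ceiling, the ACL has to shrink rather than the template change again.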