Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
456
Views
2
Helpful
8
Replies

Error with Reflexive ACL - %ACLMGR-3-INVALIDPARAM: Invalid ACL type 5

Josh Mil
Level 1
Level 1

‎09-01-2025 04:11 AM

Reflexive ACLs are configured on a C3560-CX switch to regulate inter-vlan traffic.

Simplified settings to describe the scanario:

interface Vlan10
ip access-group acl_in in
ip access-group acl_out out

access-list acl_in
permit icmp any any reflect acl_reflexive

access-list acl_out
evaluate acl_reflexive

This is intended to allow icmp traffic entering the vlan, if and only if the traffic is initiated from inside the vlan. Actually, it works. If I ping outside from a host inside this vlan, a dynamic entry is automatically added to the reflexive ACL, and echo reply is received.

However, an error message is displayed every time when the dynamic entry is created and when it times out.

The error message is like this:

%ACLMGR-3-INVALIDPARAM: Invalid ACL type 5 encountered
-Traceback= 7BA92Cz 3751AE8z 3750720z 3FE19A4z

 

I have done some searches on the internet but there is not much information related to this.

 

Labels:
0 Helpful
8 Replies 8

MHM Cisco World
VIP
VIP

‎09-01-2025 04:25 AM

""ACLs on Catalyst switches are compiled and pushed to TCAM — reflexive ACLs are software-based and don’t fit that model.""

As workaround to make this ACL work in Software use 

permit icmp any any reflect acl_reflexive log

But again this ACL not design to work in old IOS SW it work good for IOS Router.

MHM

Josh Mil
Level 1
Level 1
In response to MHM Cisco World

‎09-02-2025 03:20 AM

Thank you.

If reflexive ACLs are implemented by software on layer 3 switches, does it still have any advantages in comparison to routing through a router? The purpose of routing on the switch is to achieve higher performance, as switching is considered faster than routing.

0 Helpful

MHM Cisco World
VIP
VIP
In response to Josh Mil

‎09-02-2025 03:37 AM

If reflexive ACLs are implemented by software on layer 3 switches <<- what you meaning by this ??

The purpose of routing on the switch is to achieve higher performance, as switching is considered faster than routing.<<- SW have both hardware and software switching' router have only software switching (some high end router have also hybrid mode)' so we need L3SW it fast than Router.

MHM

0 Helpful

Jens Albrecht
Spotlight
Spotlight

‎09-01-2025 09:19 AM

Hello @Josh Mil,

as mentioned by @MHM Cisco World reflexive ACLs are best supported on routers but have limited support on these switches.

The error message you get is triggered internally by the ACL manager process (ACLMGR) when it encounters a reflexive ACL (type 5) in a context or configuration that is not fully supported,

Despite the error message, the ACL may still work, meaning it creates dynamic entries for initiated traffic, but the switch logs these errors every time a dynamic entry is added or removed.

So if the reflexive ACL is working as expected, and main services are unaffected, the error may be safely ignored as just a cosmetic issue.

Make sure to consistently monitor CPU load and memory usage in this case!

HTH!

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Jens Albrecht

‎09-01-2025 01:13 PM

My colleagues have made good points about reflexive acl on switches, and they are likely on target. But I will observer that any time you get Traceback it is a sign of a software problem. Perhaps it is that a not supported function generates this, but I wonder if a different version of code might behave differently.

HTH

Rick
0 Helpful

Josh Mil
Level 1
Level 1
In response to Jens Albrecht

‎09-02-2025 03:22 AM

Thank you. Although it's still working, I'm now concerned about the performance. We choose to route between VLANs on the switch because we thought it's faster than using a router, but if it's implemented by software, is it still faster?

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Josh Mil

‎09-06-2025 09:49 AM

You ask an interesting question about is it faster (or to phrase it slightly differently are there performance advantages of doing the routing on the switch). And it is not easy to get a definitive answer. In part it might depend on what type/model/version of switch and what type/model/version of router. It might also depend on the volume of traffic being handled. And I would suggest that it also depends on whether the subnets/vlans of the hosts are on the same switch, or whether one host is local and the other host is remote. If one host is remote I believe that performance would be better if routing were done on the upstream device, since now all the switch needs to do is to make a layer 2 forwarding decision. If both hosts are local to the switch I believe that performance is better if routing is done on the switch since it avoids the overhead of sending the frame to the router and receiving the frame from the router.

HTH

Rick
0 Helpful

tiagobsb1@gmail.com
Level 1
Level 1

‎09-02-2025 01:18 PM

muito bom 

0 Helpful
Customers Also Viewed These Support Documents