I have an issue when configuring a Cisco 3850.
On the 3850, I created 6 SVIs for local routing and applied ACLs to 5 SVIs as below:
ACL 100 has 155 rules
ACL 150 has 259 rules
ACL 107 has 188 rules
ACL 111 has 155 rules
ACL 112 has 290 rules
When I apply ACL 108, which has 159 rules, to SVI 108, the switch CPU is high (80%), but before I apply ACL 108, the CPU is 4%. This is the log from the 3850:
<188>377: Dec 14 13:16:09.309 UTC: %ACL_ERRMSG-4-UNLOADED: 1 fed: Input IPv4 L3 ACL on interface Vl108 for label 12 on asic255 could not be programmed in hardware and traffic will be dropped.
When I remove ACL 108 from SVI 108, the CPU is normal (4%). I read this article: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3850-series-switches/118957-troubleshoot-sec-acl-tcam-cat3850.html, but I don't understand how to fix it.
Please help me
But I read this link. So I only upgrade from Nova to Polaris, is that right?
Try an IOS upgrade; however, the information found in the Bug ID is not reliable, especially the Known Affected Version and the Known Fixed Version.
But for now, try upgrading the IOS of the switch stack.
Let us know how you go.
Because I'm using a Catalyst 3850 24T-E, can I upgrade from IOS-XE 03.06.05E to version cat3k_caa-universalk9.16.06.04a.SPA.bin (https://software.cisco.com/download/home/284455433/type/282046477/release/Everest-16.6.4a)? In this release I saw Bug ID CSCvk42902 resolved. I am considering between cat3k_caa-universalk9.16.08.01a.SPA.bin and cat3k_caa-universalk9.16.06.04a.SPA.bin. Are these 2 versions OK with the 3850-24T-E?
I am buying a Cisco C9300 to replace the 3850 and I am considering ACLs on the C9300. I wonder, is there any bug about ACLs in the C9300, the same as the bug in the 3850, that causes high CPU?
I wonder, is there any bug about ACLs in the C9300, the same as the bug in the 3850, that causes high CPU?
Because the 3650/3850 and the 9K run on the same IOS-XE, whatever bug the 9K hits will, most definitely, be found in the 3650/3850.
However, IOS upgrade can sometimes fix the issue.
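The %ACL_ERRMSG-4-UNLOADED line quoted in the first post means the ACL on Vl108 was not programmed in hardware and matching traffic is dropped, so it is worth alerting on wherever the switch syslog is collected. The following is an added example, not part of the thread and not Cisco code: a small parser that finds these messages and lists the affected interfaces. The function names, the "Output" direction alternative and the second and third sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Pattern built from the message format quoted in the first post.
# "unit" is the number printed before "fed:" (assumed to identify the stack member).
UNLOADED_RE = re.compile(
    r"%ACL_ERRMSG-(?P<severity>\d)-UNLOADED:\s+(?P<unit>\d+)\s+fed:\s+"
    r"(?P<direction>Input|Output)\s+(?P<proto>\S+)\s+(?P<layer>L\d)\s+ACL\s+"
    r"on interface\s+(?P<interface>\S+)\s+for label\s+(?P<label>\d+)\s+"
    r"on asic(?P<asic>\d+)\s+could not be programmed in hardware"
)

def parse_unloaded(line):
    """Return the fields of an ACL UNLOADED message, or None for any other line."""
    m = UNLOADED_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # The message itself states whether traffic on the interface is being dropped.
    rec["drops_traffic"] = "traffic will be dropped" in line
    return rec

def affected_interfaces(lines):
    """Count UNLOADED events per (interface, direction, protocol)."""
    hits = defaultdict(int)
    for line in lines:
        rec = parse_unloaded(line)
        if rec:
            hits[(rec["interface"], rec["direction"], rec["proto"])] += 1
    return dict(hits)

SAMPLE_LOG = [
    # Line as quoted in the first post.
    "<188>377: Dec 14 13:16:09.309 UTC: %ACL_ERRMSG-4-UNLOADED: 1 fed: Input IPv4 L3 ACL "
    "on interface Vl108 for label 12 on asic255 could not be programmed in hardware "
    "and traffic will be dropped.",
    # Constructed: unrelated message that must be ignored.
    "<189>378: Dec 14 13:16:10.001 UTC: %LINEPROTO-5-UPDOWN: Line protocol on "
    "Interface Vlan108, changed state to up",
    # Constructed: the same failure logged again later.
    "<188>379: Dec 14 13:20:41.112 UTC: %ACL_ERRMSG-4-UNLOADED: 1 fed: Input IPv4 L3 ACL "
    "on interface Vl108 for label 12 on asic255 could not be programmed in hardware "
    "and traffic will be dropped.",
]

if __name__ == "__main__":
    for key, count in affected_interfaces(SAMPLE_LOG).items():
        print(key, "UNLOADED events:", count)
```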