10-29-2019 06:56 PM
Dear All,
I would like to know the limitation of ACLs on Cisco switches. I am using Cisco 2960 LAN Base switches.
I am using the PACL feature, so I would like to know how many lines of ACL rules can be in the main ACL. What is the impact if I put 200 lines of ACL rules? I am worried about performance.
E.g.
access-list 101 permit ip 192.168.1.1 0.0.0.31 192.168.1.1 0.0.0.31
access-list 101 permit ip 192.168.1.1 0.0.0.31 192.168.2.1 0.0.0.31
.
.
.
access-list 101 permit ip 192.168.1.1 0.0.0.31 192.168.200.1 0.0.0.31
access-list 101 deny ip any any
Interface GE 0/xx
ip access-group 101 in
10-30-2019 01:24 AM
Hi there,
ACLs are implemented in hardware, the TCAM in particular, therefore the length of the ACL should have little impact on performance.
You can view the capacity of the TCAM for ACLs with the command sh platform tcam util all, in particular the lines with the text "security aces".
cheers,
Seb.
10-30-2019 03:04 AM
Hi,
Please see the pic. Let me know: does 101/101 mean I am using 101 and the maximum is 384? Correct? Let me know, if I change the SDM template, will it increase?
10-30-2019 03:34 AM
Correct, but keep in mind that there is not a 1:1 mapping between masks and values, for example multiple ACEs can share the mask.
This is a good read:
https://learningnetwork.cisco.com/docs/DOC-27403
Yes, changing the SDM template will affect TCAM allocation. What platform and template are you using currently?
cheers,
Seb.
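As an added illustration of the two points Seb makes above (ACL length is bounded by TCAM capacity, and multiple ACEs can share a mask), the following Python script is not part of this thread and not Cisco's own tooling. It counts the ACEs in an ACL of the shape shown in the question, counts how many distinct source/destination wildcard-mask pairs they use, and compares the ACE count with the free "IPv4 security aces" values in a "show platform tcam utilization" style output. Both the ACL and the TCAM output are constructed samples, the output layout is assumed to follow the Max/Used Masks/Values columns of that command, and the script assumes the ACL is not yet applied (so its ACEs are not already counted in "Used"). Treat the result as a planning estimate only: real TCAM consumption depends on the platform and SDM template.

```python
import re

# Constructed sample ACL in the shape of the one in the question (not a real config).
SAMPLE_ACL = """
access-list 101 permit ip 192.168.1.1 0.0.0.31 192.168.1.1 0.0.0.31
access-list 101 permit ip 192.168.1.1 0.0.0.31 192.168.2.1 0.0.0.31
access-list 101 permit ip 192.168.1.1 0.0.0.31 192.168.200.1 0.0.0.31
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.1.1.10 eq 443
access-list 101 deny ip any any
"""

# Constructed sample in the assumed layout of 'show platform tcam utilization'.
SAMPLE_TCAM = """
CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                       8192/8192        30/30
 IPv4 security aces:                           384/384        101/101
 IPv4 qos aces:                                384/384         21/21
"""

ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")


def parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) and return (wildcard_mask, remaining)."""
    if tokens[0] == "any":
        return "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return "0.0.0.0", tokens[2:]
    return tokens[1], tokens[2:]


def parse_acl(text):
    """Return a list of (acl_number, action, protocol, src_mask, dst_mask) for each ACE line."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not an ACE
        number, action, proto, rest = m.groups()
        tokens = rest.split()
        src_mask, tokens = parse_addr(tokens)
        dst_mask, tokens = parse_addr(tokens)  # port qualifiers such as 'eq 443' are ignored
        aces.append((number, action, proto, src_mask, dst_mask))
    return aces


def tcam_row(text, label):
    """Return (max_masks, max_values, used_masks, used_values) for the row starting with label."""
    for line in text.splitlines():
        if line.strip().lower().startswith(label.lower()):
            (mx_m, mx_v), (us_m, us_v) = re.findall(r"(\d+)/(\d+)", line)
            return int(mx_m), int(mx_v), int(us_m), int(us_v)
    raise ValueError(f"row {label!r} not found in TCAM output")


def report(acl_text, tcam_text, row="IPv4 security aces"):
    """Estimate whether the ACL's ACEs fit into the free TCAM 'values' of the given row."""
    aces = parse_acl(acl_text)
    distinct_masks = {(src, dst) for _, _, _, src, dst in aces}
    max_masks, max_values, used_masks, used_values = tcam_row(tcam_text, row)
    free_values = max_values - used_values
    return {
        "aces": len(aces),
        "distinct_masks": len(distinct_masks),  # ACEs with the same mask pair can share a mask entry
        "max_values": max_values,
        "used_values": used_values,
        "free_values": free_values,
        "fits": len(aces) <= free_values,
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_ACL, SAMPLE_TCAM).items():
        print(f"{key:15} {value}")
```

Run it against a copy of your own ACL and the real command output to get a first-order estimate before applying a long PACL; the "distinct_masks" figure is only a reminder that the masks column will usually be lower than the ACE count.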
10-30-2019 06:36 PM
Hi,
I am using default SDM.
10-31-2019 01:04 AM
See:
...in which case you are using one of the templates which gives the highest TCAM allocation to IPv4 security ACEs. I would leave it as it is.
cheers,
Seb.