Just wondered if there is a maximum number of lines on an access-list. I currently have an access-list of around 850 lines on a 4506 switch which is becoming unmanageable. I'm concerned we might reach a point where we can add no more lines to the access-list. I'm therefore proposing we give access to whole subnets rather than individual ip's. I just need some ammunition for my proposal so any other reasons why we should reduce its size would be appreciated.
I have no idea the max number of ACL's you can have. But you do want to minimize the size of this since your switching is going to have to inspect every line of the ACL which is going to have an impact on the CPU (Could cause delay with packets). I would try to bring this size down.
I recall one risk on many switches with large ACLs, you might overflow the TCAM resource. If you do, you'll shift performance from your ASICs to the main supervisor CPU (something you'll want to avoid).
Learn, share, save
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
