cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
823
Views
3
Helpful
16
Replies

Puzzling results when pasting in ACL config to switch

Hello, 

I was creating 2 decently large ACL's to match some traffic today and I noticed something peculiar that has me puzzled. 

My first ACL has approx 90 ace's and pastes them fine. When I go back and look at the ACL, it looks like there are only like 10-15 ace's and an any/any pasted as the second entry even though I did not paste this. 

Strangely enough my other ACL had 380ish ace's and the ACL looks fine. 

I have duplicated this multiple times across 2 different terminal emulators with the same results and I am completely perplexed by this.

1 Accepted Solution

Accepted Solutions

Jesus. . . I just had a DUH moment. 

So this was a large spreadsheet of static routes that I wanted to match against an ACL. I have multiple concatonate functions running to clean up the configs and most importantly match and replace functions to inverse the subnet masks. I just realized it never changed the 255.255.255.255 to 0.0.0.0 and those were the ones that were a problem.

I must have changed them properly on the other rule, but it didnt apply to this one. Sorry guys

View solution in original post

16 Replies 16

Joseph W. Doherty
Hall of Fame
Hall of Fame

Cannot comment on your specific case but will say in the past I've had issues pasting voluminous config statements.  Never figured out why it would or wouldn't work.  What seemed to always work was to place voluminous config statements in their own file on my PC and copy them to the Cisco device using the Cisco copy command.

Can you clarify what you mean?

I just tried manually adding the missing ace's and they are not adding. Now I wonder if I am hitting a bug, because I feel like one could never hit the acl/ace limit that the devices can handle. I just need to confirm that information. 

Is there a command to see total acl/ace by chance to see if I am at that limit? I am on 9606r's and looks like for SUP1 the limits are 12,000-27,000

Sorry, clarify what, my having experienced similar issue while pasting or copying config statements?

The part about copying the files. I am not sure I follow what you advised that worked for you. So you were just tftp'ing the files over?

 

Yes, tftp or FTP or RCP.

Place ACL in text file that can be read from one of the foregoing and then use command line copy statement using forging as from target and running-config as to target.  (Do you need sample?)

As you likely know, copying to running does a merge, not a replace.

Thank you for clarifying. I have since tried to manually update the ACL with no luck as well, so this is going to be a bit more complex. Maybe a bug reached?

I've done config modifications using programs and VTY w/o issue.  My guess is with some terminal programs don't coordinate their paste transmission with device buffering.

MHM

I just do the same way I always do ACLS

ip access-list extended %ACL_NAME%

permit ip any %DEST IP ADDRESS + INVERSE MASK%

I looked up the ACL limits for this switch and I am no where even close to any limits. I also looked at the ASIC stats and do not see anything alarming. 

MHM

 

I have never created sequences ever in an ACL. Sequences auto create when you add te ACE's. I only ever use sequence commands when I need one to be specifically placed on a list for some need. 

As mentioned in the first post, I created 2 new ACL's. Both were done in the same way and the larger one took, but the smaller one did not

 

MHM

This is not applicable. Again one ACL took fine and the other did not past 22 ACE's. It appears there is a limitation in some fashion. 

I have a TAC case opened at this point since I have now gotten to the point I cannot manually enter any more ACE's to this list. I have not created another ACL to test as at that point I am just creating work and guessing wasting time I think. 

RAdamWilliams
Level 1
Level 1

Can you post the ACLs?

Review Cisco Networking for a $25 gift card