Traffic is dropped when ACL label number is 128 (or greater?) on C3560G

Hi. I seem to have a problem when my access switches are configured with more than 127 access lists applied (via "ip access-group") to interfaces.

An access list applied to an interface, for example:

interface vlan 100
 ip address 10.10.10.0 255.255.255.0
 ip access-group 2333 out

does not function properly but drops all packets if the ACL label number is 128, and probably also if it is greater than 128.

I am running IOS 12.2(35) SE5 on C3560G, but cannot find any related bugs in Bug Toolkit regarding this. If I had reached a limit or was TCAM full, I would be getting an error in syslog, but there is nothing logged regarding this.

The ACL label limit as far as I can find should be 256 egress + 256 ingress = 512 total, but I seem to be hitting a bug or limit at 128.

I can move the problem between interfaces that have a non-working "ip access-group xxx out" by changing the order (and thus the ACL label number on each interface), so this effectively shows that the problem starts at "ACL label #128" as seen with "show platform acl label 128". The problem also persists if I change the sdm template so that I provoke a TCAM full (greater than 1024 ACEs) and packets get routed in software by the CPU.

Does anyone have any thoughts on this? And does anyone know if there is a related bug, and in which version it might be fixed?

Thanks in advance

Regards,

/Ulrik
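Added illustration, not part of the thread: a small Python audit script that walks an IOS-style running config, records every "ip access-group ... in|out" application per interface in configuration order, and reports which egress (or ingress) applications fall at or beyond the 128th slot that the poster observed breaking. The 128 (observed) and 256 (documented) thresholds are taken from the thread; the assumption that each application in a direction consumes one label slot in interface order is drawn from the poster's description of moving the problem by reordering interfaces, not from Cisco documentation, so compare the script's ordinal against "show platform acl label" before trusting it on a real device. The sample config is constructed here.

```python
import re
from collections import defaultdict

OBSERVED_LIMIT = 128    # label ordinal at which the poster sees traffic dropped
DOCUMENTED_LIMIT = 256  # labels per direction the poster quotes as the platform limit

IFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
ACL_GROUP_RE = re.compile(r"^\s*ip access-group\s+(\S+)\s+(in|out)\s*$")


def parse_access_groups(config):
    """Return (interface, acl, direction) tuples in the order they appear."""
    current = None
    found = []
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("!"):      # '!' terminates an interface block in IOS configs
            current = None
            continue
        m = ACL_GROUP_RE.match(line)
        if m and current:
            found.append((current, m.group(1), m.group(2)))
    return found


def label_report(config):
    """Per direction: how many applications exist and how many distinct ACLs they use."""
    apps = parse_access_groups(config)
    report = {}
    for direction in ("in", "out"):
        subset = [a for a in apps if a[2] == direction]
        report[direction] = {
            "applications": len(subset),
            "distinct_acls": len({a[1] for a in subset}),
            "over_documented_limit": len(subset) > DOCUMENTED_LIMIT,
        }
    return report


def find_threshold_crossings(config, limit=OBSERVED_LIMIT):
    """Applications whose per-direction ordinal is >= limit (assumption: one label per
    application, numbered in config order). Returns (direction, interface, acl, ordinal)."""
    counters = defaultdict(int)
    crossings = []
    for iface, acl, direction in parse_access_groups(config):
        counters[direction] += 1
        if counters[direction] >= limit:
            crossings.append((direction, iface, acl, counters[direction]))
    return crossings


def build_sample_config(n_egress, n_ingress=0):
    """Constructed config: n_egress SVIs each with its own egress ACL (extended range
    2000+), plus n_ingress SVIs with ingress ACLs (range 100+)."""
    blocks = []
    for i in range(n_egress):
        blocks.append(
            f"interface Vlan{100 + i}\n"
            f" ip address 10.{i // 256}.{i % 256}.1 255.255.255.0\n"
            f" ip access-group {2000 + i} out\n!"
        )
    for i in range(n_ingress):
        blocks.append(f"interface Vlan{3000 + i}\n ip access-group {100 + i} in\n!")
    return "\n".join(blocks) + "\n"


if __name__ == "__main__":
    cfg = build_sample_config(130, 5)
    print(label_report(cfg))
    for direction, iface, acl, ordinal in find_threshold_crossings(cfg):
        print(f"{direction:3} slot {ordinal}: {iface} ({acl}) is at/after the observed limit")
```

Feed it the output of "show running-config" from an access switch; any egress application listed as slot 128 or later is the one to cross-check with "show platform acl label" and a traffic test.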

Re: Traffic is dropped when ACL label number is 128 (or greater?) on C3560G

Numbers between 1 and 99, 1300 and 1999 or named explicitly with 'ip access-list standard name' can be used as a Standard ACL.


Re: Traffic is dropped when ACL label number is 128 (or greater?) on C3560G

I'm not talking about the access-list number/name, I'm talking about the ACL label, that is inserted in the TCAM. As referred to in the following (for catalyst 6500 though):

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml

There should be an ACL label limit (number of inserted ACLs in the TCAM?) for the C3560G which is 256 ingress and 256 egress, but I seem to be hitting a limit at number 128.

Again this has nothing to do with numbering and naming of the access-lists.

Anyone?

Regards

Ulrik