10-12-2011 01:02 PM - edited 03-07-2019 02:46 AM
Hi.. I seem to have a problem when my access switches are configured with greater than 127 access-lists group'ed to interfaces.
The access-list group'ed to an interface with ex:
interface vlan 100
 ip address 10.10.10.0 255.255.255.0
 ip access-group 2333 out
does not function properly, but drops all packets, if the ACL label number is 128, and probably also greater than 128.
I am running IOS 12.2(35) SE5 on C3560G, but cannot find any related bugs in Bug Toolkit regarding this. If I had reached a limit or was TCAM full, I would be getting an error in syslog, but there is nothing logged regarding this.
The ACL label limit as far as I can find should be 256 egress + 256 ingress = 512 total, but I seem to be hitting a bug or limit at 128.
I can move the problem between which interfaces have a non-working "ip access-group xxx out" by changing the order (and ACL label number on each interface), so this effectively shows that the problem starts at "ACL label #128" as seen with "show platform acl label 128". The problem also persists if I change the sdm template so I provoke a TCAM full (greater than 1024 ACEs) and packets get routed in software by the CPU.
Anyone have any thoughts on this? And know if there is a related bug and in which version this might be fixed.
Thanks in advance
Regards,
/Ulrik
10-16-2011 11:44 PM
Numbers between 1 and 99, 1300 and 1999 or named explicitly with 'ip access-list standard name' can be used as a Standard ACL.
10-18-2011 05:08 AM
I'm not talking about the access-list number/name, I'm talking about the ACL label that is inserted in the TCAM, as referred to in the following (for Catalyst 6500 though):
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml
There should be an acl label limit (number of inserted ACL's in the TCAM?) for the C3560G which is 256 ingress and 256 egress, but I seem to be hitting a limit at number 128.
Again this has nothing to do with numbering and naming of the access-lists.
Anyone? 108 reads
Regards
Ulrik