When we remove an ACE from an ACL on a Catalyst 3850, the traffic is interrupted

Hi everyone,

At present, our customer has a problem, that is, some ACLs are configured on the Catalyst 3850 and applied to the SVI interface. For example, the following scenario:
interface Vlan110
 ip address 10.110.10.1 255.255.255.0
 ip access-group MGT-V110-ACL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim sparse-mode

ip access-list extended MGT-V110-ACL
 permit icmp any any
 permit udp any eq domain any
 permit udp any any eq domain
 permit ip any 224.0.0.0 0.0.0.255
 permit udp any eq 5514 5515 any
 remark SPLUNK-5
 permit udp any any eq snmp
 permit udp any eq snmp any
 permit udp any any eq snmptrap
 permit udp any eq snmptrap any
 permit udp any any eq ntp
 permit udp any eq ntp any
 permit udp any any eq syslog
 permit udp any eq syslog any
 permit tcp any any established
 permit tcp host 10.110.10.12 10.110.18.0 0.0.0.255 eq 22 443
 permit tcp host 10.110.10.12 10.110.82.0 0.0.0.255 eq 22 telnet
 permit tcp host 10.110.10.12 192.168.38.0 0.0.0.255 eq 22
 permit tcp host 10.110.10.12 10.110.128.0 0.0.0.255 eq 22
 remark IMCwangguan-2
 permit ip host 10.110.10.82 10.110.18.0 0.0.0.255
 permit ip host 10.110.10.82 10.110.82.0 0.0.0.255
 permit ip host 10.110.10.82 192.168.38.0 0.0.0.255
 permit ip host 10.110.10.82 10.110.128.0 0.0.0.255
 remark SPLUNK-5
 permit tcp host 10.110.10.8 10.110.0.0 0.0.0.255 eq 8089 9997
 permit tcp host 10.110.10.8 10.110.1.0 0.0.0.255 eq 8089 9997
 permit tcp host 10.110.10.8 10.110.3.0 0.0.0.255 eq 8089 9997
 permit tcp host 10.110.10.9 10.110.0.0 0.0.0.255 eq 8089 9997
 permit tcp host 10.110.10.9 10.110.1.0 0.0.0.255 eq 8089 9997
 permit tcp host 10.110.10.9 10.110.3.0 0.0.0.255 eq 8089 9997
 permit tcp host 10.110.10.10 10.110.0.0 0.0.0.255 eq 8089 9997
 permit tcp host 10.110.10.10 10.110.1.0 0.0.0.255 eq 8089 9997
 permit tcp host 10.110.10.10 10.110.3.0 0.0.0.255 eq 8089 9997
 remark AllInOne-nbu
 permit tcp host 10.110.10.13 any eq 22 3389 443 5899 telnet
 permit tcp host 10.110.10.14 any eq 22 3389 443 5899 telnet
 remark BaoLeiQianZhiJi-9
 permit ip 10.110.10.116 0.0.0.1 host 10.110.8.30
 permit ip 10.110.10.116 0.0.0.1 10.110.16.0 0.0.3.255
 permit ip 10.110.10.116 0.0.0.1 10.110.8.0 0.0.1.255
 permit ip 10.110.10.116 0.0.0.1 host 10.110.18.75
 permit ip 10.110.10.116 0.0.0.1 host 10.110.1.129
 remark NBUGuanLiJi-10
 permit tcp host 10.110.10.35 object-group NBUGuanLiJi eq 1556 13724 13782 902 443
 permit tcp host 10.110.10.99 object-group NBUGuanLiJi eq 1556 13724 13782 902 443
 permit tcp host 10.110.10.122 object-group NBUGuanLiJi eq 1556 13724 13782 902 443
 permit object-group Policy-11 object-group ZiDongHuaQieHuan host 10.110.10.159
 remark QuShiShaDu-12
 permit ip object-group QuShiShaDu object-group ShaDu
 remark lenovoxclarityGuanLi-13
 permit ip host 10.110.10.94 10.110.16.0 0.0.0.255
 remark brocadebanGuanLi-15
 permit ip host 10.110.10.97 10.110.17.0 0.0.0.255
 remark ibm-tpcGuanLi-16
 permit ip host 10.110.10.98 10.110.17.0 0.0.0.255
 remark zabbix-vcenter-17
 permit tcp host 10.110.10.109 host 10.110.8.30 eq 443
 permit tcp host 10.110.10.137 host 10.110.8.30 eq 443
 permit tcp host 10.110.10.138 host 10.110.8.30 eq 443
 permit ip host 10.110.10.109 object-group agent
 permit ip host 10.110.10.137 object-group agent
 permit ip host 10.110.10.138 object-group agent
 remark Policy-23
 permit tcp host 10.110.10.103 host 10.110.0.135 eq www
 permit tcp host 10.110.10.104 host 10.110.0.135 eq www
 remark Policy-29
 permit ip 10.110.10.86 0.0.0.1 any
 remark Policy-30
 permit ip any 10.110.10.86 0.0.0.1
 remark YingFangTongBu-31
 permit tcp host 10.110.10.163 object-group YingFangTongBu eq 26821
 remark vplexZhongCai-32
 permit ip host 10.110.10.136 10.110.17.0 0.0.0.255
 remark exsiGuanLivcenter-38
 permit ip host 10.110.10.115 host 10.110.8.30
 remark waf-41
 permit tcp host 10.110.10.58 10.110.18.164 0.0.0.1 eq 8080
 remark ShaDu-42
 permit tcp host 10.110.10.121 10.110.18.164 0.0.0.1 eq 8080
 remark wsus-43
 permit tcp host 10.110.10.90 10.110.18.164 0.0.0.1 eq 8080
 remark VSM
 permit ip host 10.110.10.123 10.110.8.0 0.0.0.255
 permit ip host 10.110.10.123 10.110.9.0 0.0.0.255
 remark waf-47
 permit ip host 10.110.10.58 host 10.110.18.159
 permit ip host 10.110.10.58 host 10.110.18.160
 remark splunk-50
 permit tcp host 10.110.10.8 host 10.110.3.8 eq 3306
 remark nbu_XuJiHuiFu
 permit tcp host 10.110.10.35 host 10.110.9.13 eq sunrpc 2049 7394
 remark Policy-52
 permit tcp host 10.110.10.8 host 10.110.0.41 eq smtp
 remark itsm-mail
 permit tcp 10.110.10.100 0.0.0.1 host 10.110.0.41 eq smtp
 permit ip host 10.110.10.84 host 10.110.1.194
 permit ip host 10.110.10.84 host 10.110.1.195
 permit ip host 10.110.10.84 host 10.110.1.196
 remark bst01App
 permit ip host 10.110.10.36 host 10.110.1.194
 permit ip host 10.110.10.36 host 10.110.1.195
 permit ip host 10.110.10.36 host 10.110.1.196
 permit ip host 10.110.10.84 host 10.110.1.90
 permit ip host 10.110.10.84 host 10.110.1.91
 permit ip host 10.110.10.84 host 10.110.1.92
 permit tcp host 10.110.10.84 10.110.0.0 0.0.3.255 eq 1556 13720 13724 13782 13783 902 443
 permit tcp host 10.110.10.84 10.110.8.0 0.0.1.255 eq 1556 13720 13724 13782 13783 902 443
 remark AllInOne-nbu
 permit tcp host 10.110.10.36 10.110.0.0 0.0.3.255 eq 1556 13720 13724 13782 13783 902 443
 permit tcp host 10.110.10.36 10.110.8.0 0.0.1.255 eq 1556 13720 13724 13782 13783 902 443
 permit ip host 10.110.10.139 host 10.110.18.166
 permit ip host 10.110.10.84 host 10.110.1.190
 permit ip host 10.110.10.84 host 10.110.1.192
 permit ip host 10.110.10.84 host 10.110.1.193
 permit ip host 10.110.10.84 host 10.110.1.191

Is the number of these ACLs huge?

When we add an entry to the ACL, there is no impact, but when we delete an entry from the ACL, there is a brief traffic disruption.
Previously, I found "It programs its hardware with the ACL information it processes." in the Cisco documentation, which means that the ACL information is written into the hardware.
Given the above, my confusion is why there is no traffic interruption when adding an ACL entry, but a traffic interruption occurs when an entry in the ACL is deleted.
Also, I found a bug, CSCvi01706, but it is about the 4500, not the 3850.

I hope you can help me solve this problem. I am very anxious, thank you.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

petenixon
Level 3

Hi,

I think that's expected behaviour if you have a really large ACL: the switch will need to "recompile" it if you make a change to it. Best practice, however, is to remove an ACL before you make a change. Once removed, you can make your change before you re-apply it to the interface.

ACEs are stored in the TCAM on a switch, so I would take a look at the TCAM utilisation in case you have other long ACLs that are causing resource exhaustion:

show platform tcam utilization

Hi petenixon;

Thanks for your response.
Do you think the example, with about 80 to 90 ACEs, counts as a large ACL? Is there any document for this?

Then, I have another question: why does the problem not happen when I add some ACEs to the ACL? It only happened when we removed an ACE from the ACL.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

Hi,

You'll be limited on a switch to the maximum number of access control entries which are defined by whichever SDM template you are using. You can check your current SDM template by using the command:

show sdm prefer

And again, I would follow that up by checking the TCAM utilisation using the command in my previous post.

I would say that any ACL is too large if you can summarise some of the entries and you're not doing that. I would definitely offload any ACLs that you can to a firewall (if you have one). I'd also log the entries until you can see which ones are actually needed.

Out of interest, how are you evidencing the traffic interruption?
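The two suggestions in the replies above, detaching the ACL before editing it and summarising entries where you can, as a worked example. This is added code, not petenixon's, the poster's, or Cisco's; it assumes the ACL text has already been copied off the switch, and the function names and dict layout are my own. The sample ACL is a constructed subset of the one in the question. Summarisation uses ipaddress.collapse_addresses on the one address field that differs between otherwise identical ACEs; non-contiguous wildcard masks are not supported, and a group is skipped if a deny sits between its members, since merging would change match order.

```python
"""Parse an extended IOS ACL, flag ACEs that could be summarised, and build a
detach/edit/reattach change script. Added example, not from the thread."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of the ACL posted in the question.
ACL_TEXT = """\
remark SPLUNK-5
permit udp any eq 5514 5515 any
permit tcp any any established
permit tcp host 10.110.10.8 10.110.0.0 0.0.0.255 eq 8089 9997
permit tcp host 10.110.10.8 10.110.1.0 0.0.0.255 eq 8089 9997
permit tcp host 10.110.10.8 10.110.3.0 0.0.0.255 eq 8089 9997
permit tcp host 10.110.10.9 10.110.0.0 0.0.0.255 eq 8089 9997
permit tcp host 10.110.10.9 10.110.1.0 0.0.0.255 eq 8089 9997
permit tcp host 10.110.10.9 10.110.3.0 0.0.0.255 eq 8089 9997
remark BaoLeiQianZhiJi-9
permit ip 10.110.10.116 0.0.0.1 host 10.110.8.30
permit object-group Policy-11 object-group ZiDongHuaQieHuan host 10.110.10.159
permit tcp host 10.110.10.8 host 10.110.3.8 eq 3306
"""

IPV4 = re.compile(r"^\d+\.\d+\.\d+\.\d+$")
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}
STOP_WORDS = {"any", "host", "object-group", "established", "log", "log-input"}


def _take_addr(tokens):
    """Consume one address spec; returns (network or 'object-group NAME', rest)."""
    t = tokens[0]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if t == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if t == "object-group":
        return f"object-group {tokens[1]}", tokens[2:]
    # 'A.B.C.D W.W.W.W': ipaddress accepts a contiguous wildcard (host) mask after '/'
    return ipaddress.ip_network(f"{t}/{tokens[1]}", strict=False), tokens[2:]


def _take_ports(tokens):
    """Consume an optional port operator and its values ('eq' may list several)."""
    if not tokens or tokens[0] not in PORT_OPS:
        return "", tokens
    op, rest = tokens[0], tokens[1:]
    if op == "range":
        return f"range {rest[0]} {rest[1]}", rest[2:]
    vals = []
    while rest and rest[0] not in STOP_WORDS and not IPV4.match(rest[0]):
        vals.append(rest.pop(0))
    return f"{op} {' '.join(vals)}", rest


def parse_acl(text):
    """Parse each line into a dict; remarks are kept so positions match the ACL."""
    aces = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0].isdigit():            # optional sequence number
            tokens = tokens[1:]
        if tokens[0] == "remark":
            aces.append({"action": "remark", "text": raw.strip()})
            continue
        action, rest = tokens[0], tokens[1:]
        if rest[0] == "object-group":      # service object-group used as protocol
            proto, rest = f"object-group {rest[1]}", rest[2:]
        else:
            proto, rest = rest[0], rest[1:]
        src, rest = _take_addr(rest)
        sport, rest = _take_ports(rest)
        dst, rest = _take_addr(rest)
        dport, rest = _take_ports(rest)
        aces.append({"action": action, "proto": proto, "src": src, "sport": sport,
                     "dst": dst, "dport": dport, "flags": " ".join(rest),
                     "text": raw.strip()})
    return aces


def summarise_candidates(aces):
    """Group ACEs that differ only in src or only in dst and try to merge that
    field's networks into fewer prefixes. Skip a group if a deny ACE sits
    between its members, because merging would reorder matching."""
    results = []
    for field in ("dst", "src"):
        other = "src" if field == "dst" else "dst"
        groups = defaultdict(list)
        for i, a in enumerate(aces):
            if a["action"] == "remark" or isinstance(a[field], str):
                continue                   # remarks and object-groups cannot be merged
            key = (a["action"], a["proto"], str(a[other]), a["sport"], a["dport"], a["flags"])
            groups[key].append((i, a[field]))
        for key, members in groups.items():
            idx = [i for i, _ in members]
            if any(aces[j]["action"] == "deny" for j in range(min(idx), max(idx))):
                continue
            merged = list(ipaddress.collapse_addresses(n for _, n in members))
            if len(merged) < len(members):
                results.append({"field": field, "key": key, "before": len(members),
                                "after": len(merged), "networks": [str(n) for n in merged]})
    return results


def change_script(acl_name, interface, direction, remove):
    """Procedure from the first reply: detach the ACL from the SVI, edit it,
    reattach it, then verify. The SVI is unfiltered while detached."""
    cmds = ["configure terminal", f"interface {interface}",
            f" no ip access-group {acl_name} {direction}", " exit",
            f"ip access-list extended {acl_name}"]
    cmds += [f" no {line}" for line in remove]
    cmds += [" exit", f"interface {interface}", f" ip access-group {acl_name} {direction}",
             "end", f"show ip access-lists {acl_name}", "show platform tcam utilization"]
    return cmds


if __name__ == "__main__":
    aces = parse_acl(ACL_TEXT)
    for c in summarise_candidates(aces):
        print(f"{c['field']}: {c['before']} ACEs -> {c['after']}: {c['networks']}")
    print("\n".join(change_script("MGT-V110-ACL", "Vlan110", "in",
                                  ["permit tcp host 10.110.10.8 host 10.110.3.8 eq 3306"])))
```

Run against the sample, the script reports that the three 10.110.10.8 Splunk destinations collapse to 10.110.0.0/23 plus 10.110.3.0/24, and that the .8 and .9 source hosts collapse to 10.110.10.8/31 for each destination; whether those merges are acceptable is a policy decision, since a /23 also admits 10.110.0.0 and 10.110.1.255 that the two /24s did not. The generated script keeps the detach-before-edit ordering from the first reply and ends with the TCAM check.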

Hi petenixon;

We did not configure sdm prefer, so the config is the default, which supports 3K security ACEs. But in this case, none of the ACLs reach 100 entries.
This issue happened when we removed some unused ACEs, and it also happened on a Catalyst 3650. So I think it is a bug, but I cannot find any bug ID for it.
We met this issue because we removed the ACEs which were unused; all the work traffic and management traffic was interrupted for about seven seconds. To test this, we did it three times, but the result was the same. When we add an ACE to the ACL, the traffic is not interrupted, but if we remove any one ACE, the issue appears.
In addition, the software release is 03.07.04E for the C3850. Do you have any ideas about this?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !