08-02-2011 05:37 PM - edited 03-07-2019 01:31 AM
Hi All
I receive a strange message from our 3750 switches.
I'm running a couple of ACLs. One of them, called by around 6 VLAN interfaces, gives me trouble.
Today I deleted one entry of the ACL to replace it by another and I received this message :
More than 5000 entries can not be added to the ACL ACLName
My ACL has 40 lines (not more than 5000).
I looked around on Google, the Cisco site and Experts Exchange but I cannot find anything about that.
Does anyone have an idea?
Thank you very much
NOTE :
- IOS version : c3750-ipservicesk9-mz.122-50.SE5
- Switch model : WS-C3750G-24
- I recently switched the SDM prefer to routing instead of default to be able to do IPv4 policy-based routing
08-11-2011 11:05 AM
This could be TCAM exhaustion. Different ACL structures (like > or <) take up more resources in the TCAM and if you use them a lot it can add up.
You can verify the current state like this:
show tcam [inacl|outacl] [tcam #] statistics
Or if you're on newer 3750 code:
show platform tcam utilization
Why don't you share your 40 line ACL with us and maybe we can determine what is happening?
09-08-2011 01:01 PM
Here's my sh tcam utilization:
famcoloswL3#sh platform tcam utilization
CAM Utilization for ASIC# 0                      Max            Used
                                           Masks/Values    Masks/values
 Unicast mac addresses:                     400/3200         33/185
 IPv4 IGMP groups + multicast routes:       144/1152          6/26
 IPv4 unicast directly-connected routes:    400/3200         33/185
 IPv4 unicast indirectly-connected routes: 1040/8320        131/970
 IPv4 policy based routing aces:            384/512           8/20
 IPv4 qos aces:                             768/768         324/324
 IPv4 security aces:                       1024/1024        929/929
Note: Allocation of TCAM entries per feature uses
a complex algorithm. The above information is meant
to provide an abstract view of the current TCAM utilization
Are you seeing something special in this?
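To read the output above the way the earlier reply suggests (checking whether a TCAM region is near its ceiling), here is an added example that is not part of the thread: it parses the per-feature rows of "sh platform tcam utilization", computes how full each region is, and flags the ones at or above a threshold. The sample text is the output posted above, reproduced here as constructed input; the parser also tolerates a 0/0 region, as a later post in this thread shows.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the "sh platform tcam utilization" output posted above.
SAMPLE = """\
CAM Utilization for ASIC# 0                      Max            Used
                                           Masks/Values    Masks/values
 Unicast mac addresses:                     400/3200         33/185
 IPv4 IGMP groups + multicast routes:       144/1152          6/26
 IPv4 unicast directly-connected routes:    400/3200         33/185
 IPv4 unicast indirectly-connected routes: 1040/8320        131/970
 IPv4 policy based routing aces:            384/512           8/20
 IPv4 qos aces:                             768/768         324/324
 IPv4 security aces:                       1024/1024        929/929
"""

# One feature row: "<name>: <max masks>/<max values> <used masks>/<used values>"
ROW_RE = re.compile(r"^\s*(?P<name>[^:]+):\s+(?P<mm>\d+)/(?P<mv>\d+)\s+(?P<um>\d+)/(?P<uv>\d+)\s*$")

@dataclass
class Region:
    name: str
    max_masks: int
    max_values: int
    used_masks: int
    used_values: int

    def pct_used(self) -> float:
        # A 0/0 region (feature not allocated by the current SDM template)
        # has no room at all, so report it as fully used instead of dividing by zero.
        if self.max_values == 0:
            return 100.0
        return 100.0 * self.used_values / self.max_values

    def free_values(self) -> int:
        return self.max_values - self.used_values

def parse_tcam(text: str) -> List[Region]:
    """Return one Region per feature row; header and Note lines do not match ROW_RE."""
    regions = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            regions.append(Region(m["name"].strip(), *(int(m[k]) for k in ("mm", "mv", "um", "uv"))))
    return regions

def near_exhaustion(regions: List[Region], threshold: float = 90.0) -> List[str]:
    """Names of regions at or above the threshold percentage, fullest first."""
    hot = [r for r in regions if r.pct_used() >= threshold]
    return [r.name for r in sorted(hot, key=lambda r: r.pct_used(), reverse=True)]

if __name__ == "__main__":
    for r in parse_tcam(SAMPLE):
        print(f"{r.name:42s} {r.pct_used():5.1f}% used, {r.free_values()} entries free")
    print("near exhaustion:", near_exhaustion(parse_tcam(SAMPLE)))
```

On this sample the security-ACE region is the only one flagged at the default threshold (929 of 1024 values used), which is the region that router ACLs consume.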
08-11-2011 02:50 PM
Hello,
I would recommend you to open a TAC case with Cisco. Doesn't sound like something normal, even though I was not able to find any bugs for this version. Might be something they didn't catch yet.
Anyway, have you tried re-creating the ACL from scratch? Something unexplainable might be fixed by something unexplainable.
Regards,
Bruno Silva.
08-11-2011 03:04 PM
Hello,
We have seen similar issues in the past where it got resolved when we removed the ACL completely and re-configured it back again. We were not able to reproduce this problem in the LAB. This is one of those corner cases.
If you still face the problem after the above workaround go ahead and open a TAC case.
Thanks,
Ricky Micky
09-08-2011 03:10 PM
I went through the database to see if this is a known bug and found that there are several similar issues, but all of them have no root cause because the symptom couldn't be reproduced. The following workarounds were applicable:
1- Remove the ACL, reconfigure it and apply it again.
2- Create another ACL with another number and apply it.
3- Reload (didn't work all the time).
Regards,
Amit
11-13-2016 10:16 PM
I have experienced this issue. I cannot add a new entry in one ACL, let's say access-list BLOCK. But I can add another entry in another ACL.
Here is TCAM output.
Checking the platform and here is the output:
sh platform tcam utilization
CAM Utilization for ASIC# 0                      Max            Used
                                           Masks/Values    Masks/values
 Unicast mac addresses:                     784/6272         92/662
 IPv4 IGMP groups + multicast routes:       144/1152          6/26
 IPv4 unicast directly-connected routes:    784/6272         92/662
 IPv4 unicast indirectly-connected routes:  272/2176         74/501
 IPv4 policy based routing aces:              0/0              0/0
 IPv4 qos aces:                             528/528          18/18
 IPv4 security aces:                       1024/1024        107/107
Note: Allocation of TCAM entries per feature uses
a complex algorithm. The above information is meant
to provide an abstract view of the current TCAM utilization
The ACL BLOCK only has 500 entries. I tried to remove 1 entry, but no effect. Maybe it can be solved by creating a new ACL and making 501 entries. But how can it happen?
04-25-2014 02:32 AM
Please can someone advise what is the cause of this issue and how it can be solved?
04-25-2014 05:46 AM
Hi, I had to change the SDM prefer mode from routing to access.
The access SDM mode allocates more resources for security aces.
You can look at your SDM mode by entering "sh sdm prefer". You can change it by using the "sdm prefer [type]" command.
Hope that helps
04-25-2014 10:02 AM
Could it be a bug?
I have only 5 entries in the ACL.
08-13-2018 06:02 AM