cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3922
Views
15
Helpful
10
Replies

Why! More than 5000 entries can not be added to the ACL

netadmincsm
Level 1
Level 1

Hi All

I receive a strange message from our 3750 switches.

I'm running a couple of ACL.  One of them called by around 6 Vlan interfaces give me trouble.

Today I deleted one entry of the ACL to replace it by another and I received this message :

More than 5000 entries can not be added to the ACL ACLName

My ACL have 40 lines. (not more than 5000 )

I look around on google, cisco site, expert exchange but I cannot find anything about that.

Anyone have an idea ?

Thank you veru much

NOTE :

- IOS version : c3750-ipservicesk9-mz.122-50.SE5

- Switch model : WS-C3750G-24

- I recently switch the SDM prefer to routing instead of default to be able to do IPv4 policy-based routing

10 Replies 10

paul
Level 1
Level 1

This could be TCAM exhaustion.  Different ACL structures (like > or <) take up more resources in the TCAM and if you use them a lot it can add up.

You can verify the current state like this:

show tcam [inacl|outacl] [tcam #] statistics

Or if you're on newer 3750 code:

show platform tcam utilization

Why don't you share your 40 line ACL with us and maybe we can determine what is happening?

Here's my sh tcam utilization :

famcoloswL3#sh platform tcam utilization

CAM Utilization for ASIC# 0                      Max            Used

                                             Masks/Values    Masks/values

Unicast mac addresses:                        400/3200         33/185  

IPv4 IGMP groups + multicast routes:          144/1152          6/26   

IPv4 unicast directly-connected routes:       400/3200         33/185  

IPv4 unicast indirectly-connected routes:    1040/8320        131/970  

IPv4 policy based routing aces:               384/512           8/20   

IPv4 qos aces:                                768/768         324/324  

IPv4 security aces:                          1024/1024        929/929  

Note: Allocation of TCAM entries per feature uses

a complex algorithm. The above information is meant

to provide an abstract view of the current TCAM utilization

Are you seeing something special in this ?

boss.silva
Level 1
Level 1

Hello,

I would recommend you to open a TAC with Cisco. Doesn't sound like something normal, even though i was not able to find any bugs for this version. Might be something they didn't catch yet.

Anyway, have you tried re-creating the ACL from scratch? Something unexplainable might be fixed by something unexplainable .

Regards,

Bruno Silva.

Hello,

we have seen similar issues in the past where it got resolved when we removed the ACL  completely and re-configured it back again. we were not able to reproduce this problem in LAB. This is one of those corner case.

If you still face the problem after the above workaround go ahead and open a TAC case.

Thanks,

Ricky Micky

Amit Aneja
Level 3
Level 3

I went through the database to see if this is a known bug and found that there are several similar issues

but all of them have no root cause because the symptom couldn't be

reproduced, but the following workarounds were applicable.

1-      Remove the ACL , reconfigure it and apply it again.

2-      Create another ACL with another number apply it.

3-      Reload (didn't work all the time).

Regards,

Amit

i am experianced this issue. I can not add a new entry in one ACL, let say access-list BLOCK. But i can add another entry in another ACL.

Here is TCAM output.

Checking the platform and here is the output:

sh platform tcam utilization

CAM Utilization for ASIC# 0 Max Used
Masks/Values Masks/values

Unicast mac addresses: 784/6272 92/662
IPv4 IGMP groups + multicast routes: 144/1152 6/26
IPv4 unicast directly-connected routes: 784/6272 92/662
IPv4 unicast indirectly-connected routes: 272/2176 74/501
IPv4 policy based routing aces: 0/0 0/0
IPv4 qos aces: 528/528 18/18
IPv4 security aces: 1024/1024 107/107

Note: Allocation of TCAM entries per feature uses
a complex algorithm. The above information is meant
to provide an abstract view of the current TCAM utilization

The ACL BLOCK only has 500 entries. i tried to remove 1 entry, but no effect. Maybe it can solved with create a new ACL and make 501 entries. But how it can happend?

joseph hatem
Level 1
Level 1

please can someone advise what is the cause of this issue and how it can be solved ?

 

 

Hi had to change the SDM prefer mode from routing to access

Access SDM mode allocate more resources for security aces

You can look at your SDM mode by entering "sh sdm prefer".  You can change it by using the "sdm prefer [type]" command.

Hope that helps

joseph hatem
Level 1
Level 1

could it be a bug ?

i have only 5 entries in the ACL

Hi, Have you resolved the issue? Thesedays. i have a similar issue about this,the device 3850 have a acl,if you add ace to the acl,there is no problem,but if you remove a ace from the acl,the traffic will be interrupt,about six or seven seconds.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !
Review Cisco Networking for a $25 gift card