Issue with ip access-list extended rules

Fanch
Spotlight

I have a Catalyst 9500 and I recently cleaned up the ACLs (ip access-list extended applied to an interface). I just removed some entries which were useless. Then some unchanged rules did not apply anymore. I don't have any idea of what happened.

The thing is that if I recreate these rules above (i.e. upper in the list of rules) they are taken into account.

Could it be due to a maximum number of entries reached and if so why was it working with more entries before I cleaned up the list?

Any help would be appreciated.

2 REPLIES

balaji.bandi
Hall of Fame

Can you provide the original ACL list and then the list after the entries were removed (along with an example of something that 'did not apply anymore' after the removal)? It's hard to determine the underlying issue without more concrete information.

As for ACL rule length, the practical ACL limit is not the number of entries but rather the CPU and memory on the system. I know that ASAs don't have an actual limit on the number of entries you can have, and if there is one on the 9500 it would be in the thousands for an extended ACL. (Standard ACLs do have a limit, but I don't remember what it is off the top of my head.)

Maren
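The thread above does not settle why the poster's unchanged entries stopped matching, but it does show the symptom that matters in practice: extended ACLs are evaluated top-down, first match wins, and an entry that sits below a broader entry can never be hit. The block below is an added example, not code from the thread, from Cisco, or from the 9500 itself. It parses a small constructed IOS-style extended ACL (addresses and sequence numbers are made up), evaluates packets in order with the implicit deny at the end, and flags entries that are fully covered by an earlier entry, which is the first check worth running on an ACL before and after a cleanup.

```python
"""First-match evaluation and shadow check for IOS-style extended ACLs.

Added example with a constructed ACL (not the poster's list). Only full
coverage by a single earlier entry is reported; an entry hidden by the
union of several earlier entries is not detected.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK = 0xFFFFFFFF


def ip2int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


@dataclass
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; else tcp/udp/icmp
    src: int
    src_wild: int          # wildcard mask: set bits are "don't care"
    dst: int
    dst_wild: int
    dport: Optional[int]   # None = any destination port


def _addr(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (net, wild, rest)."""
    if tokens[0] == "any":
        return 0, MASK, tokens[1:]
    if tokens[0] == "host":
        return ip2int(tokens[1]), 0, tokens[2:]
    return ip2int(tokens[0]), ip2int(tokens[1]), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse one ACE such as '10 permit tcp 10.1.0.0 0.0.255.255 any eq 22'."""
    t = line.split()
    seq = int(t.pop(0)) if t[0].isdigit() else 0
    action, proto = t[0], t[1]
    src, src_wild, t = _addr(t[2:])
    dst, dst_wild, t = _addr(t)
    dport = int(t[1]) if len(t) >= 2 and t[0] == "eq" else None
    return Ace(seq, action, proto, src, src_wild, dst, dst_wild, dport)


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines if line.strip()]


def _in_range(addr: int, net: int, wild: int) -> bool:
    # Bits the wildcard ignores are masked out before comparing.
    return ((addr ^ net) & ~wild & MASK) == 0


def matches(ace: Ace, proto: str, src: int, dst: int, dport: Optional[int]) -> bool:
    return ((ace.proto == "ip" or ace.proto == proto)
            and _in_range(src, ace.src, ace.src_wild)
            and _in_range(dst, ace.dst, ace.dst_wild)
            and (ace.dport is None or ace.dport == dport))


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """(action, seq) of the first matching ACE, or ('deny', None) for the implicit deny."""
    s, d = ip2int(src), ip2int(dst)
    for ace in acl:
        if matches(ace, proto, s, d, dport):
            return ace.action, ace.seq
    return "deny", None


def _covers_range(onet: int, owild: int, inet: int, iwild: int) -> bool:
    """True if every address matched by the inner range is matched by the outer one."""
    # inner may only ignore bits that outer also ignores, and on the bits
    # outer cares about both networks must agree.
    return ((iwild & ~owild & MASK) == 0
            and ((inet ^ onet) & ~owild & MASK) == 0)


def covers(outer: Ace, inner: Ace) -> bool:
    return ((outer.proto == "ip" or outer.proto == inner.proto)
            and _covers_range(outer.src, outer.src_wild, inner.src, inner.src_wild)
            and _covers_range(outer.dst, outer.dst_wild, inner.dst, inner.dst_wild)
            and (outer.dport is None or outer.dport == inner.dport))


def shadowed_aces(acl: List[Ace]) -> List[Tuple[int, int]]:
    """(shadowed_seq, covering_seq) for every ACE fully covered by an earlier ACE."""
    found = []
    for i, ace in enumerate(acl):
        for earlier in acl[:i]:
            if covers(earlier, ace):
                found.append((ace.seq, earlier.seq))
                break
    return found


# Constructed sample ACL: entry 30 is unreachable because 20 already denies
# everything it would permit. Moving 30 above 20 is what makes it take effect.
ACL_LINES = [
    "10 permit tcp 10.1.0.0 0.0.255.255 any eq 22",
    "20 deny ip 10.1.0.0 0.0.255.255 any",
    "30 permit tcp host 10.1.2.3 any eq 443",
    "40 permit udp any host 192.168.10.5 eq 53",
]
EXAMPLE_ACL = parse_acl(ACL_LINES)

if __name__ == "__main__":
    for seq, by in shadowed_aces(EXAMPLE_ACL):
        print(f"ACE {seq} can never match: fully covered by earlier ACE {by}")
    print(evaluate(EXAMPLE_ACL, "tcp", "10.1.2.3", "203.0.113.7", 443))
```

Paste the output of `show ip access-lists NAME` (sequence numbers included) into `ACL_LINES` to run the same check on a real list; the parser handles `any`, `host`, wildcard pairs and a single `eq` destination port, which covers the common entry shapes, and any other keyword would need to be added before relying on the result.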