
ACL entries capability?

jun.gao
Level 1

Hi All,

I set up many MAC access-list entries on my Catalyst 3560 (Version 12.2(25)SEB4) to prevent unauthorized computers/devices from accessing the network.

mac access-list extended PermittedHost
 permit host 0025.6498.65d9 any
 permit host f04d.a22d.53ca any
 permit host f04d.a22d.54b7 any
 permit host f04d.a229.e173 any
 permit host b8ac.6f42.cd1a any
 permit host 0011.111c.d43c any
 permit host 0011.118d.98ac any
 permit host 0011.115f.89b7 any
 permit host 0013.2080.6779 any
 permit host 000d.8846.e468 any
 permit host 00c0.02fd.3047 any
......
......
......
! FastEthernet 0/1 is the uplink port
interface range FastEthernet 0/2 - 24
 mac access-group PermittedHost in

There are now more than 700 MAC access-list entries in my extended access-list "PermittedHost". I'm worried about the capability of the max access-list entries.

Thanks,

Jun Gao

3 Replies

v_paranoid
Level 1

I can't find info on a particular number, but I suspect that an ACL can contain around the mac-address-table size.

So it could be up to 12,000 MAC addresses.

You can generate a long list and try it in a lab :-)

Hi v_paranoid, thanks for your reply. So it means it will not be necessary for me to care about the ACL entries capability at all. That's good. BTW, are you from the US? It's midnight in the US now. Are you still working? :-)

Jun Gao

We used to have an ACL with around 3000 lines with no problem.

I'm in Russia.

We have had, though, a strange problem with a long ACL on a 6500 while using it for UBRL.

It looked like it once compiled incorrectly and the "implicit deny" was somewhere in the middle :-)

It was fixed by reapplying this same ACL.
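
For the lab test suggested in the thread, the following Python is an added example, not code from any poster or from Cisco: it builds a MAC ACL of any size from constructed, locally administered addresses and audits a configuration text for the entry count and repeated MACs in a named ACL. The function names `lab_mac`, `generate_acl` and `audit_acl`, the ACL name `LabTest` and the sample configuration are assumptions made for illustration.

```python
import re

ACL_RE = re.compile(r"^mac access-list extended\s+(\S+)$")
ACE_RE = re.compile(r"^(permit|deny)\s+(.*)$", re.I)
HOST_RE = re.compile(r"^host\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+any$", re.I)

# Constructed sample: one MAC is deliberately entered twice.
SAMPLE = """\
mac access-list extended PermittedHost
 permit host 0200.0000.0001 any
 permit host 0200.0000.0002 any
 permit host 0200.0000.0001 any
!
interface FastEthernet0/2
 mac access-group PermittedHost in
"""

def lab_mac(i):
    """i-th constructed lab MAC, locally administered (0200.xxxx.xxxx)."""
    return "0200.%04x.%04x" % ((i >> 16) & 0xFFFF, i & 0xFFFF)

def generate_acl(name, count):
    """Build a MAC ACL with `count` distinct permit entries for a lab switch."""
    lines = ["mac access-list extended %s" % name]
    lines += [" permit host %s any" % lab_mac(i) for i in range(count)]
    return "\n".join(lines) + "\n"

def audit_acl(config_text, name):
    """Count source-host entries in the named MAC ACL and list repeated MACs."""
    current, seen, dupes, total = None, set(), [], 0
    for raw in config_text.splitlines():
        line = raw.strip()
        header, ace = ACL_RE.match(line), ACE_RE.match(line)
        if header:
            current = header.group(1)
        elif ace:
            host = HOST_RE.match(ace.group(2).strip())
            if current == name and host:
                total += 1
                mac = host.group(1).lower()
                if mac in seen:
                    dupes.append(mac)
                seen.add(mac)
        elif line and not line.startswith("!"):
            current = None  # any other command ends the ACL block
    return {"entries": total, "unique": len(seen), "duplicates": dupes}

if __name__ == "__main__":
    print(audit_acl(SAMPLE, "PermittedHost"))
    print(audit_acl(generate_acl("LabTest", 3000), "LabTest"))
```

Running the audit against a saved copy of the running configuration before and after reapplying an ACL shows whether the configured entries themselves changed; it cannot see how the switch compiled them in hardware.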
