New Member

ACL entries capability?

Hi All,

I set up many MAC access-list entries on my Catalyst 3560 (Version 12.2(25)SEB4) to prevent unauthorized computers/devices from accessing the network.

mac access-list extended PermittedHost
 permit host 0025.6498.65d9 any
 permit host f04d.a22d.53ca any
 permit host f04d.a22d.54b7 any
 permit host f04d.a229.e173 any
 permit host b8ac.6f42.cd1a any
 permit host 0011.111c.d43c any
 permit host 0011.118d.98ac any
 permit host 0011.115f.89b7 any
 permit host 0013.2080.6779 any
 permit host 000d.8846.e468 any
 permit host 00c0.02fd.3047 any
!
! FastEthernet 0/1 is the uplink port
interface range FastEthernet 0/2 - 24
 mac access-group PermittedHost in

There are now more than 700 MAC access-list entries in my extended access list "PermittedHost". I'm worried about the maximum access-list entry capacity.


Jun Gao

New Member

I can't find information on a particular number, but I suspect that an ACL can contain around the MAC address table size.

So it could be up to 12,000 MAC addresses.

You can generate a long list and try it in a lab :-)
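
The lab test suggested above, as an added example that is not part of the original thread: a Python generator that turns a MAC inventory into the `PermittedHost`-style ACL from the first post, rejecting malformed, duplicate and group addresses, and that can also emit a lab-sized list. The function names, the `LabTest` ACL name, the sample inventory and the 3000-entry size are assumptions constructed for illustration.

```python
import re

def to_cisco_mac(raw):
    """Normalize a MAC (':', '-', '.' or no separators) to IOS xxxx.xxxx.xxxx form."""
    digits = re.sub(r"[.:\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def build_mac_acl(name, macs, interface_range):
    """Return (config_lines, rejected); rejected holds (input, reason) pairs."""
    seen, entries, rejected = set(), [], []
    for raw in macs:
        try:
            mac = to_cisco_mac(raw)
        except ValueError:
            rejected.append((raw, "malformed"))
            continue
        if int(mac[1], 16) & 1:  # group bit set: not a valid station address
            rejected.append((raw, "group address"))
        elif mac in seen:        # a repeated entry adds nothing to the policy
            rejected.append((raw, "duplicate"))
        else:
            seen.add(mac)
            entries.append(f" permit host {mac} any")
    config = [f"mac access-list extended {name}", *entries, "!",
              f"interface range {interface_range}",
              f" mac access-group {name} in"]
    return config, rejected

def lab_macs(count):
    """Constructed test data: locally administered unicast addresses (02xx.xxxx.xxxx)."""
    return [f"02{i:010x}" for i in range(count)]

if __name__ == "__main__":
    # Constructed inventory in mixed notations, with one duplicate and two bad rows.
    inventory = ["00:25:64:98:65:D9", "f04d.a22d.53ca", "F0-4D-A2-2D-53-CA",
                 "ff:ff:ff:ff:ff:ff", "0011.111c.d4"]
    config, rejected = build_mac_acl("PermittedHost", inventory, "FastEthernet 0/2 - 24")
    print("\n".join(config))
    print("rejected:", rejected)
    # Lab-sized list (3000 entries, a constructed size) to paste into a test switch.
    big, _ = build_mac_acl("LabTest", lab_macs(3000), "FastEthernet 0/2 - 24")
    print(len(big) - 4, "permit entries generated")
```

On the lab switch, `show sdm prefer` lists the active template's approximate security ACE allocation, which is the figure to compare the generated entry count against.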

New Member

Hi v_paranoid, thanks for your reply. So it means it will not be necessary for me to worry about the ACL entry capacity at all. That's good. BTW, are you from the US? It's midnight in the US now. Are you still working? :-)

Jun Gao

New Member

We used to have an ACL with around 3000 lines with no problem.

I'm in Russia.

We did, though, have a strange problem with a long ACL on a 6500 while using it for UBRL.

It looked like it once compiled incorrectly and the "implicit deny" was somewhere in the middle :-)

It was fixed by reapplying the same ACL.