Cisco Support Community

The deletion of an ACL that is still bound to a VLAN interface results in high CPU utilization.

Core issue

The Ternary Content Addressable Memory (TCAM) is used for forwarding lookups. TCAM is a specialized piece of memory designed for rapid table lookups by the Access Control List (ACL) engine on the switches. The ACL engine performs ACL lookups based on packets that pass through the switch.

The result of the ACL engine lookup into the TCAM determines how the switch handles a packet. The switch can either permit or deny a packet. The TCAM has a limited number of entries that are populated with mask values and pattern values. There is one mask for every eight entries in the TCAM.

The ACL feature manager produces the set of Values, Masks, and Results (VMRs) that are installed in the TCAM. In some cases, the ACLs configured are subjected to the ACL merge algorithm during the configuration process. Refer to the ACL Merge Algorithms section of Understanding ACL on Catalyst 6500 Series Switches for more information.

For a given VLAN in a given direction (input or output), a lookup in the TCAM produces one or more results based on the longest-match hit. Therefore, the entries in the TCAM must either be arranged in a specific order or be represented in an order-independent manner.
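As an added illustration (not Cisco's code and not from this page), a simplified Python model of the TCAM lookup described above: Value/Mask/Result entries matched against a constructed destination-address key, the first hit in index order winning, and a mask-slot count that uses the page's one-mask-per-eight-entries ratio. The single-field key, the block packing rule and the sample ACL are assumptions made for the illustration; real hardware keys cover more packet fields and pass through the merge algorithm first.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from math import ceil
from typing import Dict, List, Optional, Tuple

@dataclass
class Vmr:
    """One TCAM entry (Value, Mask, Result); mask bit 1 = compare, 0 = don't care."""
    value: int
    mask: int
    result: str

    def matches(self, key: int) -> bool:
        return (key & self.mask) == (self.value & self.mask)

class Tcam:
    """Simplified order-dependent TCAM: the lowest-indexed matching entry wins."""
    def __init__(self) -> None:
        self.entries: List[Vmr] = []

    def install(self, cidr: str, result: str) -> None:
        addr, prefix = cidr.split("/")
        mask = (0xFFFFFFFF << (32 - int(prefix))) & 0xFFFFFFFF
        self.entries.append(Vmr(int(IPv4Address(addr)), mask, result))

    def lookup(self, dst: str) -> Optional[str]:
        key = int(IPv4Address(dst))
        for entry in self.entries:
            if entry.matches(key):
                return entry.result
        return None  # no hit; a real ACL would apply its implicit deny here

    def mask_slots(self, per_mask: int = 8) -> int:
        """Mask slots used when one mask serves up to eight entries (the page's
        ratio) and a block holds only entries that share that mask (assumption)."""
        counts: Dict[int, int] = {}
        for entry in self.entries:
            counts[entry.mask] = counts.get(entry.mask, 0) + 1
        return sum(ceil(n / per_mask) for n in counts.values())

def lookup_with_order(acl: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Install (cidr, result) pairs in the given order, then look up one address."""
    tcam = Tcam()
    for cidr, result in acl:
        tcam.install(cidr, result)
    return tcam.lookup(dst)

# Constructed ACL: deny one host, permit the rest of its /24; reversed, the deny is shadowed.
INTENDED = [("10.1.1.5/32", "deny"), ("10.1.1.0/24", "permit")]
SHADOWED = [("10.1.1.0/24", "permit"), ("10.1.1.5/32", "deny")]
```

Nine entries that share a mask consume two mask slots under this model, while nine entries with nine different masks consume nine, which is why ACLs with many distinct masks fill the TCAM faster than their line count suggests.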