Cisco Support Community

New Member

MAC ACL Performance

We're planning on using MAC ACL port security to disallow unauthorized access into the LAN. But what I can't seem to find anything on is whether there is any appreciable performance loss in using this (Cisco 3750 switches)?

Also, from what I can tell, this solution won't work well without enabling it at every end switch, since uplink ports get confused and then disabled?



Re: MAC ACL Performance

The TCAM is a specialized piece of memory designed for rapid table lookups by the ACL engine on the Catalyst 3750 switches. The ACL engine performs ACL lookups based on packets passing through the switch. The result of the ACL engine lookup into the TCAM determines how the switch handles a packet. For example, the packet might be permitted or denied. The TCAM has a limited number of entries that are populated with mask values and pattern values.

The main issue users face when configuring ACLs on the Catalyst 3750 family switches is resource contention and exhaustion. Since the Catalyst 3750 switches enforce several types of ACLs in hardware rather than in software, the switch programs hardware lookup tables and various hardware registers in the TCAM subsystem, so that when a packet arrives, the switch can perform a hardware table lookup and perform the appropriate action.

The Catalyst 3750 uses a central TCAM subsystem that is shared between Layer 2 and Layer 3 forwarding entries, RACLs, VACLs and QoS ACLs.

There is no per-port or per-VLAN limit on the maximum number of ACLs on the Catalyst 3750.

The numbers are VMRs (or TCAM entries) generated by the ACL merge algorithm, rather than the original ACEs configured by the user.

Try these links:

Also check this bug ID: CSCef02852
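As an added illustration (not part of the original thread), the following Catalyst 3750 configuration shows the two mechanisms the question mixes together, a named MAC ACL and port security, on one access port, leaves the uplink trunk out of port security for the reason the question gives, and ends with the show commands used to check how many TCAM entries the merged ACL actually consumed. The ACL name, interface numbers, VLAN and MAC addresses are constructed values.

```ios
! Added example, not from the thread. ACL name, interfaces, VLAN and
! MAC addresses are constructed.
!
! Option A: a named MAC ACL. The ACL merge algorithm turns these ACEs
! into TCAM entries (VMRs), so the TCAM cost is not simply the ACE count.
mac access-list extended ALLOWED-HOSTS
 permit host 0011.2233.4455 any
 permit host 0011.2233.4466 any
 deny   any any
!
interface GigabitEthernet1/0/1
 description user access port
 switchport mode access
 switchport access vlan 10
 ! MAC ACLs on Layer 2 ports apply inbound only
 mac access-group ALLOWED-HOSTS in
 ! Option B: port security bounds the number of learned source MACs per
 ! port and needs no per-host ACE. "restrict" drops and counts offending
 ! frames instead of err-disabling the port.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 description uplink to distribution
 switchport mode trunk
 ! No port security here: a trunk legitimately sees many source MACs and
 ! would hit the violation limit, which is the uplink problem the question
 ! describes.
!
! Verification: TCAM usage after the ACL merge, the active SDM template
! that sets the TCAM region sizes, and per-port state.
show platform tcam utilization
show sdm prefer
show mac access-group interface GigabitEthernet1/0/1
show port-security interface GigabitEthernet1/0/1
```

Compare the output of `show platform tcam utilization` before and after applying the ACL to see the real entry count, since the merged VMR total, not the number of configured ACEs, is what the shared TCAM has to hold.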