Cisco Bug: CSCvs74735 - Large scale ACL with range L4 operators is dropping permitted packets

Last Modified

Sep 01, 2020

Products (1)

  • Cisco Catalyst 9500 Series Switches

Known Affected Releases

16.12.2, 16.6.7, 16.9.4, 17.1.1

Description (partial)

Symptom:
After large-scale ACLs containing 100 or more ACEs with the L4 "range" operator are applied, the device drops packets that the ACL permits.

Example:

<ACLs with a large number of ACEs (more than 100 in total) using L4 "range" operators>

ip access-list extended Some-Big-Extended_ACL
 permit tcp host 192.168.1.1 range 1099 1100 172.20.0.0 0.0.255.255 established <<<<<<< is dropping traffic
 permit tcp host 192.168.1.1 range 3402 3403 172.20.0.0 0.0.255.255 established

Not every entry fails once the threshold is reached; only some of the ACEs drop permitted traffic.

Conditions:
1. 100+ ACEs with the L4 "range" operator in the running configuration.
2. Day 1 issue; all current releases are affected.
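To tell whether a device's running configuration crosses the threshold in the conditions above, the following script counts ACEs that use a L4 "range" operator across every named ACL in an IOS-XE style running-config and flags the total against the reported limit. This is an added example, not Cisco's code and not part of the bug report: the embedded sample config is constructed, the names `count_range_aces`, `range_ace_total`, `exposed_to_cscvs74735` and `build_acl` are this example's own, and the "100+" condition is read as "at least 100" (an assumption).

```python
import re
from typing import Dict, Optional

# Assumption: "100+" in the bug report is read as >= 100 ACEs with a range operator.
RANGE_ACE_THRESHOLD = 100

# Named ACL header, e.g. "ip access-list extended Some-Big-Extended_ACL"
ACL_HEADER = re.compile(r"^ip access-list\s+(?:extended|standard)\s+(\S+)\s*$")
# ACE body: indented, optional sequence number, then permit/deny and the rest.
# "remark" lines deliberately do not match, so the word "range" in a remark is ignored.
ACE_LINE = re.compile(r"^\s+(?:\d+\s+)?(permit|deny)\s+(.*)$")
# L4 "range" operator: the keyword followed by two port values (numbers or names)
RANGE_OP = re.compile(r"\brange\s+\S+\s+\S+")

# Constructed sample running-config fragment (not taken from any real device).
SAMPLE_CONFIG = """\
hostname edge-9500
!
ip access-list extended Some-Big-Extended_ACL
 remark port range entries for the legacy app
 permit tcp host 192.168.1.1 range 1099 1100 172.20.0.0 0.0.255.255 established
 permit tcp host 192.168.1.1 range 3402 3403 172.20.0.0 0.0.255.255 established
 permit tcp host 192.168.1.2 eq 443 172.20.0.0 0.0.255.255
 permit udp any any range 16384 32767
 deny   ip any any
!
ip access-list extended Small_ACL
 permit tcp any eq 22 host 10.0.0.5
 permit tcp any host 10.0.0.6 range 8000 8010
!
interface TenGigabitEthernet1/0/1
 ip access-group Some-Big-Extended_ACL in
"""


def count_range_aces(config: str) -> Dict[str, int]:
    """Return {acl_name: number of ACEs that use a L4 range operator}."""
    counts: Dict[str, int] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            counts.setdefault(current, 0)
            continue
        if not line.startswith(" "):
            current = None  # left the ACL block ("!" or another top-level command)
            continue
        if current is None:
            continue
        ace = ACE_LINE.match(line)
        # An ACE with a range on both source and destination still counts once.
        if ace and RANGE_OP.search(ace.group(2)):
            counts[current] += 1
    return counts


def range_ace_total(config: str) -> int:
    """Total range ACEs across the whole running configuration (the bug's condition)."""
    return sum(count_range_aces(config).values())


def exposed_to_cscvs74735(config: str, threshold: int = RANGE_ACE_THRESHOLD) -> bool:
    """True when the config meets the reported trigger condition for this bug."""
    return range_ace_total(config) >= threshold


def build_acl(name: str, n_range_aces: int) -> str:
    """Constructed helper: synthesize an extended ACL whose every entry uses a
    destination port range, to exercise the threshold check at scale."""
    lines = [f"ip access-list extended {name}"]
    for i in range(n_range_aces):
        lo = 1000 + 2 * i
        lines.append(f" permit tcp any 172.20.0.0 0.0.255.255 range {lo} {lo + 1}")
    lines.append("!")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for acl, n in count_range_aces(SAMPLE_CONFIG).items():
        print(f"{acl}: {n} range ACE(s)")
    print("total:", range_ace_total(SAMPLE_CONFIG),
          "exposed:", exposed_to_cscvs74735(SAMPLE_CONFIG))
```

Feed it the output of `show running-config` saved to a file; the check only reports whether the device is at or above the reported trigger count, it cannot predict which individual ACEs will drop traffic, since the report states that only a subset of entries fail.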