Cisco Bug: CSCvs74735 - Large scale ACL with range L4 operators is dropping permitted packets
Sep 01, 2020
- Cisco Catalyst 9500 Series Switches
Known Affected Releases
16.12.2 16.6.7 16.9.4 17.1.1
Symptom: Once large-scale ACLs with 100+ L4 "range" operators are applied, the device drops permitted packets.

Example (ACLs with a large number of ACEs, more than 100 in total, using L4 "range" operators):

ip access-list extended Some-Big-Extended_ACL
 permit tcp host 192.168.1.1 range 1099 1100 172.20.0.0 0.0.255.255 established   <<<<<<< is dropping traffic
 permit tcp host 192.168.1.1 range 3402 3403 172.20.0.0 0.0.255.255 established

Not every entry fails once the threshold is reached.

Conditions:
1. 100+ ACEs with the L4 "range" operator in the running configuration.
2. Day 1 issue; all current releases are affected.
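Because the trigger is a count of ACEs carrying the L4 "range" operator across the running configuration, an operator wanting to know whether a given Catalyst 9500 is exposed needs to total those ACEs before (or instead of) waiting for silent drops. The following Python check is an added example, not code from Cisco or from this bug record; it parses a show running-config style text, counts permit/deny ACEs that use "range" per extended ACL (named ACLs as on the page, plus numbered access-list lines and sequence-numbered ACEs as a generalization), and flags the 100+ condition. The sample configuration and the synthetic ACL generator are constructed for the example, and the threshold of 100 is the figure stated in the bug's conditions.

```python
"""Count ACEs that use the L4 "range" operator across all extended ACLs in an
IOS-XE running configuration and compare the total with the 100+ condition
described for CSCvs74735.

Added example; the sample configuration below is constructed, not taken from
the bug page.
"""
import re
from typing import Dict

# Named extended ACL header, e.g. "ip access-list extended Some-Big-Extended_ACL".
ACL_HEADER = re.compile(r"^ip access-list extended (\S+)\s*$")
# Numbered extended ACL entry, e.g. "access-list 101 permit tcp any any range 1 2".
NUMBERED = re.compile(r"^access-list (\d+) (permit|deny)\b")
# An L4 "range <lo> <hi>" operator, on either the source or destination side.
RANGE_OP = re.compile(r"\brange\s+\S+\s+\S+\b")
# Optional sequence number in front of an ACE, e.g. "10 permit tcp ...".
SEQ_PREFIX = re.compile(r"^\d+\s+")


def count_range_aces(config: str) -> Dict[str, int]:
    """Return {acl_name_or_number: number of ACEs that carry a range operator}.

    An ACE with a range on both source and destination counts once, because the
    bug condition is phrased in ACEs, not operators.
    """
    counts: Dict[str, int] = {}
    current = None  # name of the named ACL whose indented ACEs we are inside
    for raw in config.splitlines():
        line = raw.rstrip()
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            counts.setdefault(current, 0)
            continue
        numbered = NUMBERED.match(line)
        if numbered:
            current = None  # numbered ACEs are top-level, so any named ACL has ended
            if RANGE_OP.search(line):
                acl = numbered.group(1)
                counts[acl] = counts.get(acl, 0) + 1
            continue
        if not line.startswith(" "):
            current = None  # any other non-indented line ends the named ACL block
            continue
        if current is None:
            continue
        ace = SEQ_PREFIX.sub("", line.strip())
        if not ace.startswith(("permit", "deny")):
            continue  # remarks and other sub-commands are not ACEs
        if RANGE_OP.search(ace):
            counts[current] += 1
    return counts


def total_range_aces(config: str) -> int:
    """Total range-operator ACEs across every ACL in the configuration."""
    return sum(count_range_aces(config).values())


def meets_bug_condition(config: str, threshold: int = 100) -> bool:
    """True when the total reaches the "100+ ACEs with range" condition."""
    return total_range_aces(config) >= threshold


def synthetic_acl(name: str, n: int) -> str:
    """Build a constructed named ACL with n range ACEs, for exercising the check."""
    lines = [f"ip access-list extended {name}"]
    for i in range(n):
        lo = 1000 + 2 * i
        lines.append(
            f" permit tcp host 192.168.1.1 range {lo} {lo + 1}"
            f" 172.20.0.0 0.0.255.255 established"
        )
    return "\n".join(lines) + "\n!\n"


# Constructed sample running-config excerpt (not from the bug page).
SAMPLE_CONFIG = """\
hostname cat9500-lab
!
ip access-list extended Some-Big-Extended_ACL
 permit tcp host 192.168.1.1 range 1099 1100 172.20.0.0 0.0.255.255 established
 permit tcp host 192.168.1.1 range 3402 3403 172.20.0.0 0.0.255.255 established
 permit tcp host 192.168.1.1 eq 443 172.20.0.0 0.0.255.255
 remark range of ports above is for the app tier
 deny   ip any any log
!
ip access-list extended Small_ACL
 10 permit udp any any range 16384 32767
 20 permit tcp any range 1024 65535 host 10.0.0.5 eq 22
!
access-list 101 permit tcp any any range 5000 5001
access-list 101 deny ip any any
!
"""

if __name__ == "__main__":
    print(count_range_aces(SAMPLE_CONFIG))  # {'Some-Big-Extended_ACL': 2, 'Small_ACL': 2, '101': 1}
    print(meets_bug_condition(SAMPLE_CONFIG))  # False
    print(meets_bug_condition(SAMPLE_CONFIG + synthetic_acl("Big", 95)))  # True
```

The parser deliberately ignores remark lines and counts per ACE rather than per operator, so an entry such as `permit tcp any range 1024 65535 host 10.0.0.5 eq 22` is counted once. Run it against a saved `show running-config` to get the per-ACL breakdown and the total that matters for this bug.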
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.