Tuesday, February 23, 2021

How to deal with TCAM ACL limitations?

If you're running an NX-OS switch with 200 VLANs and using it as an L3 router, how would you go about dealing with TCAM limitations with regard to ACLs? Each VLAN is set up with HSRP and requires an ACL that permits only routing and ICMP traffic to the gateway IP.

The limit on the number of ACLs on an NX-OS switch is 62. You could essentially write several large ACLs and place one on each VLAN, but then you start getting "Tcam resource exhausted" because the number of ACEs exhausts the TCAM. Is there a way around this without resorting to external hardware?

This is the security requirement: "The Cisco switch must be configured to restrict traffic destined to itself"

It specifically requires ACLs blocking non-management and non-control-plane traffic to any IP on the switch, even from internal networks.
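To make the sizing problem concrete, here is an added example (not from the post or from Cisco) that generates the per-VLAN "protect the switch's own IPs" ACL in NX-OS syntax and counts how many ACLs and TCAM entries the two obvious designs consume: one ACL per VLAN versus a single ACL listing every VLAN's addresses and applied to all SVIs. The 62-ACL limit is the figure from the post; the TCAM entry budget, the one-TCAM-entry-per-ACE expansion, the management subnet, the VLAN addressing and the ACL names are constructed assumptions that must be replaced with the real platform numbers and addressing.

```python
"""Added example: model the ACL-count and TCAM cost of protecting an NX-OS
switch's own IPs on every VLAN, and emit the ACL text for one VLAN."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

ACL_LIMIT = 62            # from the post
TCAM_ACE_BUDGET = 1024    # constructed placeholder, not a real platform figure


@dataclass(frozen=True)
class Vlan:
    vlan_id: int
    svi_ip: IPv4Address    # this switch's own SVI address
    hsrp_vip: IPv4Address  # shared HSRP gateway address


def protect_aces(vlan: Vlan, mgmt_net: str) -> list[str]:
    """ACEs allowing only ICMP, OSPF and SSH-from-management to the switch's
    own addresses on this VLAN, denying everything else aimed at them, and
    leaving transit traffic untouched (NX-OS syntax). Multicast-addressed
    hellos (OSPF 224.0.0.5/6, HSRP 224.0.0.2/224.0.0.102) are not matched by
    'deny ip any host <own-ip>' and therefore need no permit here."""
    mgmt = IPv4Network(mgmt_net)            # validates the constructed subnet
    aces: list[str] = []
    for ip in (vlan.svi_ip, vlan.hsrp_vip):
        aces += [
            f"permit icmp any host {ip}",
            f"permit ospf any host {ip}",    # unicast DBD/LSR exchange
            f"permit tcp {mgmt} host {ip} eq 22",
            f"deny ip any host {ip}",
        ]
    aces.append("permit ip any any")        # transit traffic is out of scope
    return aces


def render_acl(name: str, aces: list[str], step: int = 10) -> str:
    """Render ACEs as an NX-OS 'ip access-list' block with sequence numbers."""
    lines = [f"ip access-list {name}"]
    lines += [f"  {n * step} {ace}" for n, ace in enumerate(aces, start=1)]
    return "\n".join(lines)


@dataclass(frozen=True)
class Plan:
    acl_count: int
    tcam_entries: int

    def fits(self) -> bool:
        return self.acl_count <= ACL_LIMIT and self.tcam_entries <= TCAM_ACE_BUDGET


def per_vlan_plan(vlans: list[Vlan], mgmt_net: str) -> Plan:
    """One ACL per VLAN: each ACL is installed separately, so TCAM cost is
    the sum of all ACE counts (assumed one TCAM entry per ACE)."""
    return Plan(len(vlans), sum(len(protect_aces(v, mgmt_net)) for v in vlans))


def shared_plan(vlans: list[Vlan], mgmt_net: str) -> Plan:
    """One ACL listing every VLAN's addresses, applied to all SVIs. Assumes
    the platform installs one copy of a shared ACL; it sidesteps the 62-ACL
    limit but keeps every per-address ACE, so TCAM barely improves."""
    per_vlan = sum(len(protect_aces(v, mgmt_net)) - 1 for v in vlans)
    return Plan(1, per_vlan + 1)            # one trailing 'permit ip any any'


def demo_vlans(n: int) -> list[Vlan]:
    """Constructed sample: VLAN i is 10.i.0.0/24, .2 is this switch, .1 is the VIP."""
    return [Vlan(i, IPv4Address(f"10.{i}.0.2"), IPv4Address(f"10.{i}.0.1"))
            for i in range(1, n + 1)]


if __name__ == "__main__":
    mgmt = "10.250.0.0/24"                  # constructed management subnet
    vlans = demo_vlans(200)
    print(render_acl(f"PROTECT-VLAN{vlans[0].vlan_id}", protect_aces(vlans[0], mgmt)))
    for label, plan in (("per-VLAN", per_vlan_plan(vlans, mgmt)),
                        ("shared", shared_plan(vlans, mgmt))):
        print(f"{label}: {plan.acl_count} ACLs, {plan.tcam_entries} TCAM entries, "
              f"fits={plan.fits()}")
```

With 200 VLANs the per-VLAN design needs 200 ACLs and 1,800 entries under this model, and the shared design still needs 1,601 entries, which is the shape of the problem the post describes: collapsing ACLs fixes the ACL-count limit but not the ACE count, because every protected address still costs its own entries. Replace the budget constant with the figure your platform reports before trusting the `fits()` verdict.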
