TCAM Exhaustion

Started by deanwebb, February 23, 2018, 06:26:05 AM


deanwebb

This is a topic that I'm seeing crop up in my work and I'd like to understand it better.

I'm starting with these two links: http://www.enterprisenetworkingplanet.com/netsysm/article.php/3527301/On-Your-Network-What-the-Heck-is-a-TCAM.htm

http://etherealmind.com/tcam-detail-review/

In the second link, in the Cisco Implementation section, I hit on the root of the reason why I see TCAM exhaustion. In NAC, we can apply an ACL to an endpoint or a switchport to restrict host traffic. Those ACLs go into the TCAM. If we have enough ACLs, we can exhaust the TCAM resources. So, the question comes back to me as to how best to assign those ACLs to conserve TCAM space.

I suppose if I learned best practices for ACL management, I'd be able to translate those to how my product implements that feature. Sooooooo... Suggestions?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

On the larger Cisco workhorses, e.g. 6500 and 7600, one can adjust Ternary Content Addressable Memory allocations based on IPv4 vs. IPv6 routes in TCAM. Lowering the maximum IPv6 routes, you can raise the maximum of IPv4 routes, and vice versa.

Ref: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117712-problemsolution-cat6500-00.html

And for the Nexus 9Ks; Nexus 7Ks should be similar.
REF: https://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/119032-nexus9k-tcam-00.html
:professorcat:

My Moral Fibers have been cut.

deanwebb

Great links, Ristau. So it looks like the section for ACL is adjustable on a Nexus, but it seems the Catalyst readjustment was just for IPv4/v6 address spaces. Or was that just because of the subject of the article, and that there are commands to tune them for ACLs?

icecream-guy

Quote from: deanwebb on February 23, 2018, 07:33:03 AM
Great links, Ristau. So it looks like the section for ACL is adjustable on a Nexus, but it seems the Catalyst readjustment was just for IPv4/v6 address spaces. Or was that just because of the subject of the article, and that there are commands to tune them for ACLs?

Not sure. When we were migrating DOJ to IPv6, we had to make adjustments to TCAM to provide room for IPv6 in routing tables, and reboot. That's my life experience.

Uncle Google says it's possible:
https://supportforums.cisco.com/t5/network-infrastructure-documents/acl-tcam-and-lous-in-catalyst-6500/ta-p/3115339
but the above article is more about optimizing your ACLs to conserve TCAM space than allocation of additional space.
:professorcat:


deanwebb

Quote from: ristau5741 on February 23, 2018, 08:45:07 AM
Quote from: deanwebb on February 23, 2018, 07:33:03 AM
Great links, Ristau. So it looks like the section for ACL is adjustable on a Nexus, but it seems the Catalyst readjustment was just for IPv4/v6 address spaces. Or was that just because of the subject of the article, and that there are commands to tune them for ACLs?

Not sure. When we were migrating DOJ to IPv6, we had to make adjustments to TCAM to provide room for IPv6 in routing tables, and reboot. That's my life experience.

Uncle Google says it's possible:
https://supportforums.cisco.com/t5/network-infrastructure-documents/acl-tcam-and-lous-in-catalyst-6500/ta-p/3115339
but the above article is more about optimizing your ACLs to conserve TCAM space than allocation of additional space.

That is EXACTLY pertinent to my interests. :thankyou:
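A constructed model of how ACL assignment choices consume TCAM, added here as an example (not code from the thread, from the NAC product, or from Cisco). It assumes the simplified accounting stated in the comments: one entry per ACE, a port range expanded into aligned value/mask blocks unless an LOU is free to match it, and an identical ACL body shared rather than programmed again; real platform accounting varies by ASIC and software release.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Ace:
    action: str                               # "permit" or "deny"
    proto: str                                # "tcp", "udp" or "ip"
    src: str                                  # CIDR, e.g. "10.1.1.7/32"
    dst: str
    dport: Optional[Tuple[int, int]] = None   # inclusive port range; None = any port

def range_to_prefixes(lo: int, hi: int) -> int:
    """Value/mask entries needed to match [lo, hi] when no LOU is free for the range."""
    count = 0
    while lo <= hi:
        size = 1  # largest aligned power-of-two block that starts at lo and fits
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        count += 1
        lo += size
    return count

def ace_entries(ace: Ace, lou_available: bool) -> int:
    """One entry for any/exact port or an LOU-backed range, else the expansion."""
    if ace.dport is None or ace.dport[0] == ace.dport[1] or lou_available:
        return 1
    return range_to_prefixes(*ace.dport)

def acl_entries(acl: Tuple[Ace, ...], lou_available: bool = False) -> int:
    return sum(ace_entries(a, lou_available) for a in acl) + 1  # +1 implicit deny

def tcam_usage(assignments: List[Tuple[Ace, ...]], lou_available: bool = False) -> int:
    """Assumption: an identical ACL body applied in many places is programmed once."""
    distinct: Dict[Tuple[Ace, ...], int] = {}
    for acl in assignments:
        if acl not in distinct:
            distinct[acl] = acl_entries(acl, lou_available)
    return sum(distinct.values())

def compare_strategies(hosts: List[str], capacity: int, lou: bool = False) -> Dict[str, int]:
    """Constructed NAC policy: hosts may reach 10.0.0.0/8 only on tcp/8000-8010."""
    def body(src: str) -> Tuple[Ace, ...]:
        return (Ace("permit", "tcp", src, "10.0.0.0/8", (8000, 8010)),
                Ace("deny", "ip", src, "10.0.0.0/8"),
                Ace("permit", "ip", src, "0.0.0.0/0"))
    per_host = tcam_usage([body(h + "/32") for h in hosts], lou)  # unique body per host
    shared = tcam_usage([body("0.0.0.0/0") for _ in hosts], lou)   # one role body for all
    return {"per_host": per_host, "shared": shared, "capacity": capacity,
            "per_host_fits": per_host <= capacity, "shared_fits": shared <= capacity}
```

The point the model makes is that a per-host ACL whose only difference is the source address multiplies the cost by the endpoint count, whereas a role ACL with the same body is paid for once, and that unexpanded port ranges are the other big multiplier.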

SimonV

I think the SDM templates are what you're looking for, depending on the Catalyst model...

deanwebb

Quote from: SimonV on February 23, 2018, 11:08:12 AM
I think the SDM templates are what you're looking for, depending on the Catalyst model...

"What's an SDM template?" asked the security guy.

icecream-guy

Quote from: deanwebb on February 23, 2018, 03:19:20 PM
Quote from: SimonV on February 23, 2018, 11:08:12 AM
I think the SDM templates are what you're looking for, depending on the Catalyst model...

"What's an SDM template?" asked the security guy.
SDM templates are pre-configured device settings you can apply to a switch for use in different scenarios.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swsdm.html
:professorcat:


wintermute000

Yeah, basically carving out the TCAM space to divvy up amongst various tables: IPv4 vs. IPv6 routes, ACLs, MAC addresses, etc.

So you can 're-spec' to a limited extent and prioritise, say, L2 / first-hop capacity, or transit routing capacity, etc.

Legendary limit: 1500 IPv4 routes in the dual-stack standard C3750X template; the number of times I've seen people hit this without realising, LOL.