This is a topic that I'm seeing crop up in my work and I'd like to understand it better.
I'm starting with these two links: http://www.enterprisenetworkingplanet.com/netsysm/article.php/3527301/On-Your-Network-What-the-Heck-is-a-TCAM.htm
http://etherealmind.com/tcam-detail-review/
In the second link, in the Cisco Implementation section, I hit on the root of the reason why I see TCAM exhaustion. In NAC, we can apply an ACL to an endpoint or a switchport to restrict host traffic. Those ACLs go into the TCAM. If we have enough ACLs, we can exhaust the TCAM resources. So, the question comes back to me as to how best to assign those ACLs to conserve TCAM space.
I suppose if I learned best practices for ACL management, I'd be able to translate those to how my product implements that feature. Sooooooo... Suggestions?
on the larger Cisco work horses, e.g 6500 and 7600, one can adjust Ternary Content Addressable Memory allocations.
based on IPv4 vs. IPv6 routes in TCAM. lowering the maximum IPv6 routes, you can raise the maximum of IPv4 routes,
and verse visa.
Ref: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117712-problemsolution-cat6500-00.html
and for the Nexud 9K's, Nexud 7K's should be similar
REF: https://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/119032-nexus9k-tcam-00.html
Great links, Ristau. So it looks like the section for ACL is adjustable on a Nexus, but it seems the Catalyst readjustment was just for IPv4/v6 address spaces. Or was that just because of the subject of the article, and that there are commands to tune them for ACLs?
Quote from: deanwebb on February 23, 2018, 07:33:03 AM
Great links, Ristau. So it looks like the section for ACL is adjustable on a Nexus, but it seems the Catalyst readjustment was just for IPv4/v6 address spaces. Or was that just because of the subject of the article, and that there are commands to tune them for ACLs?
not sure, when were were migrating DOJ to IPv6. We had to make adjustments to TCAM to provide room for IPV6 in routing tables, and reboot. That's my life experience.
Uncle Google says it's possible
https://supportforums.cisco.com/t5/network-infrastructure-documents/acl-tcam-and-lous-in-catalyst-6500/ta-p/3115339
but the above article is more about optimizing your ACL's to conserve TCAM space than allocation of additional space.
Quote from: ristau5741 on February 23, 2018, 08:45:07 AM
Quote from: deanwebb on February 23, 2018, 07:33:03 AM
Great links, Ristau. So it looks like the section for ACL is adjustable on a Nexus, but it seems the Catalyst readjustment was just for IPv4/v6 address spaces. Or was that just because of the subject of the article, and that there are commands to tune them for ACLs?
not sure, when were were migrating DOJ to IPv6. We had to make adjustments to TCAM to provide room for IPV6 in routing tables, and reboot. That's my life experience.
Uncle Google says it's possible
https://supportforums.cisco.com/t5/network-infrastructure-documents/acl-tcam-and-lous-in-catalyst-6500/ta-p/3115339
but the above article is more about optimizing your ACL's to conserve TCAM space than allocation of additional space.
That is EXACTLY pertinent to my interests. :thankyou:
I think the SDM templates are what you're looking for, depending on the Catalyst model...
Quote from: SimonV on February 23, 2018, 11:08:12 AM
I think the SDM templates are what you're looking for, depending on the Catalyst model...
"What's an SDM template?" asked the security guy.
Quote from: deanwebb on February 23, 2018, 03:19:20 PM
Quote from: SimonV on February 23, 2018, 11:08:12 AM
I think the SDM templates are what you're looking for, depending on the Catalyst model...
"What's an SDM template?" asked the security guy.
SDM template are pre-configured device settings you can apply to a switch, for use in different scenarios
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swsdm.html
yeah basically carving out the TCAM space to divvy up amongst various tables - ipv4 vs ipv6 routes, ACLs, MAC addresses etc.
So you can 're-spec' to a limited extent and prioritise say L2 / first-hop capacity, or transit routing capacity, etc.
Legendary limit: 1500 ipv4 routes in dual-stack standard C3750X template, the number of times I've seen people hit this without realising LOL