topic Re: Catalst 9300 stack: dACL TCAM utilization in Network Access Control

Catalst 9300 stack: dACL TCAM utilization

Johannes Luther — Mon, 02 Mar 2020 14:46:22 GMT

Hi board,

not sure if this question is better suited in the switching forum. Let's give it a try here.

So, the Catalyst 9300 has the following TCAM limits for ACE's

Switch#$ show platform hardware fed switch active fwd-asic resource tcam utilization
CAM Utilization for ASIC  [0]
 Table                                              Max Values        Used Values
 --------------------------------------------------------------------------------
[...]
 Security Access Control Entries                      5120            126

Are the limits (5120 ACE entries) for the whole stack? For example, if I'm having a single 48 Port 9300 switch, then ~100 ACEs per port are possible. If I'm having a stack with two 48 port members, do I have ~50 ACEs per port or is the number of stack members irrelevant for the maximum number of dACL ACEs?

Re: Catalst 9300 stack: dACL TCAM utilization

balaji.bandi — Mon, 02 Mar 2020 17:30:10 GMT

5000 of security TCAM Access Control List (ACL) capacity

5120 per stack - not per device.

Re: Catalst 9300 stack: dACL TCAM utilization

Johannes Luther — Tue, 03 Mar 2020 13:48:00 GMT

Hey BB,

thanks for the answer - this is what I also thought, but I found this:

"Each switch in the stack optimizes data plane performance by utilizing its local hardware resources. This includes forwarding tasksand network services such as QoS and ACL"

Source: https://www.cisco.com/c/dam/en/us/products/collateral/switches/catalyst-9000/nb-06-cat9k-ebook-cte-en.pdf

Hmmmm ... maybe I need to open a TAC case for this.

The documentation is very unclear.

Re: Catalst 9300 stack: dACL TCAM utilization

balaji.bandi — Tue, 03 Mar 2020 14:16:53 GMT

Agreed some time cisco documentation not update, because vast grown products, sure you can have a chat with TAC if you like to.

Re: Catalst 9300 stack: dACL TCAM utilization

Johannes Luther — Fri, 06 Mar 2020 10:59:06 GMT

So I opened a TAC case now and got feedback. Obviously our inital thought were not correct. The book is correct.

Each c9300 stack member uses it's own TCAM resources for the ACLs on the local ports (I didn't double check this in the lab, yet).

The correct command to verify this is:

show platform hardware fed switch {1|2|3|...} active fwd-asic resource tcam utilization

==> Add the switch number to the output ... God - I feel so stupid right now....

Re: Catalst 9300 stack: dACL TCAM utilization

Johannes Luther — Thu, 02 Jul 2020 08:44:33 GMT

A little side node:

The configuration guide says:

The limit for dACL with stacking is 64 ACEs per dACL per port. The limit without stacking is the number of available TCAM entries which varies based on the other ACL features that are active.

Link to config guide

So independent of the actual TCAM utilization the absolute upper limit is 64 ACEs per port.

Re: Catalst 9300 stack: dACL TCAM utilization

pablohernandez — Mon, 17 Jun 2024 17:17:32 GMT

Hi, I know this post has been inactive por a while, but I have a question regarding the ACEs supported per port and per device/stack... even if the dACL is the same for multiple ports (considering the users are using the same author policy), are the TCAM resources consumed per each ACE on the dACL? or there is some optimization on the resource consumption? Thanks!