03-19-2024 06:38 AM
Hi Folks,
We have four leafs in our environment that are running close to 90% TCAM utilization. I am kinda lost on what is causing this and how to troubleshoot it. The only difference that I can see, from the capacity dashboard, when comparing these leafs with the other leafs, is that these leafs have a lot more virtual machines/Hypervisors connected to them. But does that fully explain the issue? Please see picture attached.
I was wondering if you guys could help me out troubleshooting this issue.
Thanks.
03-19-2024 07:14 AM
Looks like your Policies (Contracts) are consuming most of the TCAM. There may be ways you can optimize your security policies - vzAny, Preferred Groups etc. Can you explain what your contract design looks like?
Also, what is your Leaf Forward Scale Profile configured as?
Operations > Capacity Dashboard > Leaf Capacity > Configure Profile (below the Leaf in question)
The "High Policy" profile would maximize TCAM space for security policies. Keep in mind you need to reboot a switch to apply a different tile profile. Should be done during a maintenance window.
Robert
03-20-2024 07:18 AM
Hi Robert,
The Forward Scale Profile is set to 'Dual Stack'. Most of our contracts are built very specific, so SRC > DST > Port. We don't work with preferred groups, have some vzAny policies in place though.
Can you please explain to me why these four leafs are being affected by the number of contracts while the rest of the leaf fabric isn't? I know that policies are pushed to leafs on use basis, so does this mean that these four leafs have a lot of EPGs configured on them or perhaps a lot of contracts within specific EPGs? Is there a way for me to find out which ones?
Thanks a lot!
03-20-2024 10:56 AM
Filter rules are pushed where they are required, so this could vary depending on where EPGs are deployed (on which Leafs). You can use the Capacity dashboard to see the levels of Policy CAM on a per-switch basis. Note that different models of switch may have different supported scale support. So there are fabric-level scale limitations, as well as platform (Leaf) specific platform scalability that comes into play. That's the purpose of the Capacity dashboard - to help you monitor/manage this.
Robert
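Added example, not part of the thread and not Cisco code: a simplified Python model of the point that filter rules are pushed only to the leafs where the relevant EPGs are deployed, showing why a leaf hosting many EPGs carries far more policy rules than its neighbours. The leaf names, EPG names, contracts and the rule-count formula are constructed assumptions; real TCAM consumption depends on the platform and on how filters expand in hardware.

```python
from collections import defaultdict

# Constructed sample data: EPGs deployed on each leaf (hypothetical names).
EPG_DEPLOYMENT = {
    "leaf-101": {"web", "app", "db", "mgmt", "backup"},  # hypervisor-heavy leaf
    "leaf-102": {"web", "app"},
    "leaf-103": {"db"},
}

# Constructed contracts: (name, consumer EPG, provider EPG, filter entries).
CONTRACTS = [
    ("web-to-app", "web", "app", 4),
    ("app-to-db", "app", "db", 2),
    ("mgmt-to-db", "mgmt", "db", 6),
    ("backup-to-db", "backup", "db", 3),
]


def rules_per_leaf(deployment, contracts, bidirectional=True):
    """Estimate policy rules per leaf, broken down by contract.

    Assumed model: a contract is programmed on a leaf when its consumer
    or provider EPG is deployed there, costing one rule per filter entry
    per direction.
    """
    per_direction = 2 if bidirectional else 1
    usage = defaultdict(dict)
    for leaf, epgs in deployment.items():
        for name, consumer, provider, entries in contracts:
            if consumer in epgs or provider in epgs:
                usage[leaf][name] = entries * per_direction
    return {leaf: dict(per_contract) for leaf, per_contract in usage.items()}


def report(deployment, contracts):
    """Return (leaf, total rules, contracts by cost), busiest leaf first."""
    usage = rules_per_leaf(deployment, contracts)
    rows = []
    for leaf in deployment:
        per_contract = usage.get(leaf, {})
        ranked = sorted(per_contract.items(), key=lambda kv: (-kv[1], kv[0]))
        rows.append((leaf, sum(per_contract.values()), ranked))
    return sorted(rows, key=lambda row: -row[1])


if __name__ == "__main__":
    for leaf, total, ranked in report(EPG_DEPLOYMENT, CONTRACTS):
        print(f"{leaf}: {total} rules; largest contracts: {ranked[:2]}")
```

The per-contract ranking for the busiest leaf is the list to review first when looking for contracts to consolidate.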