Catalyst 9300 stack: dACL TCAM utilization

Hi board,

Not sure if this question is better suited to the switching forum. Let's give it a try here.

So, the Catalyst 9300 has the following TCAM limits for ACEs:

Switch#$ show platform hardware fed switch active fwd-asic resource tcam utilization
CAM Utilization for ASIC  [0]
 Table                                              Max Values        Used Values
 --------------------------------------------------------------------------------
[...]
 Security Access Control Entries                      5120            126

Are the limits (5120 ACE entries) for the whole stack? For example, if I have a single 48-port 9300 switch, then ~100 ACEs per port are possible. If I have a stack with two 48-port members, do I have ~50 ACEs per port, or is the number of stack members irrelevant for the maximum number of dACL ACEs?

Re: Catalyst 9300 stack: dACL TCAM utilization

5000 of security TCAM Access Control List (ACL) capacity

 

5120 per stack - not per device.

BB
Re: Catalyst 9300 stack: dACL TCAM utilization

Hey BB,

thanks for the answer - this is what I also thought, but I found this:

"Each switch in the stack optimizes data plane performance by utilizing its local hardware resources. This includes forwarding tasks and network services such as QoS and ACL"

Source: https://www.cisco.com/c/dam/en/us/products/collateral/switches/catalyst-9000/nb-06-cat9k-ebook-cte-en.pdf

 

Hmmmm ... maybe I need to open a TAC case for this.

The documentation is very unclear.

Re: Catalyst 9300 stack: dACL TCAM utilization

Agreed, sometimes Cisco documentation is not updated because of the vast growth in products. Sure, you can have a chat with TAC if you like.

 

BB
Re: Catalyst 9300 stack: dACL TCAM utilization

So I opened a TAC case now and got feedback. Obviously our initial thoughts were not correct. The book is correct.

Each c9300 stack member uses its own TCAM resources for the ACLs on the local ports (I didn't double check this in the lab, yet).

The correct command to verify this is:

show platform hardware fed switch {1|2|3|...} active fwd-asic resource tcam utilization

==> Add the switch number to the output ... God - I feel so stupid right now....
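
A per-member check along the lines of the answer above, as an added example that is not part of the original thread: it parses the output format quoted in the question for each stack member and flags any member whose Security ACE table is close to full. The sample outputs, the 4300 value, the 80% threshold and all function names are constructed for illustration.

```python
import re

# Patterns follow the two lines quoted in the question's CLI output.
ASIC_RE = re.compile(r"CAM Utilization for ASIC\s+\[(\d+)\]")
ACE_RE = re.compile(r"^\s*Security Access Control Entries\s+(\d+)\s+(\d+)\s*$")

def parse_security_aces(output):
    """Return {asic: (max, used)} from one stack member's command output."""
    result, asic = {}, None
    for line in output.splitlines():
        m = ASIC_RE.search(line)
        if m:
            asic = int(m.group(1))
            continue
        m = ACE_RE.match(line)
        if m and asic is not None:
            result[asic] = (int(m.group(1)), int(m.group(2)))
    return result

def stack_report(outputs, warn_pct=80.0):
    """outputs: {switch_number: command output}. One row per (switch, ASIC)."""
    rows = []
    for switch in sorted(outputs):
        parsed = parse_security_aces(outputs[switch])
        if not parsed:
            raise ValueError(f"no Security ACE row found for switch {switch}")
        for asic, (mx, used) in sorted(parsed.items()):
            pct = 100.0 * used / mx
            rows.append({"switch": switch, "asic": asic, "max": mx, "used": used,
                         "free": mx - used, "pct": round(pct, 1),
                         "alert": pct >= warn_pct})
    return rows

def _sample(used):
    # Constructed output in the format quoted in the thread (not real device data).
    return ("CAM Utilization for ASIC  [0]\n"
            " Table" + " " * 46 + "Max Values        Used Values\n"
            " " + "-" * 80 + "\n"
            f" Security Access Control Entries                      5120            {used}\n")

# Constructed: one captured output per stack member, keyed by switch number.
SAMPLE = {1: _sample(126), 2: _sample(4300)}

if __name__ == "__main__":
    for row in stack_report(SAMPLE):
        print(row)
```

Each entry in `SAMPLE` stands in for the output collected with the switch number given explicitly, so a heavily loaded member is not hidden behind the figures of the active switch.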
