5355 Views | 15 Helpful | 5 Replies

Catalyst 9300 stack: dACL TCAM utilization

Johannes Luther
Level 4

Hi board,

Not sure if this question is better suited to the switching forum. Let's give it a try here.

So, the Catalyst 9300 has the following TCAM limits for ACEs:

Switch#$ show platform hardware fed switch active fwd-asic resource tcam utilization
CAM Utilization for ASIC  [0]
 Table                                              Max Values        Used Values
 --------------------------------------------------------------------------------
[...]
 Security Access Control Entries                      5120            126

Are the limits (5120 ACE entries) for the whole stack? For example, if I have a single 48-port 9300 switch, then ~100 ACEs per port are possible. If I have a stack with two 48-port members, do I have ~50 ACEs per port, or is the number of stack members irrelevant for the maximum number of dACL ACEs?


5 Replies

balaji.bandi
Hall of Fame

5000 of security TCAM Access Control List (ACL) capacity


5120 per stack - not per device.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hey BB,

thanks for the answer - this is what I also thought, but I found this:

"Each switch in the stack optimizes data plane performance by utilizing its local hardware resources. This includes forwarding tasks and network services such as QoS and ACL."

Source: https://www.cisco.com/c/dam/en/us/products/collateral/switches/catalyst-9000/nb-06-cat9k-ebook-cte-en.pdf


Hmmmm ... maybe I need to open a TAC case for this.

The documentation is very unclear.

Agreed, sometimes Cisco documentation is not updated because of the vast growth of products; sure, you can have a chat with TAC if you like to.


BB


So I opened a TAC case now and got feedback. Obviously our initial thought was not correct. The book is correct.

Each C9300 stack member uses its own TCAM resources for the ACLs on its local ports (I didn't double-check this in the lab yet).

The correct command to verify this is:

show platform hardware fed switch {1|2|3|...} active fwd-asic resource tcam utilization

==> Add the switch number to the output ... God - I feel so stupid right now....

A little side note:

The configuration guide says:

The limit for dACL with stacking is 64 ACEs per dACL per port. The limit without stacking is the number of available TCAM entries which varies based on the other ACL features that are active.

Link to config guide 


So independent of the actual TCAM utilization the absolute upper limit is 64 ACEs per port.
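As an added example (not from the thread or from Cisco), a small Python helper that parses the per-member output of the command above and checks a planned dACL against both that member's own free Security ACE TCAM and the 64-ACE per-dACL-per-port limit from the config guide. It assumes each port consumes its own copy of the dACL's ACEs, as the arithmetic in the question does; the sample outputs are constructed, not real captures.

```python
import re
from typing import Dict, List

# Constructed sample output: one "show platform hardware fed switch N active
# fwd-asic resource tcam utilization" capture per stack member (not real captures).
SAMPLE_OUTPUTS = {
    1: """CAM Utilization for ASIC  [0]
 Table                                              Max Values        Used Values
 --------------------------------------------------------------------------------
 Security Access Control Entries                      5120            126
""",
    2: """CAM Utilization for ASIC  [0]
 Table                                              Max Values        Used Values
 --------------------------------------------------------------------------------
 Security Access Control Entries                      5120            4990
""",
}

# Hard upper bound per dACL per port on a stack, as quoted from the configuration guide.
MAX_ACES_PER_DACL_PER_PORT = 64

SEC_ACE_RE = re.compile(r"Security Access Control Entries\s+(\d+)\s+(\d+)")


def parse_security_aces(output: str) -> Dict[str, int]:
    """Return max/used/free Security ACE counts from one member's TCAM output."""
    m = SEC_ACE_RE.search(output)
    if not m:
        raise ValueError("Security Access Control Entries line not found")
    max_v, used = int(m.group(1)), int(m.group(2))
    return {"max": max_v, "used": used, "free": max_v - used}


def plan_dacl(outputs: Dict[int, str], aces_per_dacl: int, ports_per_member: int) -> List[dict]:
    """For each member, check whether a dACL of aces_per_dacl ACEs on every local
    port fits in that member's own TCAM (resources are per member, not shared
    across the stack, per the TAC answer). Assumes one TCAM copy per port."""
    results = []
    for member, text in sorted(outputs.items()):
        stats = parse_security_aces(text)
        needed = aces_per_dacl * ports_per_member
        results.append({
            "member": member,
            "free": stats["free"],
            "needed": needed,
            "exceeds_per_port_limit": aces_per_dacl > MAX_ACES_PER_DACL_PER_PORT,
            "fits_tcam": needed <= stats["free"],
        })
    return results
```

Run it once per stack member's output rather than once for the stack: in the constructed sample, member 1 has room for a 40-ACE dACL on all 48 ports while member 2 does not, which is exactly the case a stack-wide number would hide.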
