03-02-2020 06:46 AM
Hi board,
not sure if this question is better suited in the switching forum. Let's give it a try here.
So, the Catalyst 9300 has the following TCAM limits for ACE's
Switch# show platform hardware fed switch active fwd-asic resource tcam utilization
CAM Utilization for ASIC [0]
Table                              Max Values      Used Values
--------------------------------------------------------------------------------
[...]
Security Access Control Entries    5120            126
Are the limits (5120 ACE entries) for the whole stack? For example, if I'm having a single 48 Port 9300 switch, then ~100 ACEs per port are possible. If I'm having a stack with two 48 port members, do I have ~50 ACEs per port or is the number of stack members irrelevant for the maximum number of dACL ACEs?
03-02-2020 09:30 AM
5000 of security TCAM Access Control List (ACL) capacity
5120 per stack - not per device.
03-03-2020 05:48 AM
Hey BB,
thanks for the answer - this is what I also thought, but I found this:
"Each switch in the stack optimizes data plane performance by utilizing its local hardware resources. This includes forwarding tasks and network services such as QoS and ACL"
Hmmmm ... maybe I need to open a TAC case for this.
The documentation is very unclear.
03-03-2020 06:16 AM
Agreed, sometimes Cisco documentation is not updated because of the vast growth in products; sure, you can have a chat with TAC if you like.
03-06-2020 02:54 AM - edited 03-06-2020 02:59 AM
So I opened a TAC case now and got feedback. Obviously our initial thoughts were not correct. The book is correct.
Each c9300 stack member uses its own TCAM resources for the ACLs on the local ports (I didn't double check this in the lab, yet).
The correct command to verify this is:
show platform hardware fed switch {1|2|3|...} active fwd-asic resource tcam utilization
==> Add the switch number to the output ... God - I feel so stupid right now....
07-02-2020 01:44 AM
A little side note:
The configuration guide says:
The limit for dACL with stacking is 64 ACEs per dACL per port. The limit without stacking is the number of available TCAM entries which varies based on the other ACL features that are active.
So independent of the actual TCAM utilization the absolute upper limit is 64 ACEs per port.
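Because the TAC answer above says each stack member installs ACEs for its local ports in its own TCAM, a stack-wide check has to read the utilization table once per member rather than once for the stack. The following Python script is an added example, not code from the thread or from Cisco: it parses the text of `show platform hardware fed switch <n> active fwd-asic resource tcam utilization` for each member and reports Security ACE headroom, and it counts the ACEs in a dACL definition against the 64-ACEs-per-dACL-per-port stacking limit quoted from the configuration guide. The sample command output and the sample dACL are constructed, with made-up numbers, so the script runs offline; on a real stack you would paste in the output collected from each member.

```python
"""Per-member TCAM utilization check for a Catalyst 9300 stack (added example).

Parses the utilization table printed per stack member and reports Security ACE
headroom; also checks a dACL's ACE count against the 64-per-dACL-per-port limit
that applies with stacking. All sample data below is constructed, not captured.
"""
import re

# Constructed sample output for two stack members (values are made up).
# Real output has many more rows; only a few rows are kept here.
SAMPLE_TCAM_OUTPUT = {
    1: """CAM Utilization for ASIC  [0]
 Table                              Max Values      Used Values
 --------------------------------------------------------------------------------
 Unicast MAC addresses              32768/512       27
 Security Access Control Entries    5120            126
 QoS Access Control Entries         5120            30
""",
    2: """CAM Utilization for ASIC  [0]
 Table                              Max Values      Used Values
 --------------------------------------------------------------------------------
 Unicast MAC addresses              32768/512       19
 Security Access Control Entries    5120            4870
 QoS Access Control Entries         5120            30
""",
}

# Limit quoted from the configuration guide in the thread (dACL with stacking).
DACL_ACE_LIMIT_STACKING = 64

# One table row: name, two-or-more spaces, max column (may be 'a/b'), used column.
ROW_RE = re.compile(r"^\s*(?P<table>[A-Za-z][A-Za-z ]+?)\s{2,}(?P<max>\S+)\s+(?P<used>\d+)\s*$")


def parse_tcam_utilization(text):
    """Return {table_name: (max_entries, used_entries)} for one member's output.

    The Max column sometimes carries 'a/b' forms; the leading integer is used.
    Header and separator lines do not match ROW_RE and are skipped.
    """
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        max_entries = int(re.match(r"\d+", m.group("max")).group(0))
        rows[m.group("table").strip()] = (max_entries, int(m.group("used")))
    return rows


def security_ace_headroom(outputs_by_member, table="Security Access Control Entries"):
    """Per stack member: max, used and free Security ACE entries.

    Reading only the active member would hide a nearly full TCAM on another
    member, since each member programs ACEs for its own ports.
    """
    report = {}
    for member, text in outputs_by_member.items():
        max_entries, used = parse_tcam_utilization(text)[table]
        report[member] = {"max": max_entries, "used": used, "free": max_entries - used}
    return report


# Constructed sample dACL in IOS extended ACL syntax (hypothetical name).
SAMPLE_DACL = """ip access-list extended EMPLOYEE-DACL
 remark constructed example dACL
 permit udp any any eq domain
 10 permit tcp any host 10.0.0.10 eq 443
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any
"""


def count_aces(acl_text):
    """Count permit/deny entries; the header, remarks and sequence numbers are ignored."""
    count = 0
    for line in acl_text.splitlines():
        parts = line.split()
        if parts and parts[0].isdigit():   # optional leading sequence number
            parts = parts[1:]
        if parts and parts[0] in ("permit", "deny"):
            count += 1
    return count


def dacl_within_stack_limit(acl_text, limit=DACL_ACE_LIMIT_STACKING):
    """True when the dACL fits the per-dACL-per-port limit that applies with stacking."""
    return count_aces(acl_text) <= limit


if __name__ == "__main__":
    for member, row in sorted(security_ace_headroom(SAMPLE_TCAM_OUTPUT).items()):
        print(f"switch {member}: security ACEs used {row['used']}/{row['max']} "
              f"(free {row['free']})")
    aces = count_aces(SAMPLE_DACL)
    print(f"dACL has {aces} ACEs; within stacking limit of {DACL_ACE_LIMIT_STACKING}: "
          f"{dacl_within_stack_limit(SAMPLE_DACL)}")
```

The per-member loop is the point: in the constructed data, member 1 sits at 126 of 5120 entries while member 2 is nearly full, and a single stack-level query would report only one of those figures. The dACL count is a separate, static check, because the 64-ACE limit applies regardless of how much TCAM is actually free.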
06-17-2024 10:17 AM
Hi, I know this post has been inactive for a while, but I have a question regarding the ACEs supported per port and per device/stack... even if the dACL is the same for multiple ports (considering the users are using the same authorization policy), are the TCAM resources consumed for each ACE on the dACL, or is there some optimization of the resource consumption? Thanks!