cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
548
Views
0
Helpful
2
Replies

c3550: InAcl TCAM exhaustion (SVI/VLAN Aggregation)

acennami
Level 1
Level 1

Ok, I'll preface this by telling everybody that I _know_ how poor a configuration this is, and this is why I've been brought on; to redesign the network and make the transition as smooth as possible.

Network currently consists of flat vlan (Vlan1) with 1200 webhosting servers; each with 5-256 IP's. All IP's are bound to Vlan1 on a Hybrid 6506/MSFC, hosts are connected through 2900-5505's.

I am looking to take multiple c3550 (or other, upon suggestion) and segment the network into 3-4 sections. Every server port will belong to a VLAN, aggregate via dot1q to the 3550, and then route to the core layer3 w/ no trunking.

The issue which has come up is this. On an existing 3550 I have a number of SVI's with /29+ IP's bound, as well as a Vlan1 with a number of (30ish) /29+ allocations. This was done in the hopes of moving the Vlan1 /29's to the dedicated SVI once their home switch is trunked and assigned VLANs.

After hitting approx 30 VLSM secondary IP's on Vlan1, I am exhausting the InAcl TCAM Mask resources (currently 208); as soon as this happens the switch is nailed at 90-99% CPU and begins dropping packets.

Below is my current tcam stat:

dnow-vlan-agg-001#sh tcam inacl 1 stat

Ingress ACL TCAM#1: Number of active labels: 36

Ingress ACL TCAM#1: Number of masks allocated: 199, available: 9

Ingress ACL TCAM#1: Number of entries allocated: 823, available: 841

There are no custom ACL's on the switch, just standard SVI's, FE dot1q trunks and TACACS.

I have tried sdm prefer routing to no avail (this actually left me with fewer mask resources)

Also, the end goal here is to have approximately 500 servers per 3550, trunked via the 5500's (~500 SVI's per 3550)

Can anybody provide recommendations or warnings on the broken configuration or planned configuration; from what's happening now I'm thinking that it's not going to work.

I noticed in some tech-docs that the 3550T's appear to have a higher mask resource limitation, so that may be a way to go. Really hitting a wall here and would appreciate any suggestions.

Thanks,

Anthony

2 Replies 2

sirpa_k
Level 1
Level 1

Any update on this?

The only replies I've had were from a CCIE, asking me to forward any useful information I got from my posts to him, and from a peer in the industry who basically said the 3550's will die after approximately 350 VLANS, when using them to aggregate SVIs.

Not terribly encouraging, but I'm looking towards an older model 6500 to hopefull accomodate my needs.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco