04-27-2015 09:25 AM - edited 03-07-2019 11:45 PM
Hi,
I have two Nexus5548 with system version 5.1(3)N2(1a) that I'm having trouble with.
There is one acl I try to apply, and it keeps failing with: (it's rather big so I can't paste it in this public discussion)
%ACLMGR-3-ACLMGR_VERIFY_FAIL: Verify failed: client 40000290, tcam region full
%AFM-3-AFM_VERIFY_FAIL: Access control policy modification on vlan 123 failed
And I can see that it is really long, but it's shorter than a few other acl's?
# sh access-lists summary
[snip]
IPV4 ACL vlan124-out
Total ACEs Configured:286
[snip]
IPV4 ACL vlan123-out
Total ACEs Configured:274
[snip]
I've read the http://www.cisco.com/c/en/us/products/collateral/switches/nexus-5000-series-switches/white_paper_c11-682225.html
But I can't really get my head around how I can see how different acl's with fewer ACEs take up "more tcam space"?
The core problem is the long acl's but that is something that we are looking at in the long run.
In Nx7000 there is "show hardware capacity | begin ACL" to get some good info about this. But I haven’t found anything like this on the Nx5k platform.
I'm sorta stuck how to continue troubleshooting this, any tips?
--
Regards Falk
04-30-2015 06:44 AM
Hi,
I'll answer this myself after some digging in the docs :)
It wasn't that acl itself, it was the TOTAL TCAM space for that region that was full.
Like the log said, "tcam region full".
The collective eracl size was 2048 and we used ~2k of that.
So when we tried to apply another it just didn't fit.. :)
This can be found out by:
egress router acl.
#sh platform afm info tcam 8 region eracl
eracl tcam
TCAM configuration for asic id 5:
[eracl tcam]: range 0 - 2047 *
[ifacl tcam]: range 2048 - 2111
[ qos tcam]: range 2112 - 2175
[iracl tcam]: range 2176 - 3839
[ span tcam]: range 3840 - 3903
[ sup tcam]: range 3904 - 3967
TCAM [eracl tcam]: [v:1, size:2048, start:0 end:2047]
In use tcam entries: 2047
0-9,15-2047
ingress router acl
# sh platform afm info tcam 8 region iracl
iracl tcam
TCAM configuration for asic id 5:
[eracl tcam]: range 0 - 2047
[ifacl tcam]: range 2048 - 2111
[ qos tcam]: range 2112 - 2175
[iracl tcam]: range 2176 - 3839 *
[ span tcam]: range 3840 - 3903
[ sup tcam]: range 3904 - 3967
TCAM [iracl tcam]: [v:1, size:1664, start:2176 end:3839]
In use tcam entries: 843
2176-2177,2999-3839
Every ACE (Access Control Entry (one line of an Access Control List)) is 1 entry in a TCAM region from what I understand.
So our next challenge is to rethink our ACL's and/or check out more information about TCAM carving.
--
Regards Falk
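The headroom check described in the post above, as an added example that is not part of the original thread and is not Cisco code: it parses the region summary of the "sh platform afm info tcam" output, sums the listed index ranges to cross-check the reported in-use count, and tests whether an ACL of a given size would still fit. The names parse_region and fits are hypothetical, the sample text is copied from the output quoted in the post, and the one-entry-per-ACE sizing is the poster's own assumption.

```python
import re

# Sample text copied from the output quoted in the post (not a live capture).
ERACL = """TCAM [eracl tcam]: [v:1, size:2048, start:0 end:2047]
In use tcam entries: 2047
0-9,15-2047"""
IRACL = """TCAM [iracl tcam]: [v:1, size:1664, start:2176 end:3839]
In use tcam entries: 843
2176-2177,2999-3839"""

# Whitespace-tolerant, so it works on wrapped or single-line pastes.
REGION_RE = re.compile(
    r"TCAM \[\s*(\w+) tcam\]:\s*\[v:\d+, size:(\d+), start:(\d+) end:(\d+)\]\s*"
    r"In use tcam entries:\s*(\d+)\s*([\d,\-]*)"
)

def parse_region(text):
    """Return region name, size, reported in-use count and count summed from ranges."""
    m = REGION_RE.search(text)
    if m is None:
        raise ValueError("no TCAM region summary found")
    name, size, start, end, used, ranges = m.groups()
    counted = 0
    for part in filter(None, ranges.split(",")):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)      # a bare index is a range of one
        if not int(start) <= lo <= hi <= int(end):
            raise ValueError(f"range {part} lies outside region {name}")
        counted += hi - lo + 1
    return {"region": name, "size": int(size), "used": int(used), "counted": counted}

def fits(region, new_aces):
    """Assumes one TCAM entry per ACE (the poster's understanding).
    Uses the larger of the two usage figures so the answer errs toward 'no'."""
    free = region["size"] - max(region["used"], region["counted"])
    return new_aces <= free

if __name__ == "__main__":
    for sample in (ERACL, IRACL):
        r = parse_region(sample)
        print(r, "274-ACE ACL fits:", fits(r, 274))
```

Running this against the region an ACL will land in before applying it shows whether the change will be rejected with "tcam region full".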