07-17-2024 08:06 AM - edited 07-17-2024 08:08 AM
Hello,
I will be migrating a customer from 2xCat6500 in VSS to 2xCat9500 HP in SWV.
I've been looking at the ACL TCAM consumption thanks to this document:
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9500-series-switches/217266-validate-security-acls-on-catalyst-9000.html
From TCAM resource calculation of that document, my conclusion is that I will need to modify the default SDM template to allow for more IPV4 ingress ACL.
At the bottom of that document there is an "ACL scalability" table, which seems to state that the scalability (i.e. maximum)
IPv4 ACL entries for a Catalyst 9500 HP is 12000 for ingress ACL
(it remains to be confirmed because the table is unclear, referring to C9500 HP in a column named "Cisco catalyst 9300" (?)).
IOS 17.9 is recommended for C9500 so I checked this document:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/17-9/configuration_guide/sys_mgmt/b_179_sys_mgmt_9500_cg/configuring_sdm_templates.html
which states in Table 4:
"Table 4. Scale values and Default values for ACL features on the Cisco Catalyst 9500 Series Switches - High Performance"
that ingress ACL can have a maximum of 26624.
My question is simple: since the 2 documents have different figures for the same maximum, which one is right?
07-17-2024 08:37 AM
Hi,
The below link is an updated version from July 2022. It appears that using a custom SDM template, the ACL number can be increased to 52K. You can also validate this with your Cisco SE or sales rep to ensure the numbers are correct.
The total number of system resources assigned to a Customizable SDM Template is 416K for FIB features and 52K for ACL features. If the total number of all the resources specified exceeds 416K for FIB features or 52K for ACL features, the system starts to lower the number of allotted resources starting with the feature assigned the highest number. A higher priority value or number assigned to a feature indicates a lower priority.
HTH
07-17-2024 08:41 AM
OK, the document you mention is the second one I linked, so it's the right one, thanks.
07-17-2024 08:55 AM
That is correct. Also, it is not uncommon to see discrepancies in Cisco's documentation. So, you may want to check with your Cisco rep to confirm the numbers.
Good luck!
07-18-2024 01:24 AM
OK Thanks.
At the beginning I searched for a new version of document 1) but I did not find any.
I was surprised it was giving absolute limitations (in an awkward way, by the way) without referring to
any other version-bound document.
That's why I wanted the conflict between those 2 documents to be settled, because going from 12000 to 26000 is a big change and for me it means going from impossible to possible.
Thanks for your quick reply
07-18-2024 03:09 AM
Whatever the docs list about TCAM size, it does not help you if the TCAM room for the IPv4 ACL is full.
You need to move some room from another feature to the IPv4 ACL.
For example, 90% of engineers do not use IPv6, so move all the room for IPv6 to the IPv4 ACL.
In simple words, you can change the room, but you cannot change the total size of the TCAM.
MHM
07-18-2024 10:03 AM - edited 07-18-2024 10:03 AM
"90% of engineer not use ipv6 so move all room for ipv6 to ipv4 acl"
It seems a good idea, but reading the software configuration guide:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/17-9/configuration_guide/sys_mgmt/b_179_sys_mgmt_9500_cg/configuring_sdm_templates.html
does not show it is possible, because in the paragraph:
"Configuring a Customizable SDM Template for ACL Features"
the example provided in step 4 shows the command :
"Example:
Device(config-sdm-acl)#acl-ingress 26 priority 1"
which does not distinguish between IPv4 traffic and non-IPv4 Access Control Entries,
and I suppose that, should the command exist for IPv4 traffic as well as for non-IPv4 traffic,
a Cisco software configuration guide would mention it, wouldn't it?
Otherwise, where else?
I know there is also a command reference, but a software configuration guide is supposed to help you
through the configuration and contain what is possible, no?
As a result, my question is: is it at all possible to remove a big bunch of TCAM entries for IPv6 ingress ACL
while boosting TCAM entries for IPv4 ingress ACL?
07-18-2024 10:05 AM
Sorry, this feature is only in NSK, not in Cat9K; it is called carving.
MHM
07-18-2024 11:56 AM
OK, it means the relation between:
Security Ingress IPv4 Access Control Entries*: 7168 (current) - 7168 (proposed)
Security Ingress Non-IPv4 Access Control Entries*: 5120 (current) - 5120 (proposed)
cannot be changed; supposing that relation is linear, by setting:
acl-ingress 26 priority 1
it means having 26624 ingress ACL entries for both, and assuming the ratio between IPv4 and non-IPv4 is maintained,
it would give as maximum entries for:
Security Ingress IPv4 Access Control Entries*: 15530
because the software configuration guide Table 4 states this is a maximum.
Can anybody confirm my understanding + assumption of linearity?
07-18-2024 02:08 PM
Please answer my question:
Can anybody confirm my understanding + assumption of linearity?
If it is so, I have an issue: the current level of ACL in the C6500 I have to migrate to the C9500, as calculated according to:
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9500-series-switches/217266-validate-security-acls-on-catalyst-9000.html#toc-hId--1633804632
holds within that limit of 15530.
But according to that link, the current ACL in the C6500 would consume, on top of TCAM entries, L4OPs and VCUs, and a lot of them: more than the limit of 8 L4OP per ACL and more than the 192 ingress VCU for the whole chassis.
The link just above states that, in that case:
"VCU Exhaustion
My question is now: where in the TCAM are those new ACE entries taken from, when L4OP and VCU are above their limit?
Are they taken from Security Ingress IPv4 Access Control Entries or are they taken from other parts of the TCAM?
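An added capacity check, not code from the thread or from Cisco's documentation, that carries the linearity assumption of the two posts above through in code: the proposed `acl-ingress` total is split between IPv4 and non-IPv4 ACEs in the current 7168:5120 ratio, and a planned set of ingress ACLs is checked against that ceiling, the 8 L4OP per ACL limit and the 192 ingress VCU per chassis limit quoted in the thread. `IngressAcl`, `check_plan` and the sample ACLs are constructed for this example; the VCUs an ACL consumes is taken as an input, since the thread does not say how it is derived from the L4OPs.

```python
# Added example (not from the thread or Cisco documentation).
from dataclasses import dataclass

CURRENT_IPV4_ACES = 7168      # Security Ingress IPv4 ACEs, current allocation (thread)
CURRENT_NON_IPV4_ACES = 5120  # Security Ingress Non-IPv4 ACEs, current allocation (thread)
MAX_L4OP_PER_ACL = 8          # per-ACL L4OP limit quoted in the thread
MAX_INGRESS_VCU = 192         # per-chassis ingress VCU limit quoted in the thread


def proportional_ipv4_limit(proposed_total, ipv4=CURRENT_IPV4_ACES,
                            non_ipv4=CURRENT_NON_IPV4_ACES):
    """IPv4 ingress ACE ceiling if the IPv4:non-IPv4 split stays proportional
    (the poster's linearity assumption, which the thread does not confirm)."""
    return proposed_total * ipv4 // (ipv4 + non_ipv4)


@dataclass
class IngressAcl:          # hypothetical planning record, not a device object
    name: str
    aces: int              # access control entries in the ACL
    l4ops: int             # L4 operators (gt/lt/range/neq) used in the ACL
    vcus: int              # VCUs the ACL is expected to consume (assumed input)


def check_plan(acls, proposed_total=26624):
    """Return findings for every limit the plan breaks; [] means it fits."""
    findings = []
    limit = proportional_ipv4_limit(proposed_total)
    total_aces = sum(a.aces for a in acls)
    if total_aces > limit:
        findings.append(f"IPv4 ACEs {total_aces} exceed proportional limit {limit}")
    for a in acls:
        if a.l4ops > MAX_L4OP_PER_ACL:
            findings.append(f"{a.name}: {a.l4ops} L4OPs exceed per-ACL limit {MAX_L4OP_PER_ACL}")
    total_vcus = sum(a.vcus for a in acls)
    if total_vcus > MAX_INGRESS_VCU:
        findings.append(f"ingress VCUs {total_vcus} exceed chassis limit {MAX_INGRESS_VCU}")
    return findings


if __name__ == "__main__":
    # Constructed sample plan: ACE count fits the proportional ceiling, but one
    # ACL uses too many L4OPs and the chassis VCU budget is overrun.
    plan = [IngressAcl("edge-in", 9000, 9, 150), IngressAcl("dmz-in", 6000, 4, 60)]
    print("proportional IPv4 ceiling:", proportional_ipv4_limit(26624))
    for finding in check_plan(plan):
        print("-", finding)
```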
07-18-2024 03:35 AM
Thanks for the advice.
I am perfectly aware that changing the SDM template does not create hardware but only redispatches it.