C9500 HP max. TCAM for ingress IPv4 ACL: 2 docs differ, which is right?

thibaultm
Level 1

Hello,
I will be migrating a customer from 2x Cat6500 in VSS to 2x Cat9500 HP in SVL.
I've been looking at the ACL TCAM consumption thanks to this document:
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9500-series-switches/217266-validate-security-acls-on-catalyst-9000.html

From the TCAM resource calculation in that document, my conclusion is that I will need to modify the default SDM template to allow for more IPv4 ingress ACL entries.

At the bottom of that document there is an "ACL scalability" table, which seems to state that the scalability (i.e. maximum)
of IPv4 ACL entries for a Catalyst 9500 HP is 12000 for ingress ACL
(it remains to be confirmed because the table is unclear, referring to the C9500 HP in a column named "Cisco Catalyst 9300" (?)).

IOS 17.9 is recommended for the C9500, so I checked this document:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/17-9/configuration_guide/sys_mgmt/b_179_sys_mgmt_9500_cg/configuring_sdm_templates.html

which states in Table 4:
"Table 4. Scale values and Default values for ACL features on the Cisco Catalyst 9500 Series Switches - High Performance"
that Ingress ACL can have a maximum of 26624.

My question is simple: since the 2 documents have different figures for the same maximum, which one is right?

11 Replies

Reza Sharifi
Hall of Fame
(Accepted Solution)

Hi,

The link below is an updated version from July 2022. It appears that using a custom SDM template, the ACL number can be increased to 52K. You can also validate this with your Cisco SE or sales rep to ensure the numbers are correct.

The total number of system resources assigned to a Customizable SDM Template is 416K for FIB features and 52K for ACL features. If the total number of all the resources specified exceeds 416K for FIB features or 52K for ACL features, the system starts to lower the number of allotted resources starting with the feature assigned the highest number. A higher priority value or number assigned to a feature indicates a lower priority.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/17-9/configuration_guide/sys_mgmt/b_179_sys_mgmt_9500_cg/configuring_sdm_templates.html

HTH

thibaultm
Level 1

OK, the document you mention is the second one I linked, so it's the right one. Thanks.

That is correct. Also, it is not uncommon to see discrepancies in Cisco's documentation. So, you may want to check with your Cisco rep to confirm the numbers.

Good luck!

thibaultm
Level 1

OK, thanks.
At the beginning I searched for a new version of document 1), but I did not find any.
I was surprised it was giving absolute limitations (in an awkward way, by the way) without referring to
any other version-bound document.

That's why I wanted the conflict between those 2 documents to be settled, because going from 12000 to 26000 is a big change, and for me it means going from impossible to possible.

Thanks for your quick reply

Whatever the docs list for TCAM size, it does not help you much if the TCAM room for IPv4 ACLs is full.

You need to move some room from other features to IPv4 ACLs.

For example, 90% of engineers do not use IPv6, so move all the room for IPv6 to IPv4 ACLs.

In simple words, you can change the room, but you cannot change the total size of the TCAM.

MHM

"90% of engineer not use ipv6 so move all room for ipv6 to ipv4 acl"

It seems a good idea, but reading the software configuration guide:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/17-9/configuration_guide/sys_mgmt/b_179_sys_mgmt_9500_cg/configuring_sdm_templates.html

does not show it is possible, because in the paragraph
"Configuring a Customizable SDM Template for ACL Features"
the example provided in step 4 shows the command:
"Example:
Device(config-sdm-acl)#acl-ingress 26 priority 1"
which does not distinguish between IPv4 traffic and non-IPv4 Access Control Entries.
And I suppose that, should the command exist for IPv4 traffic as well as for non-IPv4 traffic,
a Cisco software configuration guide would mention it, wouldn't it?
Otherwise, where else?
I know there is also a command reference, but a software configuration guide is supposed to help you
through the configuration and contain what is possible, no?

As a result, my question is: is it at all possible to remove a big bunch of TCAM entries for IPv6 ingress ACL,
while boosting TCAM entries for IPv4 ingress ACL?

Sorry, this feature is only in NSK, not in Cat9K; it is called carving.

MHM

OK, it means the relation between:
Security Ingress IPv4 Access Control Entries*: 7168 (current) - 7168 (proposed)
Security Ingress Non-IPv4 Access Control Entries*: 5120 (current) - 5120 (proposed)
cannot be changed. Supposing that relation is linear, by setting:
acl-ingress 26 priority 1
it means having 26624 ingress ACL entries for both, and assuming the ratio between IPv4 and non-IPv4 is maintained,
it would give as maximum entries for:
Security Ingress IPv4 Access Control Entries*: 15530
because the software configuration guide Table 4 states this is a maximum.

Can anybody confirm my understanding + assumption of linearity?

Please answer my question:
Can anybody confirm my understanding + assumption of linearity?

If it is so, I have an issue. The current level of ACLs in the C6500 that I have to migrate to the C9500, as calculated according to:
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9500-series-switches/217266-validate-security-acls-on-catalyst-9000.html#toc-hId--1633804632
fits within that limit of 15530.
But according to that link, the current ACLs in the C6500 would consume, on top of TCAM entries, L4OPs and VCUs, and a lot of them: more than the limit of 8 L4OPs per ACL and more than the 192 ingress VCUs for the whole chassis.

The link just above states that, in that case:

"VCU Exhaustion

  • Once over the L4OPs limit or out of VCUs, the software performs ACL expansion and creates new ACE entries in order to perform equivalent action without using VCUs.
  • Once this happens TCAM can become exhausted from these added entries."

My question is now: where in the TCAM are those new ACE entries taken from, when L4OPs and VCUs are above their limits?
Are they taken from Security Ingress IPv4 Access Control Entries, or are they taken from other parts of the TCAM?
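The two estimates discussed in the posts above (the proportional IPv4 share of a raised acl-ingress budget, and the extra TCAM entries that ACL expansion would create once L4OPs/VCUs run out) can be checked before a migration with a small capacity-planning script. The following is an added example written for this thread; it is not Cisco's code and not from the linked documents. It assumes the defaults quoted in the thread (7168 IPv4 and 5120 non-IPv4 ingress entries, 8 L4OPs per ACL, 192 ingress VCUs), treats gt/lt/neq/range as the operators that consume an L4OP and eq as an exact match that does not (my reading of the referenced ACL validation document, to be confirmed against it), and models expansion as covering a port range with the fewest aligned value/mask blocks, which is a generic approximation rather than Cisco's documented implementation. The sample ACL is constructed.

```python
"""Constructed capacity-planning model for Catalyst-style ACL TCAM usage (not Cisco code).

1. proportional_ipv4_limit: IPv4 share of a total ingress ACL budget if the
   default IPv4:non-IPv4 ratio is kept (the linearity assumption in the thread).
2. analyze_acl_config: per-ACL ACE count, L4OP count and the number of TCAM
   entries needed if every L4OP were expanded into exact port/mask entries
   instead of using a VCU.  Expansion model is a generic range-to-prefix cover.
"""
import re
from dataclasses import dataclass

L4OP_LIMIT_PER_ACL = 8     # per-ACL L4OP limit as quoted in the thread
VCU_LIMIT_INGRESS = 192    # per-chassis ingress VCU limit as quoted in the thread
PORT_MAX = 65535
NAMED_PORTS = {"www": 80, "domain": 53, "ssh": 22, "smtp": 25}   # small subset, constructed
OPERATORS = {"eq", "gt", "lt", "neq", "range"}
L4OP_OPERATORS = {"gt", "lt", "neq", "range"}   # assumption: 'eq' is an exact match, no L4OP


def proportional_ipv4_limit(total_ingress, ipv4_default=7168, non_ipv4_default=5120):
    """IPv4 entries if total_ingress is split at the default IPv4:non-IPv4 ratio."""
    return total_ingress * ipv4_default // (ipv4_default + non_ipv4_default)


def port_range_to_prefixes(lo, hi):
    """Cover [lo, hi] in 16-bit port space with the fewest aligned (port, prefix_len) blocks.
    Each block stands for one TCAM entry in this model."""
    blocks = []
    while lo <= hi:
        size = 1
        while size < 65536:                    # grow the block while it stays aligned and inside [lo, hi]
            bigger = size * 2
            if lo % bigger != 0 or lo + bigger - 1 > hi:
                break
            size = bigger
        blocks.append((lo, 16 - (size.bit_length() - 1)))
        lo += size
    return blocks


def operator_ranges(op, args):
    """Translate one IOS port operator into the inclusive port ranges it matches."""
    v = [int(a) if a.isdigit() else NAMED_PORTS[a] for a in args]
    if op == "eq":
        return [(p, p) for p in v]
    if op == "gt":
        return [(v[0] + 1, PORT_MAX)]
    if op == "lt":
        return [(0, v[0] - 1)]
    if op == "neq":
        return [(0, v[0] - 1), (v[0] + 1, PORT_MAX)]
    return [(v[0], v[1])]                      # range lo hi


def parse_ace_operators(line):
    """Return [(operator, [port tokens]), ...] found in one ACE line (source and/or destination)."""
    toks, found, i = line.split(), [], 0
    while i < len(toks):
        if toks[i] in OPERATORS:
            j = i + 1
            while j < len(toks) and (toks[j].isdigit() or toks[j] in NAMED_PORTS):
                j += 1
            found.append((toks[i], toks[i + 1:j]))
            i = j
        else:
            i += 1
    return found


@dataclass
class AclStats:
    name: str
    aces: int = 0
    l4ops: int = 0
    expanded_entries: int = 0   # TCAM entries if every L4OP is expanded rather than using VCUs


def analyze_acl_config(text):
    """Walk 'ip access-list' stanzas in IOS config text and accumulate per-ACL statistics."""
    stats, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"ip access-list (?:extended|standard)\s+(\S+)", line)
        if m:
            current = stats.setdefault(m.group(1), AclStats(m.group(1)))
            continue
        if current is None or not re.match(r"(?:\d+\s+)?(?:permit|deny)\b", line):
            continue
        current.aces += 1
        entries = 1
        for op, args in parse_ace_operators(line):
            if op in L4OP_OPERATORS:
                current.l4ops += 1
            blocks = sum(len(port_range_to_prefixes(lo, hi)) for lo, hi in operator_ranges(op, args))
            entries *= max(blocks, 1)          # a source and a destination operator multiply
        current.expanded_entries += entries
    return stats


def report(stats):
    """Summary lines, flagging ACLs over the per-ACL L4OP limit and the chassis VCU budget."""
    lines = []
    for s in stats.values():
        flag = "  <-- over per-ACL L4OP limit" if s.l4ops > L4OP_LIMIT_PER_ACL else ""
        lines.append(f"{s.name}: {s.aces} ACEs, {s.l4ops} L4OPs, "
                     f"{s.expanded_entries} TCAM entries if fully expanded{flag}")
    total = sum(s.l4ops for s in stats.values())
    lines.append(f"total L4OPs across ACLs: {total} (ingress VCU budget {VCU_LIMIT_INGRESS})")
    return lines


# Constructed sample config, not taken from any real device.
SAMPLE_CONFIG = """\
ip access-list extended INBOUND-FILTER
 permit tcp any any eq 443
 permit tcp any host 192.0.2.10 range 8000 8100
 deny   tcp any any gt 1023
 permit udp any eq domain any
 deny   ip any any
"""

if __name__ == "__main__":
    print("IPv4 share of 26624 at the default ratio:", proportional_ipv4_limit(26624))
    print("\n".join(report(analyze_acl_config(SAMPLE_CONFIG))))
```

Run against a `show running-config` extract of the C6500 ACLs, the report gives a worst-case entry count to compare with the 15530 figure discussed above; the `gt 1023` ACE alone becomes 6 entries and `range 8000 8100` becomes 4 in this model, which is why a few L4OP-heavy ACLs can consume far more TCAM than their ACE count suggests.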


thibaultm
Level 1

Thanks for the advice.
I am perfectly aware that changing the SDM template does not create hardware, but only redistributes it.
