07-12-2024 07:54 AM
Hello,
I will have to migrate a VSS of C6500 to a Stackwise virtual of C9500 high performance.
The 6500 has a lot of access-lists.
I have a 'show tcam counts' of the 6500.
I know the TCAM in the Catalyst 9500 is very much optimized, and I would like to know if a script exists to assess the TCAM consumption of a SWV of C9500 knowing the current consumption on a C6500 VSS.
I googled to find that with no success, so I'm asking here in case someone knows about that.
Maybe the TAC has some scripts internally?
But then who to ask?
Another way of doing that would be, for instance, if a script existed that, based on the current TCAM consumption on a C6500, would issue a recommendation for the most appropriate SDM template for the C9500 High Performance in SWV.
Does such a script exist?
We are never the first to hit a new problem, even "Christopher Columbus is considered by some not to be the first..",
so maybe others have met that and have found interesting tools?
Or it could give someone the idea to make one?
07-12-2024 08:05 AM
- You may find this document useful: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9500-series-switches/217703-understand-hardware-resources-on-catalys.html
M.
07-12-2024 09:04 AM
Hello, I knew that one, I read it already, thanks.
07-12-2024 08:07 AM
07-12-2024 09:09 AM
Thanks, I didn't know that one. It seems really interesting, I'll dive into it.
But it seems to explain the unitary consumption of resources for ACLs, making me understand that if I want a script it'll be someone I know who'll have to write it...
07-13-2024 03:45 AM - edited 07-13-2024 03:48 AM
Hello, by the way, I found the script I was looking for, but for Nexus:
https://github.com/grindelwaldus/Cisco-TCAM-usage-calculator
Is TCAM management very different on Catalyst 9500, or could it provide a hint?
I know the ACL syntax is not the same in Nexus compared to Catalyst, but some years ago
Cisco provided a translation webtool (I used it).
07-13-2024 03:56 AM - edited 07-13-2024 03:56 AM
Friend,
add one IPv4 ACL and use the command from the link I shared to calculate how much TCAM one ACL consumes,
then multiply the number of ACLs you want to configure by that number; it gives the total TCAM number.
MHM
07-13-2024 04:05 AM
Thanks
For TCAM entries, as I see it there is 1 TCAM entry per permit, so it would be possible to count them.
But there are L4OP and VCU, and I don't know if they consume a part of the TCAM too?
07-13-2024 04:08 AM
So make the ACL you use to calculate TCAM contain as much as you can:
make it include L4 port, log, source host and destination subnet,
and check.
And it is true, TCAM is different for each option added to the ACL.
MHM
07-16-2024 04:25 AM
Hello, OK, this time I've read the document you linked thoroughly (thanks again).
I took one ACL of my customer; this ACL includes:
275 permit = 275 TCAM entries
0 deny
173 eq (1 direction) = 173 L4OP + 173x2 VCU
6 range = 6 L4OP + 12 VCU
OK for the TCAM entries, they are taken from the availabilities in the SDM template:
This is the Core template.
Security Ingress IPv4 Access Control Entries*: 7168
So here is my question 1): what about L4OP and VCU?
I saw nothing in the document saying where they were taken from and where their consumption could be observed.
This is a bit worrying because, at the end of the document, it is written:
VCU Exhaustion
Once over the L4OPs limit or out of VCUs, the software performs ACL expansion and creates new ACE entries in order to perform equivalent action without using VCUs.
Once this happens TCAM can become exhausted from these added entries.
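The hand count in the post above, as an added Python example that is not part of the thread and not a Cisco tool. It assumes the post's counting rule (one TCAM entry per ACE, one L4OP and two VCUs per `eq` or `range`, every occurrence counted separately); `tally_acl`, `AclTally`, `fits_ace_budget` and the sample ACL are constructed for illustration.

```python
from dataclasses import dataclass

# Per-operator costs as counted in the 07-16 post (assumption, not verified here).
L4OP_PER_OPERATOR, VCU_PER_OPERATOR = 1, 2
# "Security Ingress IPv4 Access Control Entries" of the Core template, per the post.
CORE_INGRESS_IPV4_ACES = 7168
# Constructed sample ACL (documentation addresses), not a customer ACL.
SAMPLE_ACL = """\
ip access-list extended CONSTRUCTED-SAMPLE
 remark permit eq range words in a remark must not be counted
 10 permit tcp any host 192.0.2.10 eq 443
 20 permit tcp 198.51.100.0 0.0.0.255 any range 1024 2048
 30 permit ip any 203.0.113.0 0.0.0.255
 40 deny udp any any eq 53
"""

@dataclass
class AclTally:
    permits: int = 0
    denies: int = 0  # assumption: a deny costs one entry, like a permit in the post
    eq_ops: int = 0
    range_ops: int = 0
    @property
    def tcam_entries(self) -> int:
        return self.permits + self.denies
    @property
    def l4ops(self) -> int:
        return (self.eq_ops + self.range_ops) * L4OP_PER_OPERATOR
    @property
    def vcus(self) -> int:
        return (self.eq_ops + self.range_ops) * VCU_PER_OPERATOR

def tally_acl(config_text: str) -> AclTally:
    tally = AclTally()
    for line in config_text.splitlines():
        tokens = line.split()
        # Drop "access-list <n>" (numbered form) or a leading sequence number.
        while tokens and (tokens[0] == "access-list" or tokens[0].isdigit()):
            tokens = tokens[1:]
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # ACL header, remark or blank line
        tally.permits += int(tokens[0] == "permit")
        tally.denies += int(tokens[0] == "deny")
        tally.eq_ops += tokens.count("eq")
        tally.range_ops += tokens.count("range")
    return tally

def fits_ace_budget(tally: AclTally, limit: int = CORE_INGRESS_IPV4_ACES) -> bool:
    return tally.tcam_entries <= limit
```

The L4OP and VCU totals still have to be compared by hand with the limits in the linked document, since the thread does not quote them.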
07-16-2024 09:59 AM
Sorry, I've just noticed that L4OPs and VCU scalability is provided at the bottom of the document in a table under
"ACL Scalability:"