cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
598
Views
0
Helpful
1
Replies

Nexus N9K: TCAM Fragmented Entries

grindelwaldus
Level 1
Level 1

Hi guys.

I have several ACLs configured on my N9K. I see a lot of 'fragmented' entries like these:

 [0x0472:0x0474:0x0474] permit tcp 0.0.0.0/0 x.x.x.x/26 fragment routeable 0x1 [0]

It always comes together with 'normal' entries like these:
[0x0473:0x0475:0x0475] permit tcp 0.0.0.0/0 x.x.x.x/26 eq 443 routeable 0x1 [0]
[0x0474:0x0476:0x0476] permit tcp 0.0.0.0/0 x.x.x.x/26 eq 1234 routeable 0x1 [0]
[0x0475:0x0477:0x0477] permit tcp 0.0.0.0/0 x.x.x.x/26 eq 2345 routeable 0x1 [0]
[0x0476:0x0478:0x0478] permit tcp 0.0.0.0/0 1x.x.xx/26 eq 80 routeable 0x1 [0]

One of my ACLs is consuming about 800 ACEs, about 100 of which are those fragmented entries.

 

This document refers to this issue and provide a solutuon to it. It says:

"Default programming model creates parallel non-first fragment entry in hardware for each ACE. This entry matches same source/destination IP addresses and protocol as original ACE, but with no L4 port information and matching on non-initial fragments.

Default fragment handling results in 2X CL TCAM utilization. Configuration knob provided to permit or deny ALL non-initial fragments<...>"

 

Due to my previous experiences I'm now really careful when it comes to doing anything regarding TCAM optimization, so I'd like to understand 1)why exactly TCAM is originally programmed in this non-optimal fashion and 2)what are possible drawbacks of enabling the optimization.

1 Accepted Solution

Accepted Solutions

grindelwaldus
Level 1
Level 1

Got an answer from Cisco TAC.

TLDR: this 'fragment' entries are for fragmented packets, which only have IP headers and don't have TCP/UDP headers. Found out it's documented here: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/8014-acl-wp.html

View solution in original post

1 Reply 1

grindelwaldus
Level 1
Level 1

Got an answer from Cisco TAC.

TLDR: this 'fragment' entries are for fragmented packets, which only have IP headers and don't have TCP/UDP headers. Found out it's documented here: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/8014-acl-wp.html

Review Cisco Networking for a $25 gift card