01-09-2019 07:36 AM - edited 03-08-2019 04:59 PM
Hi, I have a Nexus 9K-YC-EX with the default hardware TCAM profile; when I try to set an IP ACL under an L2 port, the ACL doesn't filter any traffic.
--------------------------------------------------------------------------------
!configuration on port:
!
interface Ethernet1/1
description P7 10 G
ip access-group ACL_IN_P71 in
switchport
switchport access vlan 30
no shutdown
!
--------------------------------------------------------------------------------
I tried to change the "ip access-group" to "ip port access-group" on the interface, but the system shows me an ACLQOS and TCAM failure message.
NX93180(config-if)# ip port access-group ACL_IN_P71 in
TCAM region is not configured. Please configure TCAM region and retry the command
NX93180(config-if)# 2019 Jan 8 09:25:01 NX93180 %$ VDC-1 %$ %ACLQOS-SLOT1-2-ACLQOS_FAILED: ACLQOS failure: TCAM region is not configured for feature PACL class IPv4 direction ingress. Please configure TCAM region Ingress PACL [ing-ifacl] and retry the command.
NX93180(config-if)#
--------------------------------------------------------------------------------
show system internal access-list globals
<partial output>
--------------------------------------------------------------------------------
INSTANCE 0 TCAM Region Information:
--------------------------------------------------------------------------------
Ingress:
--------
Region                      TID   Base   Size   Width
--------------------------------------------------------------------------------
NAT                         13    0      0      1
Ingress PACL                1     0      0      1
Ingress VACL                2     0      0      1
Ingress RACL                3     0      1792   1
Ingress RBACL               4     0      0      1
Ingress L2 QOS              5     1792   256    1
Ingress L3/VLAN QOS         6     2048   512    1
Ingress SUP                 7     2560   512    1
Ingress L2 SPAN ACL         8     3072   256    1
Ingress L3/VLAN SPAN ACL    9     3328   256    1
Ingress FSTAT               10    0      0      1
SPAN                        12    3584   512    1
Ingress REDIRECT            14    0      0      1
--------------------------------------------------------------------------------
Total configured size: 4096
Remaining free size: 0
Note: Ingress SUP region includes Redirect region
Egress:
--------
Region                      TID   Base   Size   Width
--------------------------------------------------------------------------------
Egress VACL                 15    0      0      1
Egress RACL                 16    0      1792   1
Egress SUP                  18    1792   256    1
Egress L2 QOS               19    0      0      1
Egress L3/VLAN QOS          20    0      0      1
--------------------------------------------------------------------------------
Total configured size: 2048
Remaining free size: 0
--------------------------------------------------------------------------------
INSTANCE 1 TCAM Region Information:
--------------------------------------------------------------------------------
Ingress:
--------
Region                      TID   Base   Size   Width
--------------------------------------------------------------------------------
NAT                         13    0      0      1
Ingress PACL                1     0      0      1
Ingress VACL                2     0      0      1
Ingress RACL                3     0      1792   1
I see that PACL doesn't have any resources assigned.
Question 1:
I am thinking of taking 256 or 512 from RACL and assigning it to PACL, but before proceeding with this I want to know whether "ip port access-group acl-name" resolves my issue of filtering traffic under an L2 port.
Question 2:
What are the best-practice values to set for the hardware TCAM resources of PACL and RACL?
01-11-2019 05:46 AM
Hey Hans,
Have you checked out our Nexus 9000 TCAM Carving guide by chance? I think this will likely sort some of your questions.
There are no specific TCAM best practices between PACL vs. RACL aside from the ones listed in the document. All deployments are different and one customer may need tons of RACL whereas you may not use RACL at all.
To answer your question -- That is correct; carving the ing-ifacl region in TCAM will allow you to configure PACLs on L2 ports.
Hope that helps.
01-11-2019 02:05 PM
Hi Andrea, thank you for your support.
Yes, I had seen the Nexus 9000 TCAM Carving doc before; it was referenced in another post.
I decided to take 512 out of RACL and assign it to PACL; I used 512 for PACL because it is the default value on the Nexus 93120.
The configuration applied is:
hardware access-list tcam region ing-racl 1280
hardware access-list tcam region ing-ifacl 512
Save and reload; after that, the ACL works on the L2 port.
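As an added example (not part of the thread and not Cisco's code), here is a small Python script that parses the INSTANCE 0 ingress table Hans posted, shows that the Ingress PACL region has no entries (which is why NX-OS rejected `ip port access-group` with "TCAM region is not configured"), and checks a proposed re-carve before it is typed into the switch: the new sizes must fit inside the instance's total configured size, so on a fully allocated 4096-entry instance adding 512 to ing-ifacl only works if the same amount is taken from another region, as Hans did with ing-racl. The sample table is constructed from the posted output; the region-to-keyword map covers only the two keywords the thread uses, the 256-entry slice granularity is an assumption taken from the carving guide, and double-wide regions are not modelled.

```python
"""Check a Nexus 9000 TCAM re-carve against `show system internal access-list globals`.

Added example, not from the thread. Sample output constructed from the posted table.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: INSTANCE 0 ingress table from the thread, whitespace-aligned.
SAMPLE_OUTPUT = """\
Ingress:
--------
Region                      TID   Base   Size   Width
--------------------------------------------------------------------------------
NAT                         13    0      0      1
Ingress PACL                1     0      0      1
Ingress VACL                2     0      0      1
Ingress RACL                3     0      1792   1
Ingress RBACL               4     0      0      1
Ingress L2 QOS              5     1792   256    1
Ingress L3/VLAN QOS         6     2048   512    1
Ingress SUP                 7     2560   512    1
Ingress L2 SPAN ACL         8     3072   256    1
Ingress L3/VLAN SPAN ACL    9     3328   256    1
Ingress FSTAT               10    0      0      1
SPAN                        12    3584   512    1
Ingress REDIRECT            14    0      0      1
--------------------------------------------------------------------------------
Total configured size: 4096
Remaining free size: 0
"""

# Region names as printed -> keyword accepted by `hardware access-list tcam region`.
# Only the two keywords used in the thread are listed; extend from
# `hardware access-list tcam region ?` on your own release.
REGION_KEYWORDS: Dict[str, str] = {
    "Ingress PACL": "ing-ifacl",
    "Ingress RACL": "ing-racl",
}

# Assumption: regions are carved in 256-entry slices (per the carving guide).
SLICE = 256

# A row is: free-text region name, then TID, Base, Size and Width as integers.
ROW_RE = re.compile(
    r"^(?P<name>\S.*?)\s+(?P<tid>\d+)\s+(?P<base>\d+)\s+(?P<size>\d+)\s+(?P<width>\d+)\s*$"
)
TOTAL_RE = re.compile(r"^Total configured size:\s*(\d+)\s*$")


def parse_tcam_table(text: str) -> Tuple[Dict[str, int], int]:
    """Return ({region name: size}, total configured size) for one instance/direction.

    Width is ignored (assumption: all regions single-wide, as in the sample).
    """
    regions: Dict[str, int] = {}
    total = 0
    for raw in text.splitlines():
        line = raw.strip()
        row = ROW_RE.match(line)
        if row:
            regions[row.group("name")] = int(row.group("size"))
            continue
        tot = TOTAL_RE.match(line)
        if tot:
            total = int(tot.group(1))
    if not regions or not total:
        raise ValueError("region table or total size not found in output")
    return regions, total


def region_is_carved(regions: Dict[str, int], name: str) -> bool:
    """A size-0 region owns no TCAM; features that need it (PACL here) cannot be applied."""
    return regions.get(name, 0) > 0


def plan_recarve(regions: Dict[str, int], total: int,
                 changes: Dict[str, int]) -> Tuple[Dict[str, int], List[str]]:
    """Apply requested sizes, validate them, and return (new sizes, NX-OS commands).

    Commands only take effect after `copy running-config startup-config` and a
    reload, which is why the thread saves and reloads after carving.
    """
    new = dict(regions)
    commands: List[str] = []
    for name, size in changes.items():
        if name not in REGION_KEYWORDS:
            raise ValueError(f"no carve keyword known for region {name!r}")
        if size < 0 or size % SLICE:
            raise ValueError(f"{name}: {size} is not a multiple of {SLICE}")
        new[name] = size
        commands.append(f"hardware access-list tcam region {REGION_KEYWORDS[name]} {size}")
    used = sum(new.values())
    if used > total:
        raise ValueError(f"plan needs {used} entries but the instance has {total}; shrink another region first")
    return new, commands


if __name__ == "__main__":
    regions, total = parse_tcam_table(SAMPLE_OUTPUT)
    print("Ingress PACL carved:", region_is_carved(regions, "Ingress PACL"))
    _, cmds = plan_recarve(regions, total, {"Ingress RACL": 1280, "Ingress PACL": 512})
    print("\n".join(cmds))
```

Run it against the real output of `show system internal access-list globals` for each instance; on this box the ingress total is exactly consumed (Remaining free size: 0), so a plan that only grows ing-ifacl is rejected by the script for the same reason the hardware would have nothing to give it.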