Nexus9000 93180YC-EX - NXOS 7.0(3)I6(1) - PACL Resources

Hans Martinez
Level 1

Hi, I have a Nexus 9K-YC-EX with the default hardware TCAM profile; when I try to set an IP ACL under an L2 port, the ACL doesn't filter any traffic.

 

--------------------------------------------------------------------------------

!configuration on port:
!
interface Ethernet1/1
   description P7 10 G
   ip access-group ACL_IN_P71 in
   switchport
   switchport access vlan 30
   no shutdown
!

--------------------------------------------------------------------------------

 

I tried to change the "ip access-group" to "ip port access-group" on the interface, but the system shows me a message of ACLQOS and TCAM failure.

 

NX93180(config-if)# ip port access-group ACL_IN_P71 in
 TCAM region is not configured. Please configure TCAM region and retry the command
NX93180(config-if)# 2019 Jan  8 09:25:01 NX93180 %$ VDC-1 %$ %ACLQOS-SLOT1-2-ACLQOS_FAILED: ACLQOS failure: TCAM region is not configured for feature PACL class IPv4 direction ingress. Please configure TCAM region Ingress PACL [ing-ifacl] and retry the command.
NX93180(config-if)#

 

--------------------------------------------------------------------------------

 

show system internal access-list globals

<partial output>

 

--------------------------------------------------------------------------------------
                  INSTANCE 0 TCAM Region Information:
--------------------------------------------------------------------------------------
Ingress:
--------
                     Region          TID     Base     Size     Width
--------------------------------------------------------------------------------------
                          NAT         13        0        0         1
                 Ingress PACL          1        0        0         1
                 Ingress VACL          2        0        0         1
                 Ingress RACL          3        0     1792         1
                Ingress RBACL          4        0        0         1
               Ingress L2 QOS          5     1792      256         1
          Ingress L3/VLAN QOS          6     2048      512         1
                  Ingress SUP          7     2560      512         1
          Ingress L2 SPAN ACL          8     3072      256         1
     Ingress L3/VLAN SPAN ACL          9     3328      256         1
                Ingress FSTAT         10        0        0         1
                         SPAN         12     3584      512         1
             Ingress REDIRECT         14        0        0         1
-------------------------------------------------------------------------------------
Total configured size: 4096
Remaining free size: 0
Note: Ingress SUP region includes Redirect region

Egress:
--------
                     Region          TID     Base     Size     Width
--------------------------------------------------------------------------------------
                  Egress VACL         15        0        0         1
                  Egress RACL         16        0     1792         1
                   Egress SUP         18     1792      256         1
                Egress L2 QOS         19        0        0         1
           Egress L3/VLAN QOS         20        0        0         1
-------------------------------------------------------------------------------------
Total configured size: 2048
Remaining free size: 0

--------------------------------------------------------------------------------------
                  INSTANCE 1 TCAM Region Information:
--------------------------------------------------------------------------------------
Ingress:
--------
                     Region          TID     Base     Size     Width
--------------------------------------------------------------------------------------
                          NAT         13        0        0         1
                 Ingress PACL          1        0        0         1
                 Ingress VACL          2        0        0         1
                 Ingress RACL          3        0     1792         1
 

 

 

I see that PACL doesn't have resources assigned.

 

Question 1:

I am thinking of taking 256 or 512 from RACL and assigning it to PACL, but before proceeding with this I want to know if "ip port access-group acl-name" will resolve my issue of traffic filtering under an L2 port.

 

Question 2:

What are the best-practice values to set for the hardware TCAM resources of PACL and RACL?

2 Replies

Andrea Testino
Cisco Employee

Hey Hans,

 

Have you checked out our Nexus 9000 TCAM Carving guide by chance? I think this will likely sort some of your questions.

 

There are no specific TCAM best practices between PACL vs. RACL aside from the ones listed in the document.  All deployments are different and one customer may need tons of RACL whereas you may not use RACL at all.

 

To answer your question -- That is correct; carving the ing-ifacl region in TCAM will allow you to configure PACLs on L2 ports.

 

Hope that helps.

 

 

- Andrea, CCIE #56739 R&S

Hi Andrea, thank you for your support.

 

Yes, I saw the Nexus 9000 TCAM Carving doc before, as a reference in another post.

I decided to take 512 out of RACL to assign later to PACL; I used 512 for PACL because it is the default value on the Nexus 93120.

 

 

The configuration applied is:

 

hardware access-list tcam region ing-racl 1280

hardware access-list tcam region ing-ifacl 512

Save and reload, after that the ACL works on the L2 port.
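
Added example, not part of the original thread: a small Python check that parses the ingress table quoted above and confirms a proposed carve fits the reported total before you commit to a reload. The function names are hypothetical, the sample rows are copied from the thread's INSTANCE 0 output, and treating "Total configured size" as the ingress budget is an assumption taken from that output.

```python
import re

# Constructed sample: ingress rows copied from the "show system internal
# access-list globals" output quoted in the thread (INSTANCE 0).
SAMPLE = """\
                          NAT         13        0        0         1
                 Ingress PACL          1        0        0         1
                 Ingress VACL          2        0        0         1
                 Ingress RACL          3        0     1792         1
                Ingress RBACL          4        0        0         1
               Ingress L2 QOS          5     1792      256         1
          Ingress L3/VLAN QOS          6     2048      512         1
                  Ingress SUP          7     2560      512         1
          Ingress L2 SPAN ACL          8     3072      256         1
     Ingress L3/VLAN SPAN ACL          9     3328      256         1
                Ingress FSTAT         10        0        0         1
                         SPAN         12     3584      512         1
             Ingress REDIRECT         14        0        0         1
Total configured size: 4096
Remaining free size: 0
"""

# Region name (may contain spaces), then TID, Base, Size, Width columns.
ROW = re.compile(r"^\s*(\S.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_regions(text):
    """Return ({region: size}, total configured size) from the table text."""
    sizes, total = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            sizes[m.group(1)] = int(m.group(4))
        elif line.strip().startswith("Total configured size:"):
            total = int(line.split(":")[1])
    return sizes, total

def check_carve(text, changes):
    """Apply {region: new_size}; return (fits, used, total, zero-size regions)."""
    sizes, total = parse_regions(text)
    sizes.update(changes)  # proposed sizes override the current ones
    used = sum(sizes.values())
    empty = [r for r, s in sizes.items() if s == 0]
    return used <= total, used, total, empty

if __name__ == "__main__":
    # ing-ifacl is the CLI name the ACLQOS log gives for "Ingress PACL".
    print(check_carve(SAMPLE, {"Ingress PACL": 512}))
    print(check_carve(SAMPLE, {"Ingress PACL": 512, "Ingress RACL": 1280}))
```

Any region left in the zero-size list will reject its feature the same way the PACL did here, so review that list against the ACL types you intend to apply.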

 
