cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1219
Views
0
Helpful
3
Replies

PBR ACL merge failure

morzain
Level 1
Level 1

Hey everyone,

Normally I am pretty good at finding the answers I am looking for by scouring the web, however this one has us puzzled. We have a 6509 sup720 running 12.2(33)SXH4.

While adding ACL entries to an access-list used for policy based routing we got the following errors:

:FM-ODM: Maximum Number of entries exceeded, ODM gives up

%FM-2-ACL_MERGE_NUM_ACES: ACL merge aborted due to number of ACEs

threshold for features on interface GigabitEthernet1/16 in ingress direction, traffic may be

switched in software

:FM-ODM: Maximum Number of entries exceeded, ODM gives up!

%FM-2-ACL_MERGE_NUM_ACES: ACL merge aborted due to number of ACEs

threshold for features on interface Port-channel4 in ingress direction, traffic may be

switched in software

These errors while adding the access-list entries resulted in traffic going to software, which crushed the CPU on the device causing mayhem on our network.

The only information we could find on this is the following:

Explanation The configured features for this interface may have caused the merge to abort because of hitting the 64000 ACE merge threshold. The traffic on this interface and the interfaces sharing the TCAM label with this interface will be sent to the software.

Recommended Action Redefine and reapply or unconfigure one or more features on the interface.

Our TCAM usage appears to be at 11 percent, and the only thing configured on those interfaces is PBR and netflow so we are at a loss as to what could cause this, and very wary to add any additional PBR settings.

Any help or insight would be very appreciated :-)

--Mike

3 Replies 3

Roberto Salazar
Level 8
Level 8

The message means you are running out of the TCAM resource.

Do you have multiple ACL in the route-map with the deny entry?

Without much detail on what kind of ACL you have I can only guess that the issue is the way the ACL expands inefficiently into TCAM.

Check your ACL see if you have multiple ACL that denies the same addresses.

What I found in the past to resolve this type of issue is change the route-map ACL to all permit entry. with one deny entry ACL (

include all deny entry) at the first route-map statement without setting the next-hop.

the example:

route-map TEST permit 5

description ### DENY ACE ###

match ip address 101

access-list 101 deny udp host 192.168.104.239 eq bootps any

access-list 101 deny udp host 192.168.104.239 eq domain 192.168.2.0 0.0.0.255

access-list 101 deny udp host 192.168.104.239 eq domain 192.168.3.0 0.0.0.255

.....

And then you can remove the deny ACE from all your PERMIT PBR.

Hello,

Thank you for your input, you are indeed correct we do have several overlapping Deny ACL's.

Here is an example with modified IPs:

access-list 2069 deny ip any 192.168.128.0 0.0.63.255

access-list 2069 deny ip any 192.169.128.0 0.0.127.255

access-list 2069 deny ip any 192.170.224.0 0.0.31.255

access-list 2069 deny ip any 192.171.0.0 0.0.15.255

access-list 2069 deny ip any 192.172.192.0 0.0.63.255

access-list 2069 deny ip any 192.173.128.0 0.0.127.255

access-list 2069 deny ip any 192.174.128.0 0.0.63.255

access-list 2069 permit ip host 192.168.140.69 any

access-list 2075 deny ip any 192.168.128.0 0.0.63.255

access-list 2075 deny ip any 192.169.128.0 0.0.127.255

access-list 2075 deny ip any 192.170.224.0 0.0.31.255

access-list 2075 deny ip any 192.171.0.0 0.0.15.255

access-list 2075 deny ip any 192.172.192.0 0.0.63.255

access-list 2075 deny ip any 192.173.128.0 0.0.127.255

access-list 2075 deny ip any 192.174.128.0 0.0.63.255

access-list 2075 permit ip host 192.168.140.75 any

route-map pbr permit 2069

match ip address 2069

set ip next-hop 10.0.0.253

!

route-map pbr permit 2075

match ip address 2075

set ip next-hop 10.0.0.248

Since it is a multihomed network, we are using set ip next hop out particular providers, however if the traffic is destined for an IP inside our network we obviously dont want the PBR to take effect.

We did not think it was a issue with the TCAM being full because "show tcam counts" shows the ACL TCAM usage at 11 percent for masks, and 8 percent for entries.

However I will take your advice and see if that solves our problem. Thank you very much.

Hello,

 

I know this is a very old post.

But i am facing same issue with my core switch  WS-C6509-E (R7000), Version 12.2(33).

i am getting both errors:

%FM-2-ACL_MERGE_NUM_ACES: ACL merge aborted due to number of ACEs threshold for features on interface [chars] in [chars] direction, traffic may be switched in software 

And

%FM-ODM: Maximum Number of entries exceeded, ODM gives up!

I don't have huge ACL, but I have wccp enabled on all my VLAN interfaces with an ACL around 130 deny ACE.

Would an upgrade to a newest image will solve my issue?

Thank you.

Review Cisco Networking for a $25 gift card