02-27-2014 12:19 PM - edited 03-07-2019 06:26 PM
Hi,
I configured a VLAN on a 3750 switch. When I try to access one of that VLAN's servers I don't get any response. I did a capture on that VLAN interface and found that my PC sends the SYN, the server receives it and sends the SYN,ACK back, but this SYN,ACK gets dropped on the VLAN interface and my PC doesn't receive that SYN,ACK message. By the way, there is no L2 or L3 ACL filtering the traffic. In the log I see the following error messages:
13:43:17 CST: %ACLMGR-4-RELOADED: Reloading ACL output label 5 VLAN interfaces 2994 IPv4/Mac feature
13:44:20 CST: %ACLMGR-4-UNLOADING: Unloading ACL output label 5 VLAN interfaces 2994 IPv4/Mac feature
13:44:20 CST: %ACLMGR-4-ACLTCAMFULL: ACL TCAM Full. Software Forwarding packets on Output label 5 on L3 L2
Any idea what is causing the problem?
Thanks
02-27-2014 12:47 PM
Sahir,
Can you post the results of 'show sdm prefer'?
What specific model is this 3750 and what IOS is it currently running?
02-27-2014 12:52 PM
John,
The device is a Cisco WS-C3750G-48TS.
show sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 11K
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 8K
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
02-27-2014 01:01 PM
Sahir,
Sounds like you may need to change your SDM template.

Catalyst 3750 SDM Desktop Template

Resource | Default | Routing | VLAN |
---|---|---|---|
Unicast MAC address | 6K | 3K | 12K |
IGMP groups and Multicast routes | 1K | 1K | 1K |
Unicast routes | 8K | 11K | 0 |
Directly connected hosts | 6K | 3K | 0 |
Indirect routes | 2K | 8K | 0 |
PBR ACEs | 0 | 512 | 0 |
QoS ACEs | 512 | 512 | 512 |
Security ACEs | 1K | 1K | 1K |
VLANs | 1K | 1K | 1K |

13:44:20 CST: %ACLMGR-4-ACLTCAMFULL: ACL TCAM Full. <---
Can you post the results of 'show platform acl label 5' ? and 'show platform tcam utilization' ?
02-27-2014 01:08 PM
here you go:
show platform acl label 5
IPv4/MAC ACL label
------------------
Unloaded due to lack of space:
OutputIPVlanMap
Input Op Select Index 4:
Output Op Select Index 0:
Input Features:
Interfaces or VLANs: Vl2998
Vlan Map: S-Private, 242 VMRs.
Access Group: (none), 0 VMRs.
Multicast Boundary: (none), 0 VMRs.
uRPF : (none), 0 VMRs.
Output Features:
Interfaces or VLANs: Vl2994
Bridge Group Member: no
Vlan Map: IS-Private, 183 VMRs.
Access Group: (none), 0 VMRs.
IPv6 ACL label
--------------
Input Op Select Index 4:
Output Op Select Index 0:
Input Features:
Interfaces or VLANs: Vl2998
Traffic Filter: (none), 0 VMRs.
uRPF ACL:
uRPF ACL : (none), 0 VMRs.
Output Features:
Interfaces or VLANs: Vl2994
Traffic Filter: (none), 0 VMRs.
02-27-2014 01:12 PM
Can you post the following command?
'show platform tcam utilization'
But it looks like you will need to change your SDM template.
02-27-2014 01:19 PM
show platform tcam utilization
CAM Utilization for ASIC# 0 Max Used
Masks/Values Masks/values
Unicast mac addresses: 400/3200 27/129
IPv4 IGMP groups + multicast routes: 152/1216 7/27
IPv4 unicast directly-connected routes: 400/3200 27/129
IPv4 unicast indirectly-connected routes: 1040/8320 383/2967
IPv4 policy based routing aces: 384/512 20/36
IPv4 qos aces: 768/768 324/324
IPv4 security aces: 1024/1024 992/992
Note: Allocation of TCAM entries per feature uses
a complex algorithm. The above information is meant
to provide an abstract view of the current TCAM utilization
02-27-2014 01:23 PM
Sahir,
Here is your problem.
IPv4 security aces: 1024/1024 992/992
Your current SDM profile does not allow for any more ACEs.
From what I understand, I don't think you can go any higher earlier on the 3750s than 1k.
You could try cleaning up some entries.
Here is a good link for you.
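
The diagnosis above can be turned into a repeatable check. This is an added example, not code from the thread or from Cisco: it parses the `show platform tcam utilization` output and the ACLMGR log lines posted here, reports regions close to their limit, and lists ACL labels that were unloaded from hardware. The function names and the 90% alert threshold are assumptions.

```python
import re

# Sample input copied from the command output and log lines posted in this thread.
TCAM_OUTPUT = """\
CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                        400/3200         27/129
 IPv4 IGMP groups + multicast routes:          152/1216          7/27
 IPv4 unicast directly-connected routes:       400/3200         27/129
 IPv4 unicast indirectly-connected routes:    1040/8320        383/2967
 IPv4 policy based routing aces:               384/512          20/36
 IPv4 qos aces:                                768/768         324/324
 IPv4 security aces:                          1024/1024        992/992
"""
SYSLOG = """\
13:43:17 CST: %ACLMGR-4-RELOADED: Reloading ACL output label 5 VLAN interfaces 2994 IPv4/Mac feature
13:44:20 CST: %ACLMGR-4-UNLOADING: Unloading ACL output label 5 VLAN interfaces 2994 IPv4/Mac feature
13:44:20 CST: %ACLMGR-4-ACLTCAMFULL: ACL TCAM Full. Software Forwarding packets on Output label 5 on L3 L2
"""
# Groups: 1 region name, 2 max masks, 3 max values, 4 used masks, 5 used values.
ROW = re.compile(r"^\s*(.+?):\s+(\d+)/(\d+)\s+(\d+)/(\d+)\s*$")
ACLMGR = re.compile(r"%ACLMGR-4-(UNLOADING|ACLTCAMFULL):.*?\b(input|output) label (\d+)", re.I)

def tcam_regions(text):
    """Return {region: (used_values, max_values)} for every utilization row."""
    regions = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and note lines do not match and are skipped
            regions[m.group(1)] = (int(m.group(5)), int(m.group(3)))
    return regions

def near_capacity(regions, threshold=0.90):
    """Regions whose used/max ratio meets the alert threshold (0.90 is an assumption)."""
    return sorted(n for n, (used, cap) in regions.items() if cap and used / cap >= threshold)

def unloaded_labels(log_text):
    """(direction, label) pairs that ACLMGR reports as unloaded or overflowing the TCAM."""
    return sorted({(m.group(2).lower(), int(m.group(3))) for m in ACLMGR.finditer(log_text)})

if __name__ == "__main__":
    regions = tcam_regions(TCAM_OUTPUT)
    for name in near_capacity(regions):
        print(f"{name}: {regions[name][0]}/{regions[name][1]} values in use")
    for direction, label in unloaded_labels(SYSLOG):
        print(f"ACL {direction} label {label} is not fully programmed in hardware")
```

The switch output itself notes that these figures are an abstract view of TCAM allocation, so a flagged region is a prompt to check `show platform acl label` for the affected label, not an exact count of free entries.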
02-27-2014 01:29 PM
John,
I think you are right, the SDM profile is the issue. I will clear some of the entries and see if that will help.
I appreciate your help.
Thanks a lot.
Sahir
03-06-2014 07:38 PM
John,
For unicast routes in the table, for example the 8k that is divided into 6k and 2k for directly connected hosts and indirect routes: is the 8k a shared value or is it restricted for each of the resources? For example, if the indirect routes exceed 2k, will they use any of the other 6k resources?

Catalyst 3750 SDM Desktop Template

Resource | Default | Routing | VLAN |
---|---|---|---|
Unicast MAC address | 6K | 3K | 12K |
IGMP groups and Multicast routes | 1K | 1K | 1K |
Unicast routes | 8K | 11K | 0 |
Directly connected hosts | 6K | 3K | 0 |
Indirect routes | 2K | 8K | 0 |
PBR ACEs | 0 | 512 | 0 |
QoS ACEs | 512 | 512 | 512 |
Security ACEs | 1K | 1K | 1K |
VLANs | 1K | 1K | 1K |

03-06-2014 11:12 PM
Is this issue resolved ?
03-07-2014 05:21 AM
Yes, since it needs the SDM template to be changed, but my last question is about the unicast routes, because I have more than 2k indirect routes, and if I change the SDM template to access I will drop from 8k for indirect routes to 2k, which will lead to another routing issue unless the unicast routes are shared resources, which will fix everything.