01-29-2019 01:08 PM
Hello everyone
When I want to add more IP addresses to object-groups which are used in ACLs, I receive the error below and I cannot add more IP addresses to my object-group:
pfilter_ea[292]: %PKT_INFRA-FEA_DLL-3-TCAM_ERR : TCAM create region error: 'prm_server' detected the 'resource not available' condition 'TCAM resource exhausted.'
Based on the IOS XR System Error Message Reference Guide, the most common cause of this error is that there are no more free TCAM entries available for ACL.
Can someone please help me fix this problem?
Thank you
Can somebody please help me how to
01-30-2019 11:34 AM
Can you send show access-lists ipv4 <acl name> hardware <direction> resource-usage loc <lc>?
This will tell us how many TCAM entries are currently used.
Also send show prm server tcam summary all all all loc <lc> and show controller np ports all loc <lc> and let us know which interface you are trying to apply the config to.
The prm command will tell us how many TCAM entries are used by all apps on each NP and how many entries are free.
Also note that in order to edit an ACL and commit it, we must have in TCAM 1x and 1y TCAM entries (these equate to the existing entries x and the new entries y), so since you are adding entries you will need at least 2x entries until the commit goes through, as we do make before break.
An alternative is to try removing the ACL from the interface, modifying the object-group and then applying the ACL to the interface, to avoid the make before break and double TCAM entries.
Another option is to use ACL compression: when you apply the ACL, like ipv4 access-group <name> <direction>, add the following to the end: compress level 1. There is a performance impact, but the amount of TCAM entries used will go down.
Thanks,
Sam
09-29-2021 08:06 AM
Hi
What kind of performance impact is expected when enabling compression for ACLs?
01-30-2019 12:53 PM
Hi
Thank you for your time and consideration
I removed some unnecessary ACL rules and then I could add IP addresses to object-groups.
I have several ACLs applied on router sub-interfaces and the results are shown below.
I have applied one ACL on more than 10 sub-interfaces for ingress for different purposes.
1-show access-lists ipv4 <acl name> hardware <direction> resource-usage loc <lc> :
Wed Jan 30 15:06:05.340 EST
a)
NP : 0
Rules (ACE) : 8
ACL compression level : 0
Fields compressed : None
TCAM Entries used : 2222 ( 24k total)
TCAM Key Width : 160 ( 0 total for compressed fields)
----------------------------------------------------------
NP : 1
Rules (ACE) : 8
ACL compression level : 0
Fields compressed : None
TCAM Entries used : 2222 ( 24k total)
TCAM Key Width : 160 ( 0 total for compressed fields)
----------------------------------------------------------
NP : 2
Rules (ACE) : 8
ACL compression level : 0
Fields compressed : None
TCAM Entries used : 2222 ( 24k total)
TCAM Key Width : 160 ( 0 total for compressed fields)
b)
NP : 2
Rules (ACE) : 12
ACL compression level : 0
Fields compressed : None
TCAM Entries used : 2260 ( 24k total)
TCAM Key Width : 160 ( 0 total for compressed fields)
----------------------------------------------------------
NP : 3
Rules (ACE) : 12
ACL compression level : 0
Fields compressed : None
TCAM Entries used : 2260 ( 24k total)
TCAM Key Width : 160 ( 0 total for compressed fields)
c)
NP : 2
Rules (ACE) : 12
ACL compression level : 0
Fields compressed : None
TCAM Entries used : 2262 ( 24k total)
TCAM Key Width : 160 ( 0 total for compressed fields)
d)
NP : 1
Rules (ACE) : 4
ACL compression level : 0
Fields compressed : None
TCAM Entries used : 122 ( 24k total)
TCAM Key Width : 160 ( 0 total for compressed fields)
2-I can not use #show prm because I got this error
RP/0/RSP0/CPU0:Router#show prm ?
% Invalid input detected at '^' marker.
RP/0/RSP0/CPU0:Main-Router#show prm
Instead I put the result from #show pfilter-ea fea summary location 0/0/CPU0
******** NP Resource Usage Summary ************
Chan # 160-bit TCAM Entries 640-bit TCAM Entries Stats SS Hash Entries
========================================================================
0 2222 24 17 0
1 2344 24 21 0
2 6736 24 41 0
3 2256 0 12 0
4 0 0 0 0
5 0 0 0 0
6 0 0 0 0
7 0 0 0 0
3-show controller np ports all loc <lc> :
Wed Jan 30 15:09:07.401 EST
Node: 0/0/CPU0:
----------------------------------------------------------------
NP Bridge Fia Ports
-- ------ --- ---------------------------------------------------
0 -- 0 TenGigE0/0/0/0 - TenGigE0/0/0/2
1 -- 0 TenGigE0/0/0/3 - TenGigE0/0/0/5
2 -- 1 TenGigE0/0/0/6 - TenGigE0/0/0/8
3 -- 1 TenGigE0/0/0/9 - TenGigE0/0/0/11
4 -- 2 TenGigE0/0/0/12 - TenGigE0/0/0/14
5 -- 2 TenGigE0/0/0/15 - TenGigE0/0/0/17
6 -- 3 TenGigE0/0/0/18 - TenGigE0/0/0/20
7 -- 3 TenGigE0/0/0/21 - TenGigE0/0/0/23
How can I find out the maximum size of TCAM, and how to change it in the future if it is possible?
Thank you
01-30-2019 12:58 PM
show prm server tcam summary all all all loc <lc> will tell you. You have a -TR card, it seems, so it has 24k entries in the v4 space. See below, annotated.
Thu Jan 31 03:24:02.851 EST
Node: 0/3/CPU0:
----------------------------------------------------------------
TCAM summary for NP0:
TCAM Logical Table: TCAM_LT_L2 (1)
Partition ID: 0, priority: 2, valid entries: 6, free entries: 2042
Partition ID: 1, priority: 2, valid entries: 0, free entries: 2048
Partition ID: 2, priority: 1, valid entries: 0, free entries: 2048
Partition ID: 3, priority: 1, valid entries: 203, free entries: 24373
Partition ID: 4, priority: 0, valid entries: 22, free entries: 67562
TCAM Logical Table: TCAM_LT_ODS2 (2), free entries: 61985, resvd 128 <--- v4 space with total free entries
ACL Common Region: 448 entries allocated. 448 entries free
Application ID: NP_APP_ID_IFIB (0)
Total: 1 vmr_ids, 8005 active entries, 8005 allocated entries.
Application ID: NP_APP_ID_QOS (1)
Total: 1 vmr_ids, 13 active entries, 13 allocated entries.
Application ID: NP_APP_ID_ACL (2)
Total: 6 vmr_ids, 27725 active entries, 27725 allocated entries.
Application ID: NP_APP_ID_AFMON (3)
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Application ID: NP_APP_ID_LI (4)
Total: 1 vmr_ids, 0 active entries, 0 allocated entries.
Application ID: NP_APP_ID_PBR (5)
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
TCAM Logical Table: TCAM_LT_ODS8 (3), free entries: 15149, resvd 64 <-- v6 free entries
ACL Common Region: 448 entries allocated. 448 entries free
Application ID: NP_APP_ID_IFIB (0)
Total: 1 vmr_ids, 703 active entries, 703 allocated entries.
Application ID: NP_APP_ID_QOS (1)
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Application ID: NP_APP_ID_ACL (2)
Total: 4 vmr_ids, 20 active entries, 20 allocated entries.
Application ID: NP_APP_ID_PBR (5)
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Application ID: NP_APP_ID_EDPL (6)
Total: 0 vmr_ids, 0 active entries, 0 allocated entries.
Thanks,
Sam
01-30-2019 01:12 PM
Thank you
But I cannot use the show prm command.
I do not know why.
It does not accept server after prm.
01-30-2019 07:58 PM
It requires the cisco-support task group READ attribute, check show user tasks to see if you have that task assigned or not.
Sam
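An added example, not from any poster in this thread or from Cisco: Python that parses output in the two formats quoted above and checks, per NP, whether an in-place ACL edit fits under the make-before-break behaviour described earlier. The sample text is constructed, the function names are hypothetical, and the rule that a full new copy (existing entries plus added ones) must fit in the free v4 entries while the old copy stays installed is an assumed reading of that description.

```python
import re

# Constructed samples in the format of the outputs quoted in this thread.
RESOURCE_USAGE = """\
NP : 0
Rules (ACE) : 8
TCAM Entries used : 2222 ( 24k total)
----------------------------------------------------------
NP : 2
Rules (ACE) : 12
TCAM Entries used : 2260 ( 24k total)
"""
PRM_SUMMARY = """\
TCAM summary for NP0:
TCAM Logical Table: TCAM_LT_ODS2 (2), free entries: 3100, resvd 128
TCAM Logical Table: TCAM_LT_ODS8 (3), free entries: 15149, resvd 64
TCAM summary for NP2:
TCAM Logical Table: TCAM_LT_ODS2 (2), free entries: 1900, resvd 128
"""

def acl_entries_per_np(text):
    """Map NP number -> TCAM entries the ACL currently uses on that NP."""
    usage, np_id = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*NP\s*:\s*(\d+)", line):
            np_id = int(m.group(1))
        elif (m := re.match(r"\s*TCAM Entries used\s*:\s*(\d+)", line)) and np_id is not None:
            usage[np_id] = int(m.group(1))
    return usage

def free_v4_per_np(text):
    """Map NP number -> free entries in the v4 table (TCAM_LT_ODS2)."""
    free, np_id = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*TCAM summary for NP(\d+):", line):
            np_id = int(m.group(1))
        elif (m := re.search(r"TCAM_LT_ODS2 \(\d+\), free entries: (\d+)", line)) and np_id is not None:
            free[np_id] = int(m.group(1))
    return free

def edit_headroom(usage, free, added_entries):
    """NP -> (fits, shortfall) for an in-place edit under make-before-break."""
    result = {}
    for np_id, used in usage.items():
        needed = used + added_entries   # assumed: full new copy, old copy still installed
        avail = free.get(np_id, 0)      # NP missing from the summary counts as no headroom
        result[np_id] = (needed <= avail, max(0, needed - avail))
    return result

if __name__ == "__main__":
    print(edit_headroom(acl_entries_per_np(RESOURCE_USAGE), free_v4_per_np(PRM_SUMMARY), 500))
```

A shortfall on any NP means the commit is likely to hit the TCAM exhaustion error on that NP unless the ACL is detached first or compression is used, the two alternatives given in the thread.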