[c-nsp] 3550s, SDM, and Feature Manager

Brandon Ewing nicotine at warningg.com
Tue Apr 20 02:53:52 EDT 2010


Can anyone provide some kind of insight as to exactly how the
feature-manager on a 3550 handles assigning Vlan interfaces to vlan-labels?
I ran into some issues tonight attempting to deploy an ACL across all
interfaces on a 3550, where the switch started switching some Vlan
interfaces in software.  From what I can tell, the switch is organizing
different Vlans into different vlan-labels in feature manager, and each
vlan-label would compile and attempt to install my ACL, instead of all the
vlan interfaces being grouped into a single vlan-label, that only compiled
the ACL once.  This is causing a major issue, as I'm unable to actually
deploy an 11-line ACL on 40 Vlan interfaces on a single 3550 with the default
SDM template (1K security ACL TCAM entries).

From switch to switch the number of vlan-labels and vlans changes -- I'm
really only running into TCAM exhaustion issues on 10% of my switches that I
attempt this on.  But I am curious as to what's going on internally, and why
two interfaces, that seem to be relatively identical, would end up on
different vlan-labels.

For example -- two interfaces, both configured almost identically, but
assigned to different vlan-labels.  Output of most of the relevant commands
I know follows.  If anyone can provide any insight, it would be appreciated.

interface Vlan104
 description deviceid=12345/server1.example.com
 ip address 10.10.34.17 255.255.255.248 secondary
 ip address 192.168.184.233 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
end

interface Vlan137
 description object_id=54321/server2.example.com
 ip address 172.17.96.49 255.255.255.248 secondary
 ip address 192.168.187.185 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
end

#show fm vlan-label 8
Input Features:
  Interfaces or VLANs:  Vl104
  Priority: normal
  Bits: NoUnreach NoRedirect
  Vlan Map: (none), 0 VMRs.
  Access Group: (none), 1 VMRs.
  Multicast Boundary: (none), 0 VMRs.
Output Features:
  Interfaces or VLANs:
  Priority: low
  Bridge Group Member: no
  Vlan Map: (none), 0 VMRs.
  Access Group: (none), 0 VMRs.

#show fm vlan-label 6
Input Features:
  Interfaces or VLANs:  Vl137
  Priority: normal
  Bits: NoUnreach NoRedirect
  Vlan Map: (none), 0 VMRs.
  Access Group: (none), 1 VMRs.
  Multicast Boundary: (none), 0 VMRs.
Output Features:
  Interfaces or VLANs:
  Priority: low
  Bridge Group Member: no
  Vlan Map: (none), 0 VMRs.
  Access Group: (none), 0 VMRs.

#show tcam inacl 1 vlan-l 8
Label Value: 8200(vlan label 8) Number of entries: 12
Index Ts CAM                                                            As data
================================================================================
4     msk F4 00 00 00 00 E0 00 00 00 80 FF 00 00 C0 00 FF 00 00
36    1   94 00 00 00 00 E0 00 00 00 80 08 00 00 00 00 09 00 00             00260086
5     msk F5 00 00 00 00 E0 00 00 00 80 FF 80 00 C0 00 00 FF FF
37    4   94 00 00 00 00 E0 00 00 00 80 08 00 00 40 00 00 02 08             00260086
6     msk F6 00 00 00 00 00 00 00 00 80 FF 00 00 C0 00 FE 00 00
52    1   96 00 00 00 00 00 00 00 00 80 08 00 00 00 00 58 00 00             00260086
7     msk F6 00 00 00 00 00 00 00 00 80 FF 00 00 C0 00 FF 00 00
57    4   96 00 00 00 00 00 00 00 00 80 08 00 00 00 00 09 00 00             00260086
7     msk F6 00 00 00 00 00 00 00 00 80 FF 00 00 C0 00 FF 00 00
59    64  96 00 00 00 00 00 00 00 00 80 08 00 00 00 00 67 00 00             00260086
9     msk FC FF FF 00 00 00 00 00 00 80 FF 00 01 00 00 00 00 00
75    152 90 08 06 00 00 00 00 00 00 80 08 00 01 00 00 00 00 00             00260086
10    msk F7 00 00 00 00 00 00 00 00 80 FF 80 00 C0 FF FF 00 00
84    1   96 00 00 00 00 00 00 00 00 80 08 00 00 80 00 B3 00 00             00260086
11    msk F7 00 00 00 00 00 00 00 00 80 FF 80 00 C0 00 00 FF FF
89    4   96 00 00 00 00 00 00 00 00 80 08 00 00 80 00 00 00 B3             00260086
11    msk F7 00 00 00 00 00 00 00 00 80 FF 80 00 C0 00 00 FF FF
91    64  96 00 00 00 00 00 00 00 00 80 08 00 00 40 00 00 02 08             00260086
13    msk FE FF FF 00 00 00 00 00 00 80 FF 00 00 00 00 00 00 00
107   1   92 08 06 00 00 00 00 00 00 80 08 00 00 00 00 00 00 00             00260086
IP default entry
202   msk F 0 1 0 0 1 00 FF 0 00 0 0 0000 00000000 0000 00000000 0000
1624  80  9 0 1 0 0 1 00 08 0 00 0 0 0000 00000000 0000 00000000 0000 00002082
non-IP default entry
203   msk F 0 1 0 0 1 00 FF 0 00 0 0 0000 000000000000  000000000000
1625  45  9 0 0 0 0 1 00 08 0 00 0 0 0000 000000000000  000000000000  00000082


#show tcam inacl 1 vlan-label 6
Label Value: 8198(vlan label 6) Number of entries: 12
Index Ts CAM                                                            As data
================================================================================
4     msk F4 00 00 00 00 E0 00 00 00 80 FF 00 00 C0 00 FF 00 00
44    1   94 00 00 00 00 E0 00 00 00 80 06 00 00 00 00 09 00 00             00260086
5     msk F5 00 00 00 00 E0 00 00 00 80 FF 80 00 C0 00 00 FF FF
45    4   94 00 00 00 00 E0 00 00 00 80 06 00 00 40 00 00 02 08             00260086
6     msk F6 00 00 00 00 00 00 00 00 80 FF 00 00 C0 00 FE 00 00
60    1   96 00 00 00 00 00 00 00 00 80 06 00 00 00 00 58 00 00             00260086
9     msk FC FF FF 00 00 00 00 00 00 80 FF 00 01 00 00 00 00 00
69    243 90 08 06 00 00 00 00 00 00 80 06 00 01 00 00 00 00 00             00260086
8     msk F6 00 00 00 00 00 00 00 00 80 FF 00 00 C0 00 FF 00 00
72    1   96 00 00 00 00 00 00 00 00 80 06 00 00 00 00 09 00 00             00260086
8     msk F6 00 00 00 00 00 00 00 00 80 FF 00 00 C0 00 FF 00 00
74    16  96 00 00 00 00 00 00 00 00 80 06 00 00 00 00 67 00 00             00260086
10    msk F7 00 00 00 00 00 00 00 00 80 FF 80 00 C0 FF FF 00 00
92    60  96 00 00 00 00 00 00 00 00 80 06 00 00 80 00 B3 00 00             00260086
13    msk FE FF FF 00 00 00 00 00 00 80 FF 00 00 00 00 00 00 00
101   86  92 08 06 00 00 00 00 00 00 80 06 00 00 00 00 00 00 00             00260086
12    msk F7 00 00 00 00 00 00 00 00 80 FF 80 00 C0 00 00 FF FF
104   1   96 00 00 00 00 00 00 00 00 80 06 00 00 80 00 00 00 B3             00260086
12    msk F7 00 00 00 00 00 00 00 00 80 FF 80 00 C0 00 00 FF FF
106   43  96 00 00 00 00 00 00 00 00 80 06 00 00 40 00 00 02 08             00260086
IP default entry
202   msk F 0 1 0 0 1 00 FF 0 00 0 0 0000 00000000 0000 00000000 0000
1620  146 9 0 1 0 0 1 00 06 0 00 0 0 0000 00000000 0000 00000000 0000 00002082
non-IP default entry
203   msk F 0 1 0 0 1 00 FF 0 00 0 0 0000 000000000000  000000000000
1621  156 9 0 0 0 0 1 00 06 0 00 0 0 0000 000000000000  000000000000  00000082

-- 
Brandon Ewing                                        (nicotine at warningg.com)
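
An added example, not part of the original post: a Python script that parses pasted "show fm vlan-label" output and lists vlan-labels whose input feature lines are textually identical, as labels 8 and 6 are above. The sample text is trimmed from the outputs in the post, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input, trimmed from the two "show fm vlan-label" outputs in the post.
SAMPLE = """\
#show fm vlan-label 8
Input Features:
  Interfaces or VLANs:  Vl104
  Priority: normal
  Bits: NoUnreach NoRedirect
  Vlan Map: (none), 0 VMRs.
  Access Group: (none), 1 VMRs.
  Multicast Boundary: (none), 0 VMRs.
Output Features:
  Interfaces or VLANs:
  Priority: low
#show fm vlan-label 6
Input Features:
  Interfaces or VLANs:  Vl137
  Priority: normal
  Bits: NoUnreach NoRedirect
  Vlan Map: (none), 0 VMRs.
  Access Group: (none), 1 VMRs.
  Multicast Boundary: (none), 0 VMRs.
Output Features:
  Interfaces or VLANs:
  Priority: low
"""

def parse_labels(text):
    """Map each vlan-label to its input-side interfaces and feature lines."""
    labels = {}
    section = r"show fm vlan-label (\d+)\n(.*?)(?=^#show|\Z)"
    for m in re.finditer(section, text, re.S | re.M):
        label, body = int(m.group(1)), m.group(2)
        inp = body.split("Output Features:")[0]   # input half only
        fields = dict(re.findall(r"^[ \t]+([^:\n]+):[ \t]*(.*)$", inp, re.M))
        ifaces = fields.pop("Interfaces or VLANs", "").split()
        labels[label] = {"interfaces": ifaces,
                         "signature": tuple(sorted(fields.items()))}
    return labels

def split_groups(labels):
    """Return lists of labels that share an identical input feature signature."""
    groups = defaultdict(list)
    for label, info in labels.items():
        groups[info["signature"]].append(label)
    return [sorted(v) for v in groups.values() if len(v) > 1]
```

Each group returned is a set of labels that look the same in this output yet each hold their own compiled copy of the ACL in TCAM.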