[c-nsp] ACL TCAM LOU exhaustion on 7600 running 15.1 code

John Neiberger jneiberger at gmail.com
Mon May 5 12:49:49 EDT 2014


We had an interesting issue arise on Friday and I'm still wrestling with
it. The short story is that we have a 7600 with a lot of ACLs on it, some
of which are very long and most ACEs are port specific. This uses up a lot
of ACL TCAM LOUs, or logical objects. I didn't discover that until later,
though.

An ACL was updated on this 7600. Four lines were added. That ACL is applied
to a single interface. It appears that after those lines were added,
traffic that is NOT traversing that interface was affected. The symptoms
were intermittent connectivity in some cases. When we removed the ACL, the
traffic in question apparently began functioning. When we added the ACL
back to the interface, the traffic began to break again. Remember, this ACL
is NOT in the transit path for the traffic in question.

My first thought was TCAM. I checked "show platform hardware capacity acl"
and saw that LOUdst was at 100% with the ACL applied, but it was at 81%
with the ACL removed.

I've heard that if TCAM is overloaded, some ACLs will be processed by the
CPU, which clearly could cause problems. However, I did not see any rise in
CPU usage during this period.

Also, if we just remove the four new lines that were added, the LOUdst
value is still at 100%. I remain unconvinced that this was actually the
root cause for the issue.

Do any of you have any experience with this? What would be the expected
outcome of running out of LOU space in the ACL TCAM?

Thanks,
John

