[c-nsp] ACL TCAM LOU exhaustion on 7600 running 15.1 code

Mack McBride mack.mcbride at viawest.com
Mon May 5 19:25:41 EDT 2014


When LOUs are exhausted some ACLs with LOUs will get processed as if the port specific portion did not exist.
This can cause all kinds of weirdness.  Often it requires a router reboot to fully correct TCAM and LOU overflows.
The solution is to pick a minimum set of port ranges that works for your configuration and don't use other port
ranges.  As Saku Ytti stated, it is more than the range command.
Specifically: lt, gt, neq, range, established.

One other note is that the ACL compiler will attempt to expand ACLs for range commands provided there aren't
too many ports in the range.  This can cause TCAM exhaustion rather than LOU exhaustion.

The following document applies to all sup720 and rsp720 variants:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml#wp43500

Mack McBride | Network Architect | ViaWest, Inc.
O: 720.891.2502 | mack.mcbride at viawest.com | www.viawest.com | LinkedIn | Twitter | YouTube
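To make the advice above actionable, here is an added example (not from the thread, and not a Cisco tool) that audits an IOS-style extended ACL for the port operators the reply names as LOU consumers (lt, gt, neq, range, established), counts how many distinct source-side and destination-side operators the ACL needs, and flags small ranges that the compiler would expand into per-port TCAM entries instead. The sample ACL is constructed; the expansion threshold (RANGE_EXPAND_THRESHOLD), the single-argument treatment of eq, and the counting model itself are assumptions that follow the thread's description rather than the platform's exact accounting:

```python
"""Audit an IOS-style extended ACL for port operators that consume LOUs (added example)."""
from collections import Counter

# Assumed threshold: a range covering this many ports or fewer is modelled as
# expanded into one TCAM entry per port instead of consuming a LOU. The real
# cut-off is platform-specific and is not stated in the thread.
RANGE_EXPAND_THRESHOLD = 8

PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}  # operator -> argument count
LOU_OPS = {"neq", "lt", "gt", "range"}  # operators the thread names as LOU consumers

# Constructed sample ACL (hypothetical addresses from the documentation ranges).
SAMPLE_ACL = """ip access-list extended EDGE-IN
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.10 range 8000 8005
 permit tcp any host 192.0.2.11 gt 1023
 permit tcp any host 192.0.2.12 gt 1023
 permit tcp any eq 53 host 192.0.2.13 range 10000 20000
 permit udp any host 192.0.2.13 neq 161
 permit tcp any host 192.0.2.14 lt 1024
 permit tcp any host 192.0.2.15 established
 permit tcp any gt 1023 host 192.0.2.16 eq 22
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.17 range 3000 3001
 deny ip any any"""


def _take_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (text, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def _take_port_op(tokens, i):
    """Consume an optional port operator; 'eq' is modelled with one argument (simplification)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]]
        return (tokens[i], tuple(tokens[i + 1:i + 1 + n])), i + 1 + n
    return None, i


def parse_ace(line):
    """Parse one ACE; returns None for headers, remarks and blank lines."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        return None
    i = 2
    src, i = _take_addr(tokens, i)
    src_op, i = _take_port_op(tokens, i)
    dst, i = _take_addr(tokens, i)
    dst_op, i = _take_port_op(tokens, i)
    return {"action": tokens[0], "proto": tokens[1], "src": src, "src_op": src_op,
            "dst": dst, "dst_op": dst_op, "established": "established" in tokens[i:]}


def _range_span(op):
    lo, hi = int(op[1][0]), int(op[1][1])
    return hi - lo + 1


def audit_acl(text, expand_threshold=RANGE_EXPAND_THRESHOLD):
    """Count distinct LOU-consuming operators per side and estimate TCAM entries."""
    src_lou, dst_lou = Counter(), Counter()
    expanded, tcam_entries, established = [], 0, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        ace = parse_ace(raw)
        if ace is None:
            continue
        entries = 1
        for side, counter in (("src_op", src_lou), ("dst_op", dst_lou)):
            op = ace[side]
            if op is None or op[0] not in LOU_OPS:
                continue  # no operator, or plain eq: a direct match, no LOU needed
            if op[0] == "range" and _range_span(op) <= expand_threshold:
                entries *= _range_span(op)  # compiler expands it into per-port entries
                expanded.append((lineno, _range_span(op)))
                continue
            counter[f"{op[0]} {' '.join(op[1])}"] += 1
        if ace["established"]:
            established += 1
        tcam_entries += entries
    return {"src_lou_ops": src_lou, "dst_lou_ops": dst_lou, "established_aces": established,
            "expanded_ranges": expanded, "tcam_entries": tcam_entries}


def report(result):
    """Print the distinct operators so single-use ones can be folded into a shared set."""
    for side in ("src_lou_ops", "dst_lou_ops"):
        print(f"{side}: {len(result[side])} distinct")
        for op, uses in sorted(result[side].items()):
            print(f"  {op:<22} used by {uses} ACE(s)")
    print(f"established ACEs: {result['established_aces']}")
    print(f"ranges expanded into TCAM entries (line, ports): {result['expanded_ranges']}")
    print(f"estimated TCAM entries: {result['tcam_entries']}")


if __name__ == "__main__":
    report(audit_acl(SAMPLE_ACL))
```

Run it against a saved `show run` section before pushing an ACL change: operators that appear only once, or near-duplicates such as `gt 1023` beside `gt 1024`, are the candidates to normalise onto the minimum set of port ranges the reply recommends, and a growing `expanded_ranges` list is the early sign that range expansion is shifting the pressure from LOUs onto TCAM entries.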



-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Neiberger
Sent: Monday, May 05, 2014 10:50 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ACL TCAM LOU exhaustion on 7600 running 15.1 code

We had an interesting issue arise on Friday and I'm still wrestling with it. The short story is that we have a 7600 with a lot of ACLs on it, some of which are very long and most ACEs are port specific. This uses up a lot of ACL TCAM LOUs, or logical objects. I didn't discover that until later, though.

An ACL was updated on this 7600. Four lines were added. That ACL is applied to a single interface. It appears that after those lines were added, traffic that is NOT traversing that interface was affected. The symptoms were intermittent connectivity in some cases. When we removed the ACL, the traffic in question apparently began functioning. When we added the ACL back to the interface, the traffic began to break again. Remember, this ACL is NOT in the transit path for the traffic in question.

My first thought was TCAM. I checked "show platform hardware capacity acl" and saw that LOUdst was at 100% with the ACL applied, but it was at 81% with the ACL removed.

I've heard that if TCAM is overloaded, some ACLs will be processed by the CPU, which clearly could cause problems. However, I did not see any rise in CPU usage during this period.

Also, if we just remove the four new lines that were added, the LOUdst value is still at 100%. I remain unconvinced that this was actually the root cause for the issue.

Do any of you have any experience with this? What would be the expected outcome of running out of LOU space in the ACL TCAM?

Thanks,
John
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


