[j-nsp] EX switches and TCAM utilisation

Richard A Steenbergen ras at e-gerbil.net
Wed May 18 13:42:22 EDT 2011 

On Wed, May 18, 2011 at 05:10:54PM +0100, William J Hulley wrote:
> Hi,
> 
> I'm using some EX3200s running 10.0S6.1 and developing a configuration 
> using filter based forwarding to policy route traffic between routing 
> instances.
> 
> It's all working fine in the lab but I'm concerned about the potential 
> growth of the firewall policy and utilisation of the TCAM in 
> production and would obviously like to model the usage and monitor it.
> 
> Are there any known supported/un-supported ways of getting useful 
> stats out of the box beyond just relying on syslog messages saying 
> there isn't enough cam?

Drop into the fpc shell from root, like so:

RE:0% vty fpc0

BSD platform (MPC 8544 processor, 48MB memory, 0KB flash)

PFEM0(vty)# 


Next you need to find the vendor ID for the platform, like so:

PFEM0(vty)# show tcam vendor    
Vendor = internal_ch3_tcam Vendor_id = 1

For EX8200 it's vendor id 6, for EX3200 it seems to be vendor id 1.

Then you need to find the instance ID for the hardware you're looking 
for. On EX8200 I know instance 2 is used for GE cards, instance 4 is 
used for XE cards. On EX3200 there only seems to be instance 2 (as 
you'd expect):

PFEM0(vty)# show tcam vendor 1 instances    

 Vendor         Instance        Page Size
--------------------------------------------
 internal_ch3_tcam         2         4 


So then to view the usage info for this vendor/instance:

PFEM0(vty)# show tcam vendor 1 instance 2 rules    
Number of rules as Ingress PACL: 0
Number of rules as Ingress VACL: 0
Number of rules as Ingress RACL: 528
Number of rules as   Egress PCL: 135

528 Ingress RACL rules

HW-index    Page_id    Entry_id    rule_size         fw_id    Rule
--------------------------------------------------------------------------------
    6296       1574           0            2            27    AUTOFW-INVALID-PROTOCOLS.ext.0
    6298       1574           2            2            27    AUTOFW-INVALID-PROTOCOLS.ext.1
    6496       1624           0            2            27    AUTOFW-BORDER-FILTERED-PROTOCOLS.ext.0
    6498       1624           2            2            27    AUTOFW-BORDER-FILTERED-PROTOCOLS.ext.1
    6708       1677           0            2            27    AUTOFW-BORDER-LIMIT-IP-OPTIONS.ext.0
    6710       1677           2            2            27    AUTOFW-BORDER-LIMIT-IP-OPTIONS.ext.1
    6960       1740           0            2            27    AUTOFW-LIMIT-ICMP-ECHO.ext.0
...

TCAM utilization: 1326(used), 12938(free), 14264(total)

And there is your total tcam utilization above. Depending on code and 
platform it may show you a slightly different view, for example here is 
the utilization on an EX8200 running older 10.1 code:

PFEM15(vty)# show tcam vendor 6 instance 4 rules    
Instance 4
  DB 0      Ingr PACL:        0/     996 (current/max) rules. Util. 0.000%
  DB 1      Ingr VACL:        0/   12288 (current/max) rules. Util. 0.000%
  DB 2      Ingr RACL:      410/   32768 (current/max) rules. Util. 1.251%
  DB 3       Egr PACL:        0/    1024 (current/max) rules. Util. 0.000%
  DB 4       Egr PCL1:      103/    8188 (current/max) rules. Util. 1.258%

But you get the gist. :)

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

More information about the juniper-nsp mailing list