[j-nsp] EX switches and TCAM utilisation

William J Hulley bill.hulley at gmail.com
Wed May 18 13:48:57 EDT 2011


Wonderful, thanks!

On 18 May 2011, at 18:42, Richard A Steenbergen wrote:
> On Wed, May 18, 2011 at 05:10:54PM +0100, William J Hulley wrote:
>> Hi,
>> 
>> I'm using some EX3200s running 10.0S6.1 and developing a configuration 
>> using filter based forwarding to policy route traffic between routing 
>> instances.
>> 
>> It's all working fine in the lab but I'm concerned about the potential 
>> growth of the firewall policy and utilisation of the TCAM in 
>> production and would obviously like to model the usage and monitor it.
>> 
>> Are there any known supported/un-supported ways of getting useful 
>> stats out of the box beyond just relying on syslog messages saying 
>> there isn't enough cam?
> 
> Drop into the fpc shell from root, like so:
> 
> RE:0% vty fpc0
> 
> BSD platform (MPC 8544 processor, 48MB memory, 0KB flash)
> 
> PFEM0(vty)# 
> 
> 
> Next you need to find the vendor ID for the platform, like so:
> 
> PFEM0(vty)# show tcam vendor    
> Vendor = internal_ch3_tcam Vendor_id = 1
> 
> For EX8200 it's vendor id 6, for EX3200 it seems to be vendor id 1.
> 
> Then you need to find the instance ID for the hardware you're looking 
> for. On EX8200 I know instance 2 is used for GE cards, instance 4 is 
> used for XE cards. On EX3200 there only seems to be instance 2 (as 
> you'd expect):
> 
> PFEM0(vty)# show tcam vendor 1 instances    
> 
> Vendor         Instance        Page Size
> --------------------------------------------
> internal_ch3_tcam         2         4 
> 
> 
> So then to view the usage info for this vendor/instance:
> 
> PFEM0(vty)# show tcam vendor 1 instance 2 rules    
> Number of rules as Ingress PACL: 0
> Number of rules as Ingress VACL: 0
> Number of rules as Ingress RACL: 528
> Number of rules as   Egress PCL: 135
> 
> 528 Ingress RACL rules
> 
> HW-index    Page_id    Entry_id    rule_size         fw_id    Rule
> --------------------------------------------------------------------------------
>    6296       1574           0            2            27    AUTOFW-INVALID-PROTOCOLS.ext.0
>    6298       1574           2            2            27    AUTOFW-INVALID-PROTOCOLS.ext.1
>    6496       1624           0            2            27    AUTOFW-BORDER-FILTERED-PROTOCOLS.ext.0
>    6498       1624           2            2            27    AUTOFW-BORDER-FILTERED-PROTOCOLS.ext.1
>    6708       1677           0            2            27    AUTOFW-BORDER-LIMIT-IP-OPTIONS.ext.0
>    6710       1677           2            2            27    AUTOFW-BORDER-LIMIT-IP-OPTIONS.ext.1
>    6960       1740           0            2            27    AUTOFW-LIMIT-ICMP-ECHO.ext.0
> ...
> 
> TCAM utilization: 1326(used), 12938(free), 14264(total)
> 
> And there is your total tcam utilization above. Depending on code and 
> platform it may show you a slightly different view, for example here is 
> the utilization on an EX8200 running older 10.1 code:
> 
> PFEM15(vty)# show tcam vendor 6 instance 4 rules    
> Instance 4
>  DB 0      Ingr PACL:        0/     996 (current/max) rules. Util. 0.000%
>  DB 1      Ingr VACL:        0/   12288 (current/max) rules. Util. 0.000%
>  DB 2      Ingr RACL:      410/   32768 (current/max) rules. Util. 1.251%
>  DB 3       Egr PACL:        0/    1024 (current/max) rules. Util. 0.000%
>  DB 4       Egr PCL1:      103/    8188 (current/max) rules. Util. 1.258%
> 
> But you get the gist. :)
> 
> -- 
> Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
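
Added example, not part of the original messages and not Juniper code: a Python parser for the two `show tcam vendor ... rules` output styles quoted above, so the figures can be tracked against a threshold instead of waiting for syslog. It assumes the command output has already been captured as text; the function names and the sample strings (built from figures in the thread) are constructed for illustration.

```python
import re

# Constructed samples, modelled on the two output styles quoted in the thread.
EX3200_SAMPLE = """\
Number of rules as Ingress RACL: 528
Number of rules as   Egress PCL: 135

TCAM utilization: 1326(used), 12938(free), 14264(total)
"""
EX8200_SAMPLE = """\
Instance 4
 DB 0      Ingr PACL:        0/     996 (current/max) rules. Util. 0.000%
 DB 2      Ingr RACL:      410/   32768 (current/max) rules. Util. 1.251%
 DB 4       Egr PCL1:      103/    8188 (current/max) rules. Util. 1.258%
"""

TOTAL_RE = re.compile(r"TCAM utilization:\s*(\d+)\(used\),\s*(\d+)\(free\),\s*(\d+)\(total\)")
COUNT_RE = re.compile(r"Number of rules as\s+(.+?):\s*(\d+)")
DB_RE = re.compile(r"DB\s+\d+\s+(.+?):\s*(\d+)/\s*(\d+)\s+\(current/max\)")

def parse_tcam(text):
    """Parse either output style into totals and per-class rule counts."""
    parsed = {"total": None, "classes": {}}
    for line in text.splitlines():
        if m := TOTAL_RE.search(line):
            used, free, total = map(int, m.groups())
            if used + free != total:
                raise ValueError(f"inconsistent totals: {line.strip()}")
            parsed["total"] = (used, total)
        elif m := DB_RE.search(line):
            parsed["classes"][m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif m := COUNT_RE.search(line):
            # This style gives a count per class but no per-class maximum.
            parsed["classes"][m.group(1)] = (int(m.group(2)), None)
    return parsed

def over_threshold(parsed, threshold_pct):
    """Return [(name, percent)] for every pool at or above threshold_pct."""
    pools = dict(parsed["classes"])
    if parsed["total"]:
        pools["total"] = parsed["total"]
    hits = []
    for name, (used, cap) in pools.items():
        if cap:  # skip pools with no known maximum (or a zero maximum)
            pct = 100.0 * used / cap
            if pct >= threshold_pct:
                hits.append((name, round(pct, 3)))
    return hits

if __name__ == "__main__":
    for label, sample in (("EX3200", EX3200_SAMPLE), ("EX8200", EX8200_SAMPLE)):
        print(label, over_threshold(parse_tcam(sample), 1.0))
```

Where only the overall `TCAM utilization` line is available, the per-class counts are still recorded, which is enough to trend filter growth over time.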



