[j-nsp] Cannot program filter pfe-cos-cl-631-5-1 (type VFP_IL2L3_COS) -TCAM has 0 free entries

Saku Ytti saku at ytti.fi
Fri Oct 21 10:30:51 EDT 2022


On Fri, 21 Oct 2022 at 16:39, Chuck Anderson <cra at fea.st> wrote:

> Also, it appears that when Junos was changed to support DHCP Snooping,
> Dynamic ARP Inspection, and IP Source Guard on trunk ports, even
> though trunk ports are in "trusted" mode by default, the switch is
> learning bindings on the trusted trunk ports (i.e. the uplink) and
> then *programming them into TCAM* at least for IPSG.  If this is true,
> then Junos has created a situation where one cannot deploy IPSG
> effectively unless the switch can scale to the number of entries
> needed for an entire *VLAN* which may have thousands of hosts, rather
> than just the access ports on a single switch stack which would
> normally have only hundreds of hosts or less.

Thank you for the update, and it sounds plausible to me. Features that
cause ingress TCAM consumption can quickly kill EX/QFX scale. It will
be very challenging to run most of the EX/QFX devices in an L3 role, due
to the very modest TCAM, at least if there is any care at all in lo0
and edge filters.

-- 
  ++ytti
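A way to check Chuck's hypothesis on a given switch before blaming TCAM: dump the binding table and count how many entries sit on the trusted uplink versus the local access ports. The script below is an added example, not code from the list thread or from Juniper. It assumes the ELS-style column layout of `show dhcp-security binding` (IP, MAC, VLAN, expiry, state, interface), which may need adjusting for your release, and the sample output and the uplink interface name `xe-0/1/0.0` are constructed.

```python
"""Count DHCP-security bindings per interface from `show dhcp-security binding`
output, to test whether bindings are being learned on the trusted trunk
(uplink) and are therefore consuming IPSG TCAM entries.

Added example, not from the mailing-list thread. The column layout assumed
below (IP, MAC, VLAN, expiry, state, interface) is an assumption about the
ELS-style table; check it against your own output first.
"""
import re
from collections import Counter

# Constructed sample output. A real switch would show hundreds to thousands
# of rows; here two access ports carry one host each and the uplink carries four.
SAMPLE_OUTPUT = """\
IP address        MAC address         Vlan    Expires  State   Interface
10.1.1.11         00:11:22:33:44:01   v100    86300    BOUND   ge-0/0/1.0
10.1.1.12         00:11:22:33:44:02   v100    86250    BOUND   ge-0/0/2.0
10.1.1.101        00:11:22:33:44:10   v100    86100    BOUND   xe-0/1/0.0
10.1.1.102        00:11:22:33:44:11   v100    86090    BOUND   xe-0/1/0.0
10.1.1.103        00:11:22:33:44:12   v100    86080    BOUND   xe-0/1/0.0
10.1.1.104        00:11:22:33:44:13   v100    86070    BOUND   xe-0/1/0.0
"""

# Interfaces configured as trusted uplinks. Hypothetical name for the example.
TRUSTED_UPLINKS = {"xe-0/1/0.0"}

# One binding row: dotted-quad IP, colon-separated MAC, then VLAN, expiry
# seconds, state and the logical interface. Header and blank lines do not match.
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<vlan>\S+)\s+(?P<expires>\d+)\s+(?P<state>\S+)\s+(?P<ifl>\S+)\s*$",
    re.IGNORECASE,
)


def parse_bindings(text):
    """Return one dict per binding row; lines that are not rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def bindings_per_interface(text):
    """Counter of binding entries keyed by logical interface."""
    return Counter(r["ifl"] for r in parse_bindings(text))


def uplink_share(text, trusted=TRUSTED_UPLINKS):
    """Fraction (0.0..1.0) of all bindings that were learned on trusted uplinks.

    A high value means the binding table, and hence the IPSG TCAM footprint,
    is sized by the whole VLAN rather than by this switch's own access ports.
    """
    per_ifl = bindings_per_interface(text)
    total = sum(per_ifl.values())
    if total == 0:
        return 0.0
    return sum(n for ifl, n in per_ifl.items() if ifl in trusted) / total


if __name__ == "__main__":
    for ifl, n in bindings_per_interface(SAMPLE_OUTPUT).most_common():
        tag = "TRUSTED UPLINK" if ifl in TRUSTED_UPLINKS else "access"
        print(f"{ifl:14} {n:5d}  {tag}")
    print(f"uplink share: {uplink_share(SAMPLE_OUTPUT):.0%}")
```

Feed it the real output (for example via `show dhcp-security binding | no-more` pasted into a file) and compare the per-interface counts against the number of hosts actually attached to the stack; if the uplink dominates, the TCAM exhaustion will track the VLAN's host count, not the stack's.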

