Understanding mls acl tcam share-global Command


Tue, 07/31/2012 - 03:16

Introduction

The mls acl tcam share-global command enables the static sharing feature. With static sharing, only one copy of the PACL/ACL and inherited VLAN-based feature ACLs is stored in the TCAM for all ports using the same ACL set, freeing TCAM space for more ACLs. Note that this command shares only the global default ACLs, not the banks. The bank that is chosen, and the features that can share the same bank, depend on the feature configuration. If the TCAM runs out of hardware space for ACLs, any new ACL is processed by the CPU, driving CPU utilization high.

Example

For example, the Sup720-3BXL has two TCAM banks in parallel, so features generally use only one of these banks at a time. Two banks are provided to handle multiple features per interface at a time. Consider a configured RACL, which is a single feature set: it uses one bank (Bank0), and consequently when that bank is exhausted (reaching 50% of total capacity) it throws an error.

The workaround for this issue could be adding the mls acl tcam share-global command, which acts upon the GLOBAL DEFAULT ACLs (deny any any) in TCAM between Bank0 and Bank1, leaving space for newly added ACLs in your setup. When the no form of the command is enabled, a unique deny any ACE is used per ACL if the user configures an explicit deny any terminating an ACL; otherwise, a single entry is used for all ACLs (saving TCAM space but losing per-ACL deny any counters).

The TCAMs are in the PFC of the supervisor engine, not in the linecards. (DFC linecards download this information from the PFC.)
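As an added example (not part of the original document and not Cisco tooling), the following Python script parses show tcam counts output and flags ACL TCAM usage approaching the 50% single-bank ceiling described above, before new ACLs fall back to CPU processing. The sample output is constructed, and its column layout, the used + free total, and the 5-point warning margin are assumptions.

```python
import re

# Constructed sample; column layout assumed to follow `show tcam counts` on a Sup720.
SAMPLE = """\
           Used        Free        Percent Used       Reserved
           ----        ----        ------------       --------
 Labels:(in)  43        4029            1
 Labels:(eg)   2        4070            0

ACL_TCAM
--------
  Masks:    1920        2176           46                    72
Entries:   15729       17039           48                   576

QOS_TCAM
--------
  Masks:      22        4074            0                    18
Entries:      32       32736            0                   144
"""

ROW = re.compile(r"^\s*(Masks|Entries):\s+(\d+)\s+(\d+)\s+(\d+)")

def parse_tcam_counts(text):
    """Return {section: {"Masks": (used, free), "Entries": (used, free)}}."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("_TCAM"):          # section header, e.g. ACL_TCAM
            current = sections.setdefault(stripped, {})
            continue
        m = ROW.match(line)
        if m and current is not None:           # ignore rows outside a section
            current[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return sections

def acl_tcam_alerts(text, single_bank_limit=50.0, margin=5.0):
    """Flag ACL_TCAM resources near the one-bank (50% of total) ceiling."""
    alerts = []
    for resource, (used, free) in parse_tcam_counts(text).get("ACL_TCAM", {}).items():
        pct = 100.0 * used / (used + free)      # assumption: total = used + free
        if pct >= single_bank_limit - margin:
            alerts.append((resource, round(pct, 1)))
    return sorted(alerts)

if __name__ == "__main__":
    for resource, pct in acl_tcam_alerts(SAMPLE):
        print(f"ACL_TCAM {resource} at {pct}% of total; one bank is nearly full")
```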

For the command reference, refer to mls acl tcam share-global.

Source: https://supportforums.cisco.com/thread/2112863

References

Supervisor 720 Dual-Bank Security ACL TCAM Architecture

