Cisco Support Community
mls acl tcam share-global

Hi,

Any idea about this command:

mls acl tcam share-global

What does share-global mean? Does it mean sharing of TCAM memory among all line cards, or something else?

Regards

Mahesh

1 ACCEPTED SOLUTION

Cisco Employee

Re: mls acl tcam share-global

Hello Mahesh,

The "mls acl tcam share-global" command enables the static sharing feature. With static sharing, only one copy of the PACL/ACL and inherited VLAN-based feature ACLs is stored in the TCAM for all ports using the same ACL set, freeing TCAM space for more ACLs. Please be clear that only the global default ACLs are shared, not the banks. The bank that gets chosen and the features that can share the same bank depend on the feature configuration.

If the TCAM runs out of hardware space for ACLs, any new ACL will be processed by the CPU, causing it to go high.

For example:

The Sup720-3BXL has two TCAM banks in parallel, so features generally use only one of these banks at a time. Two banks are provided to handle multiple features per interface at a time. Consider that you have configured a RACL, which is a single feature set: it uses one bank (Bank0), and consequently, when that bank is exhausted (reaching 50% of total capacity), it throws an error.

The workaround for this issue could be adding the "mls acl tcam share-global" command, which will act upon the GLOBAL DEFAULT ACLs (deny any any) in TCAM between Bank0 and Bank1, leaving space for newly added ACLs in your setup. When no form of the command is enabled, a unique deny any ACE will be used per ACL if the user configures an explicit deny any terminating an ACL; else, we will just use a single entry for all ACLs (saving TCAM space but losing per-ACL deny any counters).

The TCAMs are in the PFC of the supervisor engine and not in the line cards. (DFC line cards download this information from the PFC.)

Please see this link for a bit more of an explanation around the Banks and their usage:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml#wp43140

Thanks,

Richard

*Rate useful posts

Message was edited by: Richard Michael

7 REPLIES

mls acl tcam share-global

Sorry Alex,

It does not answer my query.

Regards

Mahesh

mls acl tcam share-global

Hi Richard,

Because the link is not opening, I assume you mean the following document:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml#wp43140

Best regards,

Alex

Cisco Employee

mls acl tcam share-global

That's right, Alex.

Thanks,

Richard

mls acl tcam share-global

Hi Richard,

Just to summarize.

We have an identical copy of the ACL in both banks for parallel lookup. By combining both, we may have a single copy across both banks, so we have double the memory and can avoid the TCAM resource exhausted log message.

Is there any drawback to this command? I am thinking of using it on around 350+ 7600 routers (they are with SUP-720-3CXL).

Regards

Mahesh

Cisco Employee

mls acl tcam share-global

Hello Mahesh,

Enabling this command shouldn't cause any issue in the network. It's worth issuing when you have huge sets of ACL/RACL/PACL/PBR in your setup. The TCAM banks can be managed in a much more effective way. I guess you have got a huge project to work on.

Thanks,

Richard.
