New Member

Traffic not leaving vlan

Hi,

I configured a VLAN on a 3750 switch. When I try to access one of that VLAN's servers I don't get any response. I did a capture on that VLAN interface and found that my PC sends the SYN, the server receives it and sends the SYN,ACK back, but this SYN,ACK gets dropped on the VLAN interface and my PC doesn't receive that SYN,ACK message. By the way, there is no L2 or L3 ACL filtering the traffic. In the log I see the following error messages:

13:43:17 CST: %ACLMGR-4-RELOADED: Reloading ACL output label 5 VLAN interfaces 2994 IPv4/Mac feature

13:44:20 CST: %ACLMGR-4-UNLOADING: Unloading ACL output label 5 VLAN interfaces 2994 IPv4/Mac feature

13:44:20 CST: %ACLMGR-4-ACLTCAMFULL: ACL TCAM Full. Software Forwarding packets on Output label 5 on L3 L2

Any idea about what is causing the problem?

Thanks


Traffic not leaving vlan

Sahir,

Can you post the results of 'show sdm prefer'?

What specific model is this 3750 and what IOS is it currently running?

New Member

Traffic not leaving vlan

John,

The device is a Cisco WS-C3750G-48TS.

show sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
  number of unicast mac addresses:                  3K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    11K
    number of directly-connected IPv4 hosts:        3K
    number of indirect IPv4 routes:                 8K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

Re: Traffic not leaving vlan

Sahir,

Sounds like you may need to change your SDM template.

Catalyst 3750 SDM Desktop Template

Resource                            Default   Routing   VLAN
Unicast MAC address                 6K        3K        12K
IGMP groups and Multicast routes    1K        1K        1K
Unicast routes                      8K        11K       0
  • Directly connected hosts        6K        3K        0
  • Indirect routes                 2K        8K        0
PBR ACEs                            0         512       0
QoS ACEs                            512       512       512
Security ACEs                       1K        1K        1K
VLANs                               1K        1K        1K

13:44:20 CST: %ACLMGR-4-ACLTCAMFULL: ACL TCAM Full. <---

Can you post the results of 'show platform acl label 5' and 'show platform tcam utilization'?

New Member

Traffic not leaving vlan

here you go:

show platform acl label 5

IPv4/MAC ACL label
------------------
Unloaded due to lack of space:
  OutputIPVlanMap
Input Op Select Index 4:
Output Op Select Index 0:
Input Features:
  Interfaces or VLANs:  Vl2998
  Vlan Map: S-Private, 242 VMRs.
  Access Group: (none), 0 VMRs.
  Multicast Boundary: (none), 0 VMRs.
uRPF : (none), 0 VMRs.
Output Features:
  Interfaces or VLANs:  Vl2994
  Bridge Group Member: no
  Vlan Map: IS-Private, 183 VMRs.
  Access Group: (none), 0 VMRs.

IPv6 ACL label
--------------
Input Op Select Index 4:
Output Op Select Index 0:
Input Features:
  Interfaces or VLANs:  Vl2998
  Traffic Filter: (none), 0 VMRs.
uRPF ACL:
  uRPF ACL : (none), 0 VMRs.
Output Features:
  Interfaces or VLANs:  Vl2994
  Traffic Filter: (none), 0 VMRs.

Re: Traffic not leaving vlan

Can you post the following command?

'show platform tcam utilization'

But it looks like you will need to change your SDM template.

New Member

Traffic not leaving vlan

show platform tcam utilization

CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
Unicast mac addresses:                        400/3200         27/129
IPv4 IGMP groups + multicast routes:          152/1216          7/27
IPv4 unicast directly-connected routes:       400/3200         27/129
IPv4 unicast indirectly-connected routes:    1040/8320        383/2967
IPv4 policy based routing aces:               384/512          20/36
IPv4 qos aces:                                768/768         324/324
IPv4 security aces:                          1024/1024        992/992

Note: Allocation of TCAM entries per feature uses
a complex algorithm. The above information is meant
to provide an abstract view of the current TCAM utilization

Re: Traffic not leaving vlan

Sahir,

Here is your problem.

IPv4 security aces:                          1024/1024        992/992

Your current SDM profile does not allow for any more ACEs.

From what I understand, I don't think you can go any higher earlier on the 3750s than 1k.

You could try cleaning up some entries.

Here is a good link for you.

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/44921-swdatabase-3750ss-44921.html

New Member

Traffic not leaving vlan

John,

I think you are right, the SDM profile is the issue. I will clear some of the entries and see if that will help.

I appreciate your help.

Thanks a lot.

Sahir

New Member

Traffic not leaving vlan

John,

For unicast routes in the table, for example the 8k that is divided into 6k and 2k for directly connected hosts and indirect routes: is the 8k a shared value, or is it restricted for each of the resources? For example, if the indirect routes exceed 2k, will they use any of the other 6k resources?

Catalyst 3750 SDM Desktop Template

Resource                            Default   Routing   VLAN
Unicast MAC address                 6K        3K        12K
IGMP groups and Multicast routes    1K        1K        1K
Unicast routes                      8K        11K       0
  • Directly connected hosts        6K        3K        0
  • Indirect routes                 2K        8K        0
PBR ACEs                            0         512       0
QoS ACEs                            512       512       512
Security ACEs                       1K        1K        1K
VLANs                               1K        1K        1K

New Member

Traffic not leaving vlan

Is this issue resolved?

New Member

Traffic not leaving vlan

Yes, since it needs the SDM template to be changed, but my last question is about the unicast routes, because I have more than 2k indirect routes, and if I change the SDM template to access I will drop from 8k for indirect routes to 2k, which will lead to another routing issue, unless the unicast routes are shared resources, which will fix everything.
