TCAM and ACL

nik.leckuthai
Level 1

C7606-S#sh platform hardware acl global-config 
CM global configurations:

Update mode: hitless

Default result: deny

Match L4 protocols:
Real protocol value: 47, encoded value: 9

Reserved QoS Banks:
Current 1 banks
Latest set 1 banks
After next reload 1 banks

Rbacl is not enabled
Sgt-dgt region 45%, any-any region 5%

Hardware consistency checker is ON

TCAM expandable logic is OFF

Acl logging is DISABLED

Does anybody know how to turn on TCAM expandable logic and ACL logging?

Thank you

Accepted Solution

Peter Paluch
Cisco Employee

Nik,

The TCAM expandable logic is related to L4 operations (matching on L4 port numbers) only, and can be activated using

platform hardware acl tcam-exp-logic enable

This is mentioned at the bottom of the following document:

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/118649-technote-lou-00.html#anc6

Please beware that using this command may result in increased TCAM L4Ops utilization; therefore, you should know very well why you want to configure this command beforehand. Configuring it just because it may seem a good idea might not be a good approach.

The ACL logging referred to in your original post is in fact a logging of ACL updates and is not related to a possible log keyword in ACL entries; this logging can be enabled using

platform software acl log-update rate-limit-msg { disable | enable }

with the disable and enable keywords enabling or disabling the rate-limiting of resulting syslog messages.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/commands/additional_commands/cmds2.html#pgfId-1142619

As you did not explain why you need to activate these two features, the suitability of using these two commands depends exclusively on you, including the potential risks.

Best regards,
Peter

7 Replies

Thank you Peter. Also, do you know a way to see matches on an ACL for the 7606-S? I have a Sup2T card installed but I don't see matches on the ACL.

C7606-S#sh access-lists
Extended IP access list AMP_HTTP_TRAFFIC
10 permit tcp 10.99.7.0 0.0.0.255 any eq www log
20 permit tcp any eq www 10.99.7.0 0.0.0.7 log

 

"show tcam" is an unknown command on my 7606-s

 

Thanks again

Hi Nik,

Try this:

show platform hardware acl entry interface interface_name security in ip

If you are using VSS, you will also need to add the switch and module keywords at the end of this command.

By the way, it is strongly discouraged to use the log keyword in ACL entries. This causes the traffic to be processed by CPU, risking CPU load spikes. If at all possible, do not use the log keyword with ACLs.

Best regards,
Peter

 

Thank you so much Peter.

Also, do you know a way to see matches on a route-map? Traffic is being redirected but I don't see matches on the route-map.

C7606-S#sh route-map
route-map AMP_REDIRECT, permit, sequence 1
Match clauses:
ip address (access-lists): AMP_HTTP_TRAFFIC
Set clauses:
ip next-hop verify-availability 192.168.201.2 1 track 100 [up]
Policy routing matches: 0 packets, 0 bytes
route-map AMP_REDIRECT, permit, sequence 2
Match clauses:
ip address (access-lists): AMP_HTTP_TRAFFIC1
Set clauses:
ip next-hop verify-availability 192.168.204.100 1 track 21 [up]
Policy routing matches: 0 packets, 0 bytes
C7606-S#

Please help Peter.

Thank you

Hello Nik,

I am sorry for responding late.

I am afraid that there is no way to make the show route-map output display the amounts of PBR-ed packets switched in hardware. On Catalyst switches, the counters in this output only show you the amount of software-switched packets, and these should ideally be at zero (you want all your traffic to be handled by the switching hardware, not by CPU and the IOS).

The only way known to me to verify the hit counters for PBR is again to use the command you already know:

show platform hardware acl entry interface interface-name security in ip

The entries labeled with "Redirect" in the output correspond to the individual ACL entries that are used in a PBR route-map. Consider this example configuration:

ip access-list extended pbrtest
 permit ip host 1.2.3.4 host 5.6.7.8
 permit tcp host 2.3.4.5 host 6.7.8.9 eq 4432
 permit udp host 3.4.5.6 host 7.8.9.0 eq 1234
!
route-map pbrtest permit 10
 match ip address pbrtest
 set ip next-hop 10.1.2.3
!
interface GigabitEthernet5/2
 ip address 10.1.2.1 255.255.255.0
 ip policy route-map pbrtest

The show command would then produce the following output:

Router# show platform hardware acl entry interface gi5/2 security in ip 
[ ... cut ... ]
Permit                ip any 224.0.0.0 15.255.255.255   (7 matches)
Redirect              udp host 3.4.5.6 host 7.8.9.0  fragments
Redirect              udp host 3.4.5.6 host 7.8.9.0 eq 1234  
Redirect              tcp host 2.3.4.5 host 6.7.8.9  fragments
Redirect              tcp host 2.3.4.5 host 6.7.8.9 eq 4432  
Redirect              ip host 1.2.3.4 host 5.6.7.8  
Permit                ip any any  

If there were any hits for these ACL entries that are in turn used to drive the PBR, we would see the match counters in the output (I did not have any matches here, just tested the config).

I believe that this is as good as we can get.

Best regards,
Peter
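Because the hardware hit counters only surface in the "show platform hardware acl entry interface ... security in ip" listing (the command Peter gives in both of his replies above), while the counters in "show route-map" only count CPU-switched packets, anyone monitoring PBR on one of these boxes ends up scraping both outputs. The following Python script is an added example for this thread, not code from the thread or from Cisco: it parses the entry lines in the format shown in Peter's listing, returns the per-ACE hardware hit count for the Redirect (PBR) entries, and flags any route-map sequence whose software counter is non-zero, since on this platform that means traffic is being punted to the CPU. Both sample outputs are constructed and modeled on the listings in this thread; the match counts on the Redirect lines are invented, and the exact column layout of real output on a given IOS release is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample outputs, modeled on the listings in this thread.
# The match counts on the Redirect lines are invented for illustration;
# the exact column layout of a real "show platform hardware acl entry"
# listing on a given IOS release is an assumption.
SAMPLE_ACL_OUTPUT = """\
Router# show platform hardware acl entry interface gi5/2 security in ip
[ ... cut ... ]
Permit                ip any 224.0.0.0 15.255.255.255   (7 matches)
Redirect              udp host 3.4.5.6 host 7.8.9.0  fragments
Redirect              udp host 3.4.5.6 host 7.8.9.0 eq 1234   (1523 matches)
Redirect              tcp host 2.3.4.5 host 6.7.8.9  fragments
Redirect              tcp host 2.3.4.5 host 6.7.8.9 eq 4432   (42 matches)
Redirect              ip host 1.2.3.4 host 5.6.7.8
Permit                ip any any   (99120 matches)
"""

SAMPLE_ROUTE_MAP_OUTPUT = """\
route-map pbrtest, permit, sequence 10
Match clauses:
ip address (access-lists): pbrtest
Set clauses:
ip next-hop 10.1.2.3
Policy routing matches: 17 packets, 1360 bytes
route-map pbrtest, permit, sequence 20
Match clauses:
ip address (access-lists): pbrtest2
Set clauses:
ip next-hop 10.1.2.4
Policy routing matches: 0 packets, 0 bytes
"""


@dataclass
class TcamEntry:
    action: str   # Permit, Deny or Redirect
    match: str    # the ACE text with whitespace normalised
    hits: int     # 0 when the line carries no "(N matches)" suffix


# One TCAM entry line: action, ACE text, optional "(N matches)" suffix.
ENTRY_RE = re.compile(
    r"^(Permit|Deny|Redirect)\s+(.*?)\s*(?:\((\d+) matches\))?\s*$"
)
ROUTE_MAP_RE = re.compile(r"^route-map (\S+), (?:permit|deny), sequence (\d+)")
SW_COUNTER_RE = re.compile(r"^Policy routing matches: (\d+) packets, (\d+) bytes")


def parse_tcam_entries(text: str) -> List[TcamEntry]:
    """Parse the entry lines of 'show platform hardware acl entry ...'.
    The prompt line, '[ ... cut ... ]' and anything else are skipped."""
    entries: List[TcamEntry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        action, ace, hits = m.groups()
        entries.append(TcamEntry(action, " ".join(ace.split()), int(hits or 0)))
    return entries


def pbr_hit_counts(entries: List[TcamEntry]) -> Dict[str, int]:
    """Hardware hit count per Redirect entry, i.e. per ACE that PBR is
    actually steering traffic with. Zero means no packet has hit it."""
    return {e.match: e.hits for e in entries if e.action == "Redirect"}


def software_pbr_counters(text: str) -> Dict[str, int]:
    """Packets per route-map sequence from 'show route-map'. On this
    platform that counter only covers CPU-switched packets, so it is a
    health signal (it should stay at zero), not a measure of PBR traffic."""
    counters: Dict[str, int] = {}
    current = None
    for line in text.splitlines():
        m = ROUTE_MAP_RE.match(line.strip())
        if m:
            current = f"{m.group(1)} seq {m.group(2)}"
            continue
        m = SW_COUNTER_RE.match(line.strip())
        if m and current is not None:
            counters[current] = int(m.group(1))
    return counters


def punted_sequences(text: str) -> List[str]:
    """Route-map sequences whose traffic is being punted to the CPU."""
    return [seq for seq, pkts in software_pbr_counters(text).items() if pkts > 0]


if __name__ == "__main__":
    for ace, hits in pbr_hit_counts(parse_tcam_entries(SAMPLE_ACL_OUTPUT)).items():
        print(f"{hits:>8}  Redirect {ace}")
    for seq in punted_sequences(SAMPLE_ROUTE_MAP_OUTPUT):
        print(f"WARNING: {seq} has software-switched PBR packets")
```

The two "fragments" entries the hardware programs alongside each L4 ACE show up as separate keys; a non-zero count on one of those is worth a look on its own, since fragment handling is where L4-port ACEs are most often bypassed.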

Thank you so much Peter!!!
