VxBlock: Guidelines for TCAM Usage with Cisco Nexus Switch

Facts:

• Cisco Nexus 9000
• TCAM

Information: 

TCAM Usage issue:
Example: A customer wants to create MAC PACLs to support the HSRP isolation. When they attempt to assign TCAM space to the mac-ifacl region, they receive the below error: 

# hardware access-list tcam region mac-ifacl 256
ERROR: Aggregate TCAM region configuration exceeded the available Ingress TCAM slices. Please re-configure.

Current Default TCAM utilization of customer:

# sh sys int acce globals | egrep -i '[0-9]+ +[0-9]+ +[1-9][0-9]+|--' 
---------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------- 
---------------------------------------------------------------------------------------------                              IPV4 PACL [ifacl](   1)       3        0      512        1                            IPV4 Port QoS [qos](   4)       6     3072      256        2                               IPV4 VACL [vacl](  13)      15      512      512        1                               IPV4 RACL [racl](  19)      21     1024      512        1                                 Ingress System(  37)       1     2048      256        2                                    SPAN [span](  39)       2     3584      256        1                            Ingress COPP [copp](  40)      40     2560      256        2                            Redirect [redirect](  44)      46     1536      512        1 
VPC Convergence/ES-Multi Home [vpc-convergence]( 54)      57     4096      256        1

Recommendation 1: 
The mac-ifacl feature that is required is a double-sized block. This requires two slices of either 256 or 512 bytes.

From the current configuration, notice that we are not using IPv4 Port QoS [qos]. We can take that double size feature and assign it to mac-ifacl with two commands:

# hardware access-list tcam region qos 0
WARNING: On module 1, 4 entries are in use in the region IPV4 Port QoS [qos] on instance 0, but carving size is 0 [0*2].
Warning: Please save config and reload the system for the configuration to take effect

 

# hardware access-list tcam region mac-ifacl 256
Warning: Please save config and reload the system for the configuration to take effect

After the reload:

9396-a# sh sys int acce globals | egrep -i '[0-9]+ +[0-9]+ +[1-9][0-9]+|--'

                             IPV4 PACL [ifacl](   1)       3        0      512
      1
                          MAC PACL [mac-ifacl](   3)       5     3072      256
      2
                              IPV4 VACL [vacl](  13)      15      512      512
      1
                              IPV4 RACL [racl](  19)      21     1024      512
      1
                                Ingress System(  37)       1     2048      256
      2
                                   SPAN [span](  39)       2     3584      256
      1
                           Ingress COPP [copp](  40)      40     2560      256
      2
                           Redirect [redirect](  44)      46     1536      512
      1
VPC Convergence/ES-Multi Home [vpc-convergence]( 54)      57     4096      256

Both features are configured. Follow this template to achieve the goal.

 

Recommendation 2:
Take the two 512 slices from RACL and assign that space to mac-ifacl. This gives us an available 256 slice so we can assign that available slice to any other single-width feature.
 

Recommendation 3:
Another possibility is to set SPAN to 0. This leaves us with two 256-bytes slices that we can allocate to the double-width feature mac-ifacl.