Cisco Catalyst 3550 Series Switches

Understand and Configure the Switching Database Manager on Catalyst 3550 Series Switches

Document ID: 23304

Updated: Dec 09, 2005



This document provides an overview of the Switching Database Manager (SDM) on the Catalyst 3550 series Layer 3 (L3) switches. It also provides some SDM configuration examples and troubleshooting tips based on common deployments. The SDM is implemented in all versions of Cisco IOS® Software for the Catalyst 3550.



There are no specific requirements for this document.

Components Used

The information in this document is based on Cisco IOS Software Release 12.1(9)EA1.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Overview of the Switching Database Manager

The SDM in the Catalyst 3550 series L3 switches manages the Layer 2 (L2) and L3 switching information that is maintained in the Ternary Content Addressable Memory (TCAM). The TCAM is used for forwarding lookups.

The TCAM is a specialized piece of memory designed for rapid table lookups by the Access Control List (ACL) engine on the Catalyst 3550 switches. The ACL engine performs ACL lookups based on packets passing through the switch. The result of the ACL engine lookup into the TCAM determines how the switch handles a packet. For example, the packet might be permitted or denied. The TCAM has a limited number of entries that are populated with mask values and pattern values. There is one mask for eight entries in the TCAM. For more information about TCAM, refer to Understanding ACL Merge Algorithms and ACL Hardware Resources on Cisco Catalyst 6500 Switches.

The main issues users face when configuring ACLs on Catalyst 3550 family switches are resource contention and exhaustion. Because the Catalyst 3550 switches enforce several types of ACLs in hardware rather than in software, the switch programs hardware lookup tables and various hardware registers in the TCAM subsystem. When a packet arrives, the switch can perform a hardware table lookup and take the appropriate action.


The Catalyst 3550 uses a TCAM subsystem that is shared between L2 and L3 forwarding entries, Router Access Control Lists (RACLs), VLAN Access Control Lists (VACLs), and Quality of Service (QoS) ACLs. Depending on the Catalyst 3550 switch, it has from one to three TCAM subsystems.

Table 1: TCAM Subsystems


Depending on the type of entry, only one or all TCAM subsystems have a copy of the entry. For example, all security (VACLs and RACLs) and L2 entries are stored in all TCAM subsystems on the Catalyst 3550 switch. However, QoS ACLs are only programmed into the TCAM subsystem to which the interface is attached.

Below is a diagram of how the TCAM is divided.

Figure 1: TCAM Table Structure


  • Layer 2 Learning holds the information about the port learning policies. For example, the regular access, secure, and dynamic VLAN ports each have a different learning policy.

  • Layer 2 Forwarding holds the information about learned unicast and multicast addresses.

  • Layer 3 Routing is used for unicast and multicast route lookups.

  • The ACL and QoS Tables hold the information on how to identify the traffic according to security and QoS ACLs.

Switch Database Manager Templates

Because the Catalyst 3550 can be used in many different applications, flexibility in TCAM subsystems resource allocation is vital. To this end, there are predefined SDM templates that can be used to divide the TCAM to suit the use of the Catalyst 3550. The available hardware resources differ on the different versions of the Catalyst 3550 switches. The tables below show the SDM templates, based on Cisco IOS Software Release 12.1(8) EA1; it is recommended that all Catalyst 3550 switches be upgraded to this release or a later one.

Table 2: Catalyst 3550-12G and 3550-12T SDM Templates


Table 3: Catalyst 3550-24 and 3550-48 SDM Templates



  • All templates are predefined. There is no way to edit a template.

  • A switch reload is required to use a new SDM template.

  • The ACL merge algorithm, as opposed to the original Access Control Entries (ACEs) configured by the user, generates the number of TCAM entries listed for security and QoS ACEs. Refer to the Merge Algorithms section of this document for more details.

  • The number of Switched Virtual Interfaces (SVIs)—that is, the number of routed interfaces—is the recommended number for each platform. The software does not limit the number of SVI ports, but as the number of ports increases, the available resources decrease.

  • Choosing the VLAN template disables routing. (The number of entries for unicast or multicast routes is zero.)

An SVI represents a VLAN of switch ports as one interface to the routing or bridging function in the system. Only one SVI can be associated with a VLAN; however, you need to configure an SVI for a VLAN only when you wish to route between VLANs, fallback-bridge nonroutable protocols between VLANs, or to provide IP host connectivity to the switch. By default, an SVI is created for the default VLAN (VLAN 1) to permit remote switch administration. Additional SVIs must be explicitly configured. In L2 mode, SVIs provide IP host connectivity only to the system. In L3 mode, you can configure routing across SVIs.

Resource Exhaustion

The different resources within the TCAM subsystem are limited. Depending on the configuration of the network and the Catalyst 3550, these resources may be exhausted. If this happens, one or more of the following may occur:

  • For Layer 2 Forwarding and Learning, a new learned address is flooded to all ports within the ingress VLAN. This is consistent with the operation of a bridge when the forwarding table is full. The Catalyst 3550 does not have the option of a network drain port to disable learning on specific interfaces.

  • For Layer 3 Routing, any L3 unicast and multicast routes are learned only in software and not programmed into the TCAM. This results in slower software-based forwarding (routing) of packets between VLANs. The Catalyst 3550 can store considerably more L3 routes in software than the SDM template allows, but this is not recommended because performance decreases and CPU utilization increases.

Because the Catalyst 3550 allows only one ACL lookup each on ingress and egress for security ACLs, VACLs and RACLs must be merged into one compiled ACL in the TCAM. The following sequence occurs:

  • If the RACL and a VACL are being merged and compiled into the TCAM, the compiler attempts to fit either one into the TCAM.

  • If the merge fails, the Catalyst 3550 attempts to fit the VACL and a simplified RACL in the TCAM, which essentially sends all routed packets to the CPU for filtering there.

  • If the RACL fits into the TCAM, but the VACL does not, only the RACL is processed in hardware. The VACL is processed through the CPU.

  • If either the RACL or a VACL is being compiled into the TCAM and does not fit, the entire RACL or VACL is unloaded from hardware. All processing is done through software. If neither the RACL nor VACL can individually fit into the TCAM, both are processed through software.

  • If a QoS ACL (IP ACL or MAC ACL) is being compiled into the TCAM and does not fit, the entire QoS ACL is unloaded from hardware. All processing is done through software.

Merge Algorithms

The entries in the TCAM are transformed from the order-dependent ACEs configured in the Command Line Interface (CLI) into order-independent entries that are organized to return a hit based on longest match, with the first hit returning the result.

Two different merge algorithms are available: order independent and order dependent. Cisco IOS Software releases earlier than 12.1(9)EA1 use the order-independent algorithm. Cisco IOS Software from 12.1(9)EA1 on uses the order-dependent merge (ODM) algorithm. This algorithm does not result in any significant operational differences for configurations using the old algorithm that fit into the hardware. However, many configurations that previously did not fit now fit in the hardware because of the new merge algorithm. This algorithm is enabled by default and is not configurable.

Example of the Switching Database Manager Configurations

To check the current SDM template, issue the show sdm prefer command.

3550-12T# sh sdm prefer 
 The current template is default template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 16 routed interfaces and 1K VLANs. 

 number of unicast mac addresses:   6K
 number of igmp groups:             6K
 number of qos aces:                2K
 number of security aces:           2K
 number of unicast routes:          12K
 number of multicast routes:        6K

3550-12T# sh sdm prefer vlan
 vlan template:
 The selected template optimizes the resources in
 the switch to support this level of features for
 16 routed interfaces and 1K VLANs. 

 number of unicast mac addresses:   12K
 number of igmp groups:             6K
 number of qos aces:                2K
 number of security aces:           2K
 number of unicast routes:          0  
 number of multicast routes:        0

Note: No space is reserved for the unicast or multicast entries.
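
Before committing to a template change, it helps to compare the two captures above mechanically. The following Python sketch is an added example, not Cisco code: it parses both show sdm prefer outputs from this page and reports every allocation that changes. The function names are hypothetical, and treating "K" as 1024 is an assumption.

```python
import re

# Captures copied from this page (3550-12T, default and VLAN templates).
DEFAULT = """\
 number of unicast mac addresses:   6K
 number of igmp groups:             6K
 number of qos aces:                2K
 number of security aces:           2K
 number of unicast routes:          12K
 number of multicast routes:        6K
"""
VLAN = """\
 number of unicast mac addresses:   12K
 number of igmp groups:             6K
 number of qos aces:                2K
 number of security aces:           2K
 number of unicast routes:          0
 number of multicast routes:        0
"""

ROW = re.compile(r"^\s*number of (?P<name>[^:]+):\s*(?P<n>\d+)(?P<k>K?)\s*$", re.I)

def parse_template(text):
    """Map resource name -> entry count (assumption: K means 1024)."""
    out = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            out[m["name"].strip()] = int(m["n"]) * (1024 if m["k"] else 1)
    return out

def template_diff(current, candidate):
    """Return {resource: (old, new, note)} for every allocation that changes."""
    cur, new = parse_template(current), parse_template(candidate)
    diff = {}
    for name in cur.keys() | new.keys():
        a, b = cur.get(name, 0), new.get(name, 0)
        if a != b:
            # A resource that drops to zero is turned off by the new template.
            note = "disabled" if b == 0 else ("reduced" if b < a else "increased")
            diff[name] = (a, b, note)
    return diff
```

For the two captures above, the diff shows the MAC address space doubling while both route tables drop to zero, and the security and QoS ACE allocations do not appear because they are unchanged.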

3550-12T# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
3550-12T(config)# sdm prefer vlan
Changes to the running SDM preferences have been stored, but cannot take effect 
until the next reload.
Issue show sdm prefer to see what SDM preference is currently active.

Note: Use caution when issuing the sdm prefer vlan command, because any current L3 configuration data is not saved after a reload.

3550-12T# copy running-config startup-config
3550-12T# reload

The VLAN SDM template can easily be recognized by issuing the show version command and viewing the output after the reload.

3550-12T# sh ver
Running Layer2 Switching Only Image

The new SDM template is VLAN.

3550-12T# sh sdm prefer
 The current template is vlan template.

For more details on how to work with the SDM profiles, refer to Administering the Switch.


I cannot configure IP routing using an L3 image.

The following may happen if you try to configure IP routing on the Catalyst 3550 series switch:

Enter configuration commands, one per line.  End with CNTL/Z.
3550-12T(config)# ip routing
% Invalid input detected at '^' marker.

3550-12T(config)# router ospf 1
% Invalid input detected at '^' marker.

The reason for results like those shown above may be that you are using the VLAN SDM template, which allows zero unicast and multicast routing entries. In this case, choose any other SDM template and reload the switch.

%FM-3-UNLOADING: Unloading output label 1 feature

The probable reason for this is that an ACL, after being optimized by the TCAM merge algorithm, requests more resources than are available for the given template.

To determine how full a particular region in a particular TCAM subsystem is, issue the show tcam [inacl | outacl | qos] cam_number statistics command.

To identify which TCAM subsystem number is to be used, refer to Table 1.

3550-12T# sh tcam inacl 1 statistics 
Ingress ACL TCAM#1: Number of active labels: 3
Ingress ACL TCAM#1: Number of masks   allocated:   14, available:  810
Ingress ACL TCAM#1: Number of entries allocated:   17, available: 6575

To find out the VLAN label or port label being used for the configuration of the interface or VLAN, issue the show fm interface name or show fm vlan id command.

3550-12T# sh fm int gi 0/1
Input VLAN Label: 1
Output VLAN Label: 1
Priority: normal

To find out how much TCAM space is allocated to that label, issue the show tcam [inacl | outacl] cam_number [vlan-label | port-label] number command.

3550-12T# sh tcam inacl 1 vlan-labels 1
Label Value :       8193(vlan label 1)
Number of entries : 19

Note: The port-label keyword is used to determine the Port-based Access List (PACL) label. The VLAN label is used for RACL or VACL.
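
To watch for ACL regions approaching the point where the switch unloads them to software, the statistics output can be parsed and checked against a threshold. This Python sketch is an added example, not Cisco code; the function names and the 80 percent threshold are assumptions, and the second sample is constructed for illustration.

```python
import re

# Capture copied from the "show tcam inacl 1 statistics" output on this page.
# Its totals (824 masks, 6592 entries) match the one-mask-per-eight-entries ratio.
SAMPLE = """\
Ingress ACL TCAM#1: Number of active labels: 3
Ingress ACL TCAM#1: Number of masks   allocated:   14, available:  810
Ingress ACL TCAM#1: Number of entries allocated:   17, available: 6575
"""
# Constructed sample (not from the page): masks nearly gone, entries still free.
NEAR_FULL = """\
Ingress ACL TCAM#1: Number of active labels: 40
Ingress ACL TCAM#1: Number of masks   allocated:  800, available:   24
Ingress ACL TCAM#1: Number of entries allocated: 2100, available: 4492
"""

LINE = re.compile(
    r"^(?P<region>.+?) TCAM#(?P<cam>\d+): Number of (?P<kind>masks|entries)\s+"
    r"allocated:\s*(?P<alloc>\d+), available:\s*(?P<avail>\d+)\s*$"
)

def parse_tcam_statistics(text):
    """Return {(region, cam): {"masks": (alloc, avail), "entries": (alloc, avail)}}."""
    stats = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            key = (m["region"], int(m["cam"]))
            stats.setdefault(key, {})[m["kind"]] = (int(m["alloc"]), int(m["avail"]))
    return stats

def check(text, threshold=0.80):
    """List (region, cam, kind, used_fraction) for each resource at or above threshold."""
    findings = []
    for (region, cam), res in parse_tcam_statistics(text).items():
        for kind, (alloc, avail) in res.items():
            total = alloc + avail
            used = alloc / total if total else 1.0
            # Masks and entries are counted separately, so either can run out first.
            if used >= threshold:
                findings.append((region, cam, kind, round(used, 3)))
    return findings
```

The constructed sample shows why both counters need checking: the entry count looks healthy while the mask pool is almost exhausted.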

Workaround: If the ACL is using too much space, the following workarounds exist:

  1. Optimize the access list as follows:

    • Remove any entries that are used only for logging purposes.

    • Remove any entry that could be covered by explicit deny at the end.

  2. Use an SDM template that allows more entries for the specific region.

  3. Upgrade to Cisco IOS Software Release 12.1(9)EA1 or later, which uses the more predictable ODM algorithm.

If the problem continues, please collect the output of the following commands before contacting Cisco Technical Support:

  • show tech-support

  • show sdm prefer

  • show fm {interface | vlan} name

  • show fm {vlan-label | port-label} number

  • show l2tcam

  • show l3tcam

  • show tcam {inacl | outacl | qos} {tcam number} statistics
