Cisco Nexus 6000 Series NX-OS Security Configuration Guide, Release 6.x
Configuring TCAM Carving
Information About TCAM Carving

The Ternary Content-Addressable Memory (TCAM) carving feature uses a template-based approach that enables you to modify the default region sizes of the TCAM. When the switch boots up, you see this default template, unless you have configured any other template. This table lists the types and sizes of various regions in a template.

Table 1 Predefined Built-In Default Template

Region   Size (Entries)   Size (Blocks)   Features
-------  ---------------  --------------  ------------------------------------------------------------
Vacl     1024             16              Ingress VLAN access control list (VACL), egress VACL
Ifacl    1152             18              Ingress interface ACL, ingress Layer 3 physical port/subinterface RACL, egress RACL for all ports, default Control Plane Policing (CoPP)
Qos      448              7               Ingress vlan-qos, ingress system-qos, ingress interface-qos
Rbacl    1152             18              Ingress Layer 3 switch virtual interface (SVI) RACL, ingress Layer 3 port channel/port channel subinterface router access control list (RACL), egress Cisco Trusted Security (CTS)
Span     64               1               Span
Sup      256              4               Sup-rdt
Total    4096             64

Information About User-Defined Templates

In addition to the default template, you can create a maximum of 16 templates (which means that you can have 17 templates at one time). You can specify whatever sizes of ternary content addressable memory (TCAM) regions you want.

You can apply the following operations on each template:

  • Create
  • Modify
  • Delete
  • Commit

Each template can be in one of the following states:

  • Saved
  • Committed

Create

When you create a template, the sizes of its TCAM regions are initialized to the default values, and the template is in the saved state. You can then modify it to change the size of any region. Configure each region size as a multiple of 64, because each TCAM block is 64 entries; if you enter a value that is not a multiple of 64, an error message asks you to enter the value again.

Modify

You can modify any saved template to change the size of any TCAM region, but you cannot set the size of a region to 0. During the modification, the software checks only that the size you entered is on a 64-entry boundary; it does not check the combined size of all regions, so a modified template may not total 4096 entries. The total is validated only when you commit the template.

You can modify a template only when it is in the saved state. After a template is committed, you cannot modify it.

A committed user-defined template returns to the saved state when you service another template (a different user-defined template or the default template) in its place.

To service another user-defined template, enter the following command:

hardware profile tcam resource service-template user-defined-template

To return to the default template, enter the no form of the command against the currently committed template:

no hardware profile tcam resource service-template currently-committed-template

Delete

You can delete any saved template. After you delete a template, all information about the template is lost. A committed template cannot be deleted.

To delete a committed template, first return it to the saved state by servicing another user-defined template or the default template in its place, as described under Modify, and then delete it.

Commit

You can commit any of your user-defined templates or the default template that the software provides. To commit a template, enter the service-template command and then reboot the switch. When you enter the command, the software validates the template. If validation succeeds, the software prompts you to reboot the switch. The template (user defined or default) is applied only after the reboot. If you choose not to reboot, no changes are made to the TCAM regions and no template is committed.

After you commit a template, the system does not reboot automatically; the commit command output asks you to reboot the switch so that the committed template takes effect. After you agree to reboot, the following occurs:

  • The committed template is saved in the startup configuration.
  • The switch reboots.
  • The software uses the committed template.
  • The template is in the committed (running) state.

After the switch reboots, the committed template is applied to all ASICs on the Cisco Nexus device. You cannot commit different templates to different ASICs on the Cisco Nexus device. All saved templates and committed templates along with the size of each region of each template are displayed in the running configuration.

When a template is committed, the software checks the following:

  1. The combined size of all regions in the TCAM is 4096 entries.
  2. The size of each region fits within the TCAM. At any point of time, there is always a running size for the TCAM region. This running size (the current size in the hardware TCAM) is defined by either the default or a user-defined template that was committed and is currently being used as the running template. If you increase the size of a region in a template that is currently being committed, from the current running size, the software checks if there are enough free entries outside the current region (entries that are not allocated to any other region) that can be used to increase the size of the region. If you decrease the size of a region in a template that is currently being committed from the current running size, the software checks to determine if there are enough free entries within the region that can be freed up to reduce the size of the TCAM region. All changes that reduce the sizes of the regions within the template are done before the changes to increase the sizes of regions within the template.
  3. You cannot change the sup-region size to be smaller than 256 entries because the software must have 256 entries to support all features in the sup-region.
  4. The hardware does not support more than 256 entries in the sup-region and span regions. This check is done during validation.

If all these checks pass, the template is committed and you are prompted to apply it by rebooting.

If these checks fail, the commit fails and the template goes back to the saved state. If the commit fails, the commit command output displays the reasons that it failed.

You cannot modify or delete the default template; you can only move it between the saved and committed states. When the default template is committed, it is not displayed in the running configuration. To apply the default template, enter the no form of the service-template command (no hardware profile tcam resource service-template template-name) against the currently committed template. This runs the same validation checks as a commit. If all checks succeed, the software prompts you to reboot the switch; if you agree, the change is saved in the startup configuration and the system reboots, after which the default template is applied. In general, the template in the startup configuration is the one used after a reboot; if the startup configuration holds no committed template, the default template is used.

You create and manage the TCAM carving templates by entering the template manager commands. The template-based TCAM carving CLI is supported in config-sync. Only template creation is supported inside config-sync. Template commit should be performed separately on each switch outside the config-sync context.

Creating a User-Defined Template

Procedure

Step 1  switch# configure terminal
        Enters global configuration mode.

Step 2  switch(config)# hardware profile tcam resource template template-name
        Creates a new template with the default region sizes. A maximum of 16 user-defined templates (plus the default) can be created. The template-name argument can be a maximum of 64 characters.

This example shows how to create a user-defined template named qos-template:

switch# configure terminal
switch(config)# hardware profile tcam resource template qos-template

Modifying a User-Defined Template

Procedure

Step 1  switch# configure terminal
        Enters global configuration mode.

Step 2  switch(config)# hardware profile tcam resource template template-name
        Enters template configuration mode for the named template, creating it with the default region sizes if it does not already exist. A maximum of 16 user-defined templates (plus the default) can be created.

Step 3  switch(config-tmpl)# {vacl vacl-region | ifacl ifacl-region | qos qos-region | rbacl rbacl-region | span span-region}
        Sets the size of the region, in entries. Each TCAM block is 64 entries, so the value must be a multiple of 64.

        • vacl-region: 64 to 3584 entries.
        • ifacl-region: 320 to 3584 entries.
        • qos-region: 64 to 3584 entries.
        • rbacl-region: 64 to 3584 entries.
        • span-region: 64 to 256 entries.

        Note: You cannot set the size of a region to zero. Only a template in the saved state can be modified; the combined size of all regions is checked against the 4096-entry total only when the template is committed.

This example shows how to modify the user-defined template qos-template:

switch# configure terminal
switch(config)# hardware profile tcam resource template qos-template
switch(config-tmpl)# qos 64
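The commit checks described under Commit and the per-region ranges of the template mode command are simple enough to replay offline, which is worth doing because a failed commit is only discovered after the template has been built and a reboot window scheduled. The script below is an added example, not Cisco code or output: it encodes the page's constants (64-entry blocks, a 4096-entry TCAM, the region ranges, the default template of Table 1), checks a candidate template the way the text says the switch does at commit time, and reproduces the stated apply order (all shrinks before any grows). The function names are this example's own. It also shows that the page's own modify example, qos 64 on an otherwise default template, would not commit on its own because the total no longer sums to 4096.

```python
"""Offline pre-commit check for a Nexus 6000 TCAM carving template.

Added example, not Cisco code. Region names, limits and the default
template are taken from the page; function names are this example's own.
"""

BLOCK = 64          # one TCAM block is 64 entries
TCAM_TOTAL = 4096   # 64 blocks

# Table 1, the predefined default template, in entries per region.
DEFAULT_TEMPLATE = {
    "vacl": 1024, "ifacl": 1152, "qos": 448, "rbacl": 1152, "span": 64, "sup": 256,
}

# Allowed sizes per region (entries). The template mode command does not
# accept 'sup'; commit rejects anything other than 256 for it.
REGION_RANGES = {
    "vacl": (64, 3584),
    "ifacl": (320, 3584),
    "qos": (64, 3584),
    "rbacl": (64, 3584),
    "span": (64, 256),
    "sup": (256, 256),
}


def blocks(entries):
    """Entries to TCAM blocks (Table 1 lists both columns)."""
    return entries // BLOCK


def validate_template(template):
    """Return the reasons a commit would fail; an empty list means it would pass."""
    errors = []
    unknown = sorted(set(template) - set(REGION_RANGES))
    if unknown:
        errors.append(f"unknown region(s): {unknown}")
    for region, (low, high) in REGION_RANGES.items():
        size = template.get(region)
        if size is None:
            errors.append(f"{region}: no size given")
            continue
        if size <= 0:
            errors.append(f"{region}: size must not be zero")
        elif size % BLOCK:
            errors.append(f"{region}: {size} is not a multiple of {BLOCK}")
        if not low <= size <= high:
            errors.append(f"{region}: {size} outside {low}..{high}")
    total = sum(size for region, size in template.items() if region in REGION_RANGES)
    if total != TCAM_TOTAL:
        errors.append(f"total {total} entries, must be exactly {TCAM_TOTAL}")
    return errors


def apply_plan(running, proposed):
    """Order in which the switch resizes regions: every shrink, then every grow.

    Returns (steps, ok). Each step is (action, region, old, new, free_after);
    ok is False when a grow needs more entries than the shrinks plus any
    unallocated space in the running template have freed.
    """
    free = TCAM_TOTAL - sum(running.values())
    steps = []
    shrinks = [r for r in proposed if proposed[r] < running.get(r, 0)]
    grows = [r for r in proposed if proposed[r] > running.get(r, 0)]
    for r in shrinks:
        free += running[r] - proposed[r]
        steps.append(("shrink", r, running[r], proposed[r], free))
    for r in grows:
        old = running.get(r, 0)
        need = proposed[r] - old
        if need > free:
            steps.append(("fail", r, old, proposed[r], free))
            return steps, False
        free -= need
        steps.append(("grow", r, old, proposed[r], free))
    return steps, True


if __name__ == "__main__":
    # The page's modify example sets only 'qos 64' and leaves the rest at
    # default, which no longer sums to 4096; commit would reject it.
    only_qos = dict(DEFAULT_TEMPLATE, qos=64)
    print("qos 64 alone:", validate_template(only_qos))
    # Give the freed 384 entries (6 blocks) to ifacl and it passes.
    rebalanced = dict(DEFAULT_TEMPLATE, qos=64, ifacl=1152 + 384)
    print("rebalanced:", validate_template(rebalanced) or "ok")
    for step in apply_plan(DEFAULT_TEMPLATE, rebalanced)[0]:
        print(step)
```

Run it with a dict of the region sizes you intend to configure; anything it reports is something the switch would report at commit time, except that you learn it before the reboot window rather than during it.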

Committing a User-Defined Template

You can commit a user-defined template.

Procedure

Step 1  switch# configure terminal
        Enters global configuration mode.

Step 2  switch(config)# hardware profile tcam resource service-template template-name
        Validates and commits a previously defined template. The command output lists the regions of the template and asks you to reboot; the template takes effect only after the reboot.

Step 3  switch(config)# copy running-config startup-config
        Saves the change persistently across reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to commit a user-defined template:

switch# configure terminal
switch(config)# hardware profile tcam resource service-template qos-template
Details of qos-template:
Region   Features         Size-allocated   Current-usage   Available/free
------------------------------------------------------------------------
vacl     vacl             1024             1024            0
         svi racl
ifacl    pacl             2048             1024            1024
         l3 racl
qos      interface qos    256              256             0
         vlan qos
         system qos
rbacl    cts              64               32              32
span     interface span   512              512             0
         vlan span
sup      sup rdt          192              192             0
         copp
switch(config)# copy running-config startup-config
        
        
        What to Do Next

        Reboot the system.
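The Details table that the service-template command prints is the only per-region usage view the chapter shows, and it is what you would capture before agreeing to the reboot. The script below is an added example, not Cisco code: it parses a table laid out like the page's commit example (a region row carrying the three counters, followed by indented continuation rows for the region's other features) and flags regions whose counters are inconsistent or whose Available/free is 0. The sample text is constructed to match the page's layout; the column names are the page's, while the function names and the choice to call a zero-free region "full" are this example's own.

```python
"""Parse the 'Details of <template>' table printed by
'hardware profile tcam resource service-template' and audit it.

Added example, not Cisco code. SAMPLE_OUTPUT is constructed to match the
layout shown on the page; function names are this example's own.
"""
import re

# Constructed sample, laid out like the page's commit example.
SAMPLE_OUTPUT = """\
Details of qos-template:
Region   Features         Size-allocated   Current-usage   Available/free
------------------------------------------------------------------------
vacl     vacl             1024             1024            0
         svi racl
ifacl    pacl             2048             1024            1024
         l3 racl
qos      interface qos    256              256             0
         vlan qos
         system qos
rbacl    cts              64               32              32
span     interface span   512              512             0
         vlan span
sup      sup rdt          192              192             0
         copp
"""

# A region row: name, first feature, then the three integer counters.
ROW = re.compile(
    r"^(?P<region>\S+)\s+(?P<feature>.+?)\s+(?P<alloc>\d+)\s+(?P<used>\d+)\s+(?P<free>\d+)\s*$"
)
# A continuation row: indented, carrying only another feature name.
CONT = re.compile(r"^\s+(?P<feature>\S.*?)\s*$")


def parse_template_details(text):
    """Return {region: {'features': [...], 'allocated': n, 'used': n, 'free': n}}."""
    regions = {}
    current = None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            current = m["region"]
            regions[current] = {
                "features": [m["feature"].strip()],
                "allocated": int(m["alloc"]),
                "used": int(m["used"]),
                "free": int(m["free"]),
            }
            continue
        m = CONT.match(line)
        if m and current is not None:
            regions[current]["features"].append(m["feature"])
    return regions


def audit_regions(regions, tcam_total=4096):
    """Findings worth reading before agreeing to the reboot that applies the template."""
    findings = []
    for name, r in regions.items():
        if r["allocated"] != r["used"] + r["free"]:
            findings.append(
                f"{name}: allocated {r['allocated']} != used {r['used']} + free {r['free']}"
            )
        if r["free"] == 0:
            findings.append(
                f"{name}: full ({', '.join(r['features'])}); enlarging it needs another commit and reboot"
            )
    total = sum(r["allocated"] for r in regions.values())
    if total != tcam_total:
        findings.append(f"allocated total {total} != TCAM size {tcam_total}")
    return findings


if __name__ == "__main__":
    parsed = parse_template_details(SAMPLE_OUTPUT)
    for finding in audit_regions(parsed):
        print(finding)
```

Feed it the captured command output instead of SAMPLE_OUTPUT. A region reported with no free entries is one you will have to resize with a further template, commit and reboot, so it is better noticed now than after the ACL or SPAN change that needs the space.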

Deleting a Template

After creating a template, you can delete it. Deleting removes all information about the template from the software.

Procedure

Step 1  switch# configure terminal
        Enters global configuration mode.

Step 2  switch(config)# no hardware profile tcam resource template template-name
        Deletes a user-defined template. Only templates in the saved state can be deleted: the committed (running) template cannot be deleted until another template is serviced in its place, and the default template cannot be deleted at all.

This example shows how to delete a template:

switch# configure terminal
switch(config)# no hardware profile tcam resource template qos-template

Verifying the TCAM Carving Configuration

To display TCAM carving configuration information, enter one of the following commands:

Command                                                        Purpose
-------------------------------------------------------------  -----------------------------------------
show hardware profile tcam resource template                   Displays all templates.
show hardware profile tcam resource template template-name     Displays the named user-defined template.
show hardware profile tcam resource template default           Displays the default template.