This document provides an overview of the Switching Database Manager (SDM) on the Catalyst 3750 series Layer 3 (L3) switches, and provides some SDM configuration examples and troubleshooting tips based on common deployments. The SDM is implemented in all versions of Cisco IOS® Software for the Catalyst 3750.
There are no specific requirements for this document.
The information in this document is based on this software version:
Cisco IOS Software Release 12.1(14)EA1
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
The SDM on the Catalyst 3750 series L3 switches manages the Layer 2 (L2) and L3 switching information that is maintained in the Ternary Content Addressable Memory (TCAM). The TCAM is used for forwarding lookups.
The TCAM is a specialized piece of memory designed for rapid table lookups by the access control list (ACL) engine on the Catalyst 3750 switches. The ACL engine performs ACL lookups based on packets passing through the switch. The result of the ACL engine lookup into the TCAM determines how the switch handles a packet. For example, the packet may be permitted or denied. The TCAM has a limited number of entries that are populated with mask values and pattern values. There is one mask for eight entries in the TCAM. For more information about TCAM, refer to this document:
The main issues users face when configuring ACLs on Catalyst 3750 family switches are resource contention and exhaustion. Since the Catalyst 3750 switches enforce several types of ACLs in hardware rather than in software, the switch programs hardware lookup tables and various hardware registers in the TCAM subsystem. When a packet arrives, the switch can perform a hardware table lookup and perform the appropriate action.
The Catalyst 3750 uses a TCAM subsystem that is shared between L2 and L3 forwarding entries, router access control lists (RACLs), VLAN access control lists (VACLs), and Quality of Service (QoS) ACLs. Unlike some types of Catalyst 3550 switches, the Catalyst 3750 has one TCAM subsystem.
TCAM Table Structure
Layer 2 Learning—This part holds the information about the port learning policies. For example, the regular access, secure, or dynamic VLAN port has a different learning policy.
Layer 2 Forwarding—This part holds the information about learned unicast and multicast addresses.
Layer 3 Routing—This part is used for unicast and multicast route lookups.
ACL and QoS Table—This part holds the information on how to identify the traffic according to security and QoS ACLs.
Since the Catalyst 3750 can be used in numerous different applications, flexibility in TCAM subsystem resource allocation is vital. To this end, there are three predefined SDM templates that can be used to divide the TCAM to suit the use of the Catalyst 3750. The first one is the routing template, which maximizes the system resources for unicast routing. The routing template would typically be used when the box is used as a router or route aggregator in the center of the network. The VLAN template is the second one; with this template, unicast routing is disabled, allowing the maximum number of supported MAC addresses. The VLAN template would be used when the switch is being used as a purely L2 device. Finally, there is the default template, which is a mix between the routing and VLAN templates. This template gives a good balance between L2 and L3 capabilities. The sdm prefer route template or sdm prefer routing-pbr template commands have to be used if policy-based routing (PBR) is used on the switch. If not, then the commands used for PBR will disappear.
For each template, there are two different versions: the Desktop Template and the Aggregator template. Only Catalyst switch model 3750-12S currently supports the Aggregator template. All Catalyst 3750 switches (including the 3750-12S) support the Desktop template.
Catalyst 3750 SDM Desktop Template
|Resource|Default|Routing|VLAN|
|Unicast MAC address|6K|3K|12K|
|IGMP groups and Multicast routes|1K|1K|1K|
Catalyst 3750 SDM Aggregator Template (currently only supported by the 3750-12S)
|Resource|Default|Routing|VLAN|
|Unicast MAC address|6K|6K|12K|
|IGMP groups and Multicast routes|1K|1K|1K|
All templates are predefined. The individual values of a template category cannot be edited.
A switch reload is required to use a new SDM template.
The number of TCAM entries listed for security and QoS ACEs is generated by the ACL merge algorithm, not taken from the original access control entries (ACEs) configured by the user. Refer to the Merge Algorithm section for more details.
The first eight lines (up to Security ACEs) represent approximate hardware boundaries set when a template is used. If the boundary is exceeded, all processing overflow is sent to the CPU which can have a major impact on the performance of the switch.
Choosing the VLAN template disables routing in hardware (the number of entries for unicast or multicast routes is zero).
When 3750 switches are part of a stack, there are several points to keep in mind regarding the SDM templates that can be used.
When a switch is added to a stack, the SDM template on the master will override the SDM template on the new switch.
If a 3750-12S running an Aggregate Template is added as a member of the stack with a master running a Desktop template, the 3750-12S will move to the same Desktop template that is running on the master. When doing this, there is a risk that the newly added switch will lose part of its configuration if the number of existing TCAM entries exceeds those available on the Desktop template running on the master.
If the stack master is a 3750-12S running an Aggregate Template and the member switches are not 3750-12S switches, they will not be able to support the Aggregate Template and the member switches will move into SDM mismatch mode. To verify whether there are any switches in SDM mismatch mode, you can issue the show switch command.
The different resources within the TCAM subsystem are limited. Depending on the configuration of the network and the Catalyst 3750, these resources may be exhausted. If these resources are exhausted, one or more of the following may occur:
For Layer 2 Forwarding and Learning, a newly learned address will be flooded to all ports within the ingress VLAN. This is consistent with the operation of a bridge when the forwarding table is full. The Catalyst 3750 does not have the option of a network drain port to disable learning on specific interfaces.
For Layer 3 Routing, any L3 unicast and multicast routes will be learned only in software and not programmed into the TCAM. This results in slower software-based forwarding (routing) of packets between VLANs. The Catalyst 3750 can store considerably more L3 routes in software than the SDM template allows; however, this is not recommended, since performance will decrease and CPU utilization will rise.
Since the Catalyst 3750 allows only one ACL lookup per ingress or egress traffic direction, security ACLs, VACLs, and RACLs need to be merged into one compiled ACL in the TCAM. The following sequence will occur:
If the RACL and a VACL are merged and compiled into the TCAM, the compiler will attempt to fit either one into the TCAM.
If the merge fails, the Catalyst 3750 attempts to fit the VACL and a simplified RACL in the TCAM which essentially sends all routed packets to the CPU for filtering there.
If the RACL fits into the TCAM, but the VACL does not, only the RACL is processed in hardware. The VACL is processed through the CPU.
If either the RACL or a VACL is being compiled into the TCAM and does not fit, the entire RACL or VACL is unloaded from hardware. All processing is done through software. If neither the RACL nor the VACL can individually fit into the TCAM, both are software processed.
The Cisco IOS Software on the Catalyst 3750 uses the Order Dependent Merge (ODM) algorithm. This algorithm is enabled by default and is not configurable.
To check the current SDM template, issue the show sdm prefer command.
C3750G-24T#show sdm prefer
 The current template is "desktop default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.
  number of unicast mac addresses:            6K
  number of igmp groups + multicast routes:   1K
  number of unicast routes:                   8K
    number of directly connected hosts:       6K
    number of indirect routes:                2K
  number of policy based routing aces:        0
  number of qos aces:                         512
  number of security aces:                    1K
C3750G-24T#
C3750G-24T#show sdm prefer vlan
 "desktop vlan" template:
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.
  number of unicast mac addresses:            12K
  number of igmp groups:                      1K
  number of multicast routes:                 0
  number of unicast routes:                   0
  number of policy based routing aces:        0
  number of qos aces:                         512
  number of security aces:                    1K
C3750G-24T#
Note: There is no space reserved for the unicast or multicast entries.
To change the SDM template to the VLAN template:
C3750G-24T#conf t
Enter configuration commands, one per line. End with CNTL/Z.
C3750G-24T(config)#sdm prefer vlan
Changes to the running SDM preferences have been stored, but cannot take effect
until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
C3750G-24T(config)#^Z
C3750G-24T#show sdm prefer
 The current template is "desktop default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.
  number of unicast mac addresses:            6K
  number of igmp groups + multicast routes:   1K
  number of unicast routes:                   8K
    number of directly connected hosts:       6K
    number of indirect routes:                2K
  number of policy based routing aces:        0
  number of qos aces:                         512
  number of security aces:                    1K
 On next reload, template will be "desktop vlan" template.
C3750G-24T#
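An added example, not part of the original document or of any Cisco tooling: a Python parser for the show sdm prefer output above that reports the active template, the template pending a reload, and which planned resource counts would exceed the template boundaries. It assumes "K" means 1024 entries; the function names and the planned figures are hypothetical.

```python
import re

# The "desktop default" output shown on this page, including the pending-template line.
DEFAULT_OUT = '''The current template is "desktop default" template.
  number of unicast mac addresses:            6K
  number of igmp groups + multicast routes:   1K
  number of unicast routes:                   8K
    number of directly connected hosts:       6K
    number of indirect routes:                2K
  number of policy based routing aces:        0
  number of qos aces:                         512
  number of security aces:                    1K
On next reload, template will be "desktop vlan" template.
'''
# The "desktop vlan" output shown on this page (show sdm prefer vlan).
VLAN_OUT = '''"desktop vlan" template:
  number of unicast mac addresses:            12K
  number of igmp groups:                      1K
  number of multicast routes:                 0
  number of unicast routes:                   0
  number of policy based routing aces:        0
  number of qos aces:                         512
  number of security aces:                    1K
'''

def parse_sdm(text):
    """Return the active template, the template pending reload, and per-resource limits."""
    info = {"template": None, "pending": None, "limits": {}}
    for line in text.splitlines():
        m = re.match(r"\s*number of (.+?):\s*(\d+)(K?)\s*$", line)
        if m:
            # Assumption: a "K" suffix means 1024 entries.
            info["limits"][m.group(1)] = int(m.group(2)) * (1024 if m.group(3) else 1)
            continue
        m = re.search(r'"([^"]+)" template', line)
        if m:
            key = "pending" if "On next reload" in line else "template"
            info[key] = m.group(1)
    return info

def overflow(limits, planned):
    """Resources whose planned count exceeds the template boundary (overflow goes to the CPU)."""
    return sorted(r for r, n in planned.items() if n > limits.get(r, 0))

if __name__ == "__main__":
    planned = {"unicast mac addresses": 9000, "security aces": 800}  # hypothetical
    for out in (DEFAULT_OUT, VLAN_OUT):
        sdm = parse_sdm(out)
        print(sdm["template"], sdm["pending"], overflow(sdm["limits"], planned))
```

For security and QoS ACEs, compare the post-merge TCAM entry count rather than the configured ACE count, since the template figures refer to entries generated by the merge algorithm.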
The following information can help you troubleshoot your configuration.
If the stack master is a Catalyst 3750-12S running an Aggregate Template and a new member switch which is not a 3750-12S is added to the stack, the following is seen on the master:
2d23h:%STACKMGR-6-SWITCH_ADDED_SDM:Switch 2 has been ADDED to the stack (SDM_MISMATCH)
2d23h:%SDM-6-MISMATCH_ADVISE:
2d23h:%SDM-6-MISMATCH_ADVISE:
2d23h:%SDM-6-MISMATCH_ADVISE:System (#2) is incompatible with the SDM
2d23h:%SDM-6-MISMATCH_ADVISE:template currently running on the stack and
2d23h:%SDM-6-MISMATCH_ADVISE:will not function unless the stack is
2d23h:%SDM-6-MISMATCH_ADVISE:downgraded. Issuing the following commands
2d23h:%SDM-6-MISMATCH_ADVISE:will downgrade the stack to use a smaller
2d23h:%SDM-6-MISMATCH_ADVISE:compatible desktop SDM template:
2d23h:%SDM-6-MISMATCH_ADVISE:
2d23h:%SDM-6-MISMATCH_ADVISE:    "sdm prefer vlan desktop"
2d23h:%SDM-6-MISMATCH_ADVISE:    "reload"
To check if there are any members of the stack running in SDM mismatch mode, you can issue the following command:
C3750-12S# show switch
                                               Current
C3750-12S#  Role      Mac Address     Priority     State
------------------------------------------------------------
*1       Master    000a.fdfd.0100     5         Ready
 2       Slave     0003.fd63.9c00     5         SDM Mismatch
If you are seeing this type of error on your master, make sure that you set the SDM Template on the Catalyst 3750-12S to Desktop.
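An added example, not from the original document: Python detection logic that flags stack members in SDM mismatch from the syslog messages and the show switch rows shown above, and extracts the commands the switch advises. The function names are hypothetical; the sample input is the output printed on this page, with column spacing reconstructed.

```python
import re

# Messages and 'show switch' rows from the output shown on this page.
LOG = '''2d23h:%STACKMGR-6-SWITCH_ADDED_SDM:Switch 2 has been ADDED to the stack (SDM_MISMATCH)
2d23h:%SDM-6-MISMATCH_ADVISE:
2d23h:%SDM-6-MISMATCH_ADVISE:
2d23h:%SDM-6-MISMATCH_ADVISE:System (#2) is incompatible with the SDM
2d23h:%SDM-6-MISMATCH_ADVISE:template currently running on the stack and
2d23h:%SDM-6-MISMATCH_ADVISE:will not function unless the stack is
2d23h:%SDM-6-MISMATCH_ADVISE:downgraded. Issuing the following commands
2d23h:%SDM-6-MISMATCH_ADVISE:will downgrade the stack to use a smaller
2d23h:%SDM-6-MISMATCH_ADVISE:compatible desktop SDM template:
2d23h:%SDM-6-MISMATCH_ADVISE:
2d23h:%SDM-6-MISMATCH_ADVISE:    "sdm prefer vlan desktop"
2d23h:%SDM-6-MISMATCH_ADVISE:    "reload"
'''
SHOW_SWITCH = '''*1       Master    000a.fdfd.0100     5         Ready
 2       Slave     0003.fd63.9c00     5         SDM Mismatch
'''

# timestamp:%FACILITY-SEVERITY-MNEMONIC:text
MSG = re.compile(r"^[^:%]+:%(\w+)-(\d)-(\w+):\s*(.*)$")
# switch number (optionally starred), role, MAC, priority, state
ROW = re.compile(r"^\s*\*?(\d+)\s+(\S+)\s+([0-9a-f.]{14})\s+(\d+)\s+(.+?)\s*$")

def mismatch_from_log(log):
    """Return (switch numbers added in SDM mismatch, commands the switch advises)."""
    switches, commands = set(), []
    for line in log.splitlines():
        m = MSG.match(line)
        if not m:
            continue
        facility, _severity, mnemonic, text = m.groups()
        if mnemonic == "SWITCH_ADDED_SDM" and "(SDM_MISMATCH)" in text:
            switches.update(int(n) for n in re.findall(r"Switch (\d+)", text))
        elif (facility, mnemonic) == ("SDM", "MISMATCH_ADVISE"):
            commands += re.findall(r'"([^"]+)"', text)
    return sorted(switches), commands

def mismatch_from_show_switch(text):
    """Return switch numbers whose State column reads 'SDM Mismatch'."""
    rows = (ROW.match(line) for line in text.splitlines())
    return sorted(int(r.group(1)) for r in rows if r and r.group(5) == "SDM Mismatch")

if __name__ == "__main__":
    print(mismatch_from_log(LOG))
    print(mismatch_from_show_switch(SHOW_SWITCH))
```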
Only the Catalyst 3750-12S supports both the Desktop and Aggregate templates. All other Catalyst 3750 series switches support the Desktop template only, which is configured by default and cannot be changed. On the other models of 3750 series switches, no option is available in the CLI for desktop and aggregate templates as in the example below.
C3750G-24T(config)#sdm prefer routing ?
  <cr>
On the Catalyst 3750-12S, the option to choose between the Desktop and Aggregate template is not available. Aggregate is the default and to change to Desktop issue the following commands (this example changes to Routing Desktop):
C3750-12S(config)# sdm prefer routing desktop
C3750-12S(config)# end
C3750-12S# reload
Proceed with reload? [confirm]
The Aggregate keyword in the sdm prefer command is not shown on the Catalyst 3750-12S switch because it runs the Aggregate template by default. If the template has been changed (for example, to the Routing Desktop template), the following commands can change it back to Routing Aggregate:
C3750-12S(config)# no sdm prefer
!--- This brings the switch back to its default SDM template which is Aggregate.
C3750-12S(config)# sdm prefer routing
!--- This brings the switch to the Routing Aggregate template.