BugZero | Cisco BugID CSCut18665 - N9K - Default TCAM allocation for CoPP

Cisco - Defect ID: CSCut18665

N9K - Default TCAM allocation for CoPP

Cisco - Defect ID: CSCut18665

N9K - Default TCAM allocation for CoPP

Last updated on 9/9/2019

Overall: 3.13.1

Severity: 3.73.7

Lifecycle: 44.0

Popularity: 4.64.6

What is the BugZero Risk Score?

Vendor details

No defect details.

Overall: 3.13.1

Severity: 3.73.7

Lifecycle: 44.0

Popularity: 4.64.6

What is the BugZero Risk Score?

Vendor details

No defect details.

Symptom

Attempting to make modifications to the default CoPP policy on a Nexus 9300 or 9500 it errors out with the following: Nexus9K-1(config)# control-plane Nexus9K-1(config-cp)# service-policy input CUSTOM-copp-policy-strict This operation can cause disruption of control traffic. Proceed (y/n)? [no] y ERROR: Sufficient free entries are not available in TCAM bank 2015 Feb 28 12:23:25 Nexus9K-1 %$ VDC-1 %$ %ACLQOS-SLOT1-2-ACLQOS_OOTR: Tcam resource exhausted: (null)

Conditions

Attempting to make modifications to the default CoPP policy on a Nexus 9300 or 9500

Workaround

Gauge what other TCAM region on your system has a low percentage utilized via the following CLI: Nexus9K-1# show hardware access-list resource utilization Once this is determined you will need to reduce the allocated size to this/these bank(s) and increase the allocated size to the CoPP region via the following CLI: Nexus9K-1(config)# hardware access-list tcam region [region_id] [size] Nexus9K-1(config)# hardware access-list tcam region copp [size] Note: Following the above changes a reload must be performed for the new TCAM carving to occur.

Further Problem Description

This is due to the default TCAM region allocation for CoPP being 95% utilized with the default policy applied. This does not allow for much room to customize the policy: N9396-1# sh hardware access-list resource utilization | i Used|Free|Percent|Utilization|-|COPP ------------- ACL Hardware Resource Utilization (Mod 1) ---------------------------------------------------------- Used Free Percent Utilization ------------------------------------------------------------------- SUP COPP 244 12 95.31 For more information on the TCAM region limitations on the Nexus 9000 series platform please review the following section of the configuration guide: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/qos/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Quality_of_Service_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Quality_of_Service_Configuration_Guide_7x_chapter_0100.html

Original Vendor Announcement

9.65Defect ID: CSCwd45843
Auth Step latency for policy evaluation due to Garbage Collection activity.
9.65Defect ID: CSCwa92734
CUBE DTMF interworking fails from rtp-nte to OOB SIP methods
9.65Defect ID: CSCwj45822
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability
9.65Defect ID: CSCvo03458
PKI "revocation check crl none" does not fallback if CRL not reachable
9.65Defect ID: CSCvq05584
Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution Vulnerability

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCut18665

N9K - Default TCAM allocation for CoPP

Cisco - Defect ID: CSCut18665

N9K - Default TCAM allocation for CoPP

Last updated on 9/9/2019

Vendor details

Vendor details

Description

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco defects by risk score

Ready to prevent the next vendor outage?