BugZero | Cisco BugID CSCuz67613 - IPv6 RACL TCAM space on Nexus 9332PQ

Cisco - Defect ID: CSCuz67613

IPv6 RACL TCAM space on Nexus 9332PQ

Cisco - Defect ID: CSCuz67613

IPv6 RACL TCAM space on Nexus 9332PQ

Last updated on April 1st, 2020

BugZero Risk Score
6.0 Medium

Overall: 6.0

Severity: 6.4

Lifecycle: 9.1

Popularity: 3.7

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Views: 4

Description

Symptom

As per Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 7.x: To set the size of the ingress IPv6 RACL TCAM region on a Cisco Nexus 9500 Series switch, perform one of two options. Option #1 Reduce the ingress IPv4 RACL by 512 entries (1536 - 512 = 1024) and add an ingress IPv6 RACL with 512 entries—This option is preferred. switch(config)# hardware access-list tcam region racl 1024 Warning: Please reload the linecard for the configuration to take effect switch(config)# hardware access-list tcam region ipv6-racl 256 Warning: Please reload the linecard for the configuration to take effect Option #2 Remove IPv4 Layer 3 QoS by reducing its size to 0 and add an ingress IPv6 RACL—This option is available if you are not using IPv4 Layer 3 QoS. switch(config)# hardware access-list tcam region l3qos 0 Warning: Please reload the linecard for the configuration to take effect switch(config)# hardware access-list tcam region ipv6-racl 256 Warning: Please reload the linecard for the configuration to take effect ==================================================================================== My device is Nexus 9332PQ and can't use Option 1. I tried to config "Option 1" on Nexus 9500 . But got the same issue. Below is my log. 9332PQ-01# show hardware access-list tcam region TCAM Region Sizes: 99 IPV4 PACL [ifacl] size = 0 IPV6 PACL [ipv6-ifacl] size = 0 MAC PACL [mac-ifacl] size = 0 IPV4 Port QoS [qos] size = 0 IPV6 Port QoS [ipv6-qos] size = 0 MAC Port QoS [mac-qos] size = 0 FEX IPV4 PACL [fex-ifacl] size = 0 FEX IPV6 PACL [fex-ipv6-ifacl] size = 0 FEX MAC PACL [fex-mac-ifacl] size = 0 FEX IPV4 Port QoS [fex-qos] size = 0 FEX IPV6 Port QoS [fex-ipv6-qos] size = 0 FEX MAC Port QoS [fex-mac-qos] size = 0 IPV4 VACL [vacl] size = 0 IPV6 VACL [ipv6-vacl] size = 0 MAC VACL [mac-vacl] size = 0 IPV4 VLAN QoS [vqos] size = 0 IPV6 VLAN QoS [ipv6-vqos] size = 0 MAC VLAN QoS [mac-vqos] size = 0 IPV4 RACL [racl] size = 1536 IPV6 RACL [ipv6-racl] size = 0 IPV4 Port QoS Lite [qos-lite] size = 0 FEX IPV4 Port QoS Lite [fex-qos-lite] size = 0 IPV4 VLAN QoS Lite [vqos-lite] size = 0 IPV4 L3 QoS Lite [l3qos-lite] size = 0 Egress IPV4 QoS [e-qos] size = 0 Egress IPV6 QoS [e-ipv6-qos] size = 0 Egress MAC QoS [e-mac-qos] size = 0 Egress IPV4 VACL [vacl] size = 0 Egress IPV6 VACL [ipv6-vacl] size = 0 Egress MAC VACL [mac-vacl] size = 0 Egress IPV4 RACL [e-racl] size = 768 Egress IPV6 RACL [e-ipv6-racl] size = 0 Egress IPV4 QoS Lite [e-qos-lite] size = 0 IPV4 L3 QoS [l3qos] size = 256 IPV6 L3 QoS [ipv6-l3qos] size = 0 MAC L3 QoS [mac-l3qos] size = 0 Ingress System size = 256 Egress System size = 256 SPAN [span] size = 256 Ingress COPP [copp] size = 256 Ingress Flow Counters [flow] size = 0 Egress Flow Counters [e-flow] size = 0 Ingress SVI Counters [svi] size = 0 Redirect [redirect] size = 256 NS IPV4 Port QoS [ns-qos] size = 256 NS IPV6 Port QoS [ns-ipv6-qos] size = 0 NS MAC Port QoS [ns-mac-qos] size = 0 NS IPV4 VLAN QoS [ns-vqos] size = 256 NS IPV6 VLAN QoS [ns-ipv6-vqos] size = 0 NS MAC VLAN QoS [ns-mac-vqos] size = 0 NS IPV4 L3 QoS [ns-l3qos] size = 256 NS IPV6 L3 QoS [ns-ipv6-l3qos] size = 0 NS MAC L3 QoS [ns-mac-l3qos] size = 0 VPC Convergence [vpc-convergence] size = 512 IPSG SMAC-IP bind table [ipsg] size = 0 Ingress ARP-Ether ACL [arp-ether] size = 0 ranger+ IPV4 QoS Lite [rp-qos-lite] size = 0 ranger+ IPV4 QoS [rp-qos] size = 256 ranger+ IPV6 QoS [rp-ipv6-qos] size = 256 ranger+ MAC QoS [rp-mac-qos] size = 256 NAT ACL[nat] size = 0 Mpls ACL size = 0 MOD RSVD size = 0 sFlow ACL [sflow] size = 0 mcast bidir ACL [mcast_bidir] size = 0 Openflow size = 0 IPV4 RACL SPAN UDF [racl-udf] size = 0 IPV4 RACL Lite [racl-lite] size = 0 IPV4 Port QoS Intra-TCAM Lite [qos-intra-lite] size = 0 IPV4 L3 QoS Intra-TCAM Lite [l3qos-intra-lite] size = 0 IPV4 PACL SPAN UDF [ifacl-udf] size = 0 COPP System [copp-system] size = 0 IPV4 PACL Lite [ifacl-lite] size = 0 IPV4 VACL Lite [vacl-lite] size = 0 IPV4 VQOS Intra Lite [vqos-intra-lite] size = 0 Ingress PACL [ing-ifacl] size = 0 VACL [vacl] size = 0 Ingress RACL [ing-racl] size = 0 Ingress RBACL [ing-rbacl] size = 0 Ingress L2 QOS [ing-l2-qos] size = 0 Ingress L3/VLAN QOS [ing-l3-vlan-qos] size = 0 Ingress SUP [ing-sup] size = 0 Ingress L2 SPAN filter [ing-l2-span-filter] size = 0 Ingress L3 SPAN filter [ing-l3-span-filter] size = 0 Ingress FSTAT [ing-fstat] size = 0 Ingress LATENCY [ing-latency] size = 0 span [span] size = 0 Egress VACL [egr-vacl] size = 0 Egress RACL [egr-racl] size = 0 Egress RBACL [egr-rbacl] size = 0 Egress SUP [egr-sup] size = 0 Openflow Lite [openflow-lite] size = 0 Ingress FCoE Counters [fcoe-ingress] size = 0 Egress FCoE Counters [fcoe-egress] size = 0 Ingress Redirect [ing-redirect] size = 0 Redirect-Tunnel [redirect-tunnel] size = 0 9332PQ-01# 9332PQ-01# 9332PQ-01# 9332PQ-01# conf t ---------->Option #1 Reduce the ingress IPv4 RACL by 512 entries (1536 - 512 = 1024) and add an ingress IPv6 RACL with 512 entries. Enter configuration commands, one per line. End with CNTL/Z. 9332PQ-01(config)# hardware access-list tcam region racl 1024 Warning: Please save config and reload the system for the configuration to take effect 9332PQ-01(config)# 9332PQ-01(config)# hardware access-list tcam region ipv6-racl 256 ERROR: Aggregate TCAM region configuration exceeded the available Ingress TCAM slices. Please re-configure. ---------->Exception 9332PQ-01(config)# 9332PQ-01(config)# 9332PQ-01(config)# hardware access-list tcam region racl 1536 Warning: Please save config and reload the system for the configuration to take effect 9332PQ-01(config)# 9332PQ-01(config)# 9332PQ-01(config)# ---------->Option #2 Remove IPv4 Layer 3 QoS by reducing its size to 0 and add an ingress IPv6 RACLjThis option is available if you are not using IPv4 Layer 3 QoS. 9332PQ-01(config)# 9332PQ-01(config)# hardware access-list tcam region l3qos 0 Warning: Please save config and reload the system for the configuration to take effect 9332PQ-01(config)# hardware access-list tcam region ipv6-racl 256 Warning: Please save config and reload the system for the configuration to take effect 9332PQ-01(config)# 9332PQ-01(config)# show hardware access-list tcam region TCAM Region Sizes: 99 IPV4 PACL [ifacl] size = 0 IPV6 PACL [ipv6-ifacl] size = 0 MAC PACL [mac-ifacl] size = 0 IPV4 Port QoS [qos] size = 0 IPV6 Port QoS [ipv6-qos] size = 0 MAC Port QoS [mac-qos] size = 0 FEX IPV4 PACL [fex-ifacl] size = 0 FEX IPV6 PACL [fex-ipv6-ifacl] size = 0 FEX MAC PACL [fex-mac-ifacl] size = 0 FEX IPV4 Port QoS [fex-qos] size = 0 FEX IPV6 Port QoS [fex-ipv6-qos] size = 0 FEX MAC Port QoS [fex-mac-qos] size = 0 IPV4 VACL [vacl] size = 0 IPV6 VACL [ipv6-vacl] size = 0 MAC VACL [mac-vacl] size = 0 IPV4 VLAN QoS [vqos] size = 0 IPV6 VLAN QoS [ipv6-vqos] size = 0 MAC VLAN QoS [mac-vqos] size = 0 IPV4 RACL [racl] size = 1536 IPV6 RACL [ipv6-racl] size = 256 IPV4 Port QoS Lite [qos-lite] size = 0 FEX IPV4 Port QoS Lite [fex-qos-lite] size = 0 IPV4 VLAN QoS Lite [vqos-lite] size = 0 IPV4 L3 QoS Lite [l3qos-lite] size = 0 Egress IPV4 QoS [e-qos] size = 0 Egress IPV6 QoS [e-ipv6-qos] size = 0 Egress MAC QoS [e-mac-qos] size = 0 Egress IPV4 VACL [vacl] size = 0 Egress IPV6 VACL [ipv6-vacl] size = 0 Egress MAC VACL [mac-vacl] size = 0 Egress IPV4 RACL [e-racl] size = 768 Egress IPV6 RACL [e-ipv6-racl] size = 0 Egress IPV4 QoS Lite [e-qos-lite] size = 0 IPV4 L3 QoS [l3qos] size = 0 IPV6 L3 QoS [ipv6-l3qos] size = 0 MAC L3 QoS [mac-l3qos] size = 0 Ingress System size = 256 Egress System size = 256 SPAN [span] size = 256 Ingress COPP [copp] size = 256 Ingress Flow Counters [flow] size = 0 Egress Flow Counters [e-flow] size = 0 Ingress SVI Counters [svi] size = 0 Redirect [redirect] size = 256 NS IPV4 Port QoS [ns-qos] size = 256 NS IPV6 Port QoS [ns-ipv6-qos] size = 0 NS MAC Port QoS [ns-mac-qos] size = 0 NS IPV4 VLAN QoS [ns-vqos] size = 256 NS IPV6 VLAN QoS [ns-ipv6-vqos] size = 0 NS MAC VLAN QoS [ns-mac-vqos] size = 0 NS IPV4 L3 QoS [ns-l3qos] size = 256 NS IPV6 L3 QoS [ns-ipv6-l3qos] size = 0 NS MAC L3 QoS [ns-mac-l3qos] size = 0 VPC Convergence [vpc-convergence] size = 512 IPSG SMAC-IP bind table [ipsg] size = 0 Ingress ARP-Ether ACL [arp-ether] size = 0 ranger+ IPV4 QoS Lite [rp-qos-lite] size = 0 ranger+ IPV4 QoS [rp-qos] size = 256 ranger+ IPV6 QoS [rp-ipv6-qos] size = 256 ranger+ MAC QoS [rp-mac-qos] size = 256 NAT ACL[nat] size = 0 Mpls ACL size = 0 MOD RSVD size = 0 sFlow ACL [sflow] size = 0 mcast bidir ACL [mcast_bidir] size = 0 Openflow size = 0 IPV4 RACL SPAN UDF [racl-udf] size = 0 IPV4 RACL Lite [racl-lite] size = 0 IPV4 Port QoS Intra-TCAM Lite [qos-intra-lite] size = 0 IPV4 L3 QoS Intra-TCAM Lite [l3qos-intra-lite] size = 0 IPV4 PACL SPAN UDF [ifacl-udf] size = 0 COPP System [copp-system] size = 0 IPV4 PACL Lite [ifacl-lite] size = 0 IPV4 VACL Lite [vacl-lite] size = 0 IPV4 VQOS Intra Lite [vqos-intra-lite] size = 0 Ingress PACL [ing-ifacl] size = 0 VACL [vacl] size = 0 Ingress RACL [ing-racl] size = 0 Ingress RBACL [ing-rbacl] size = 0 Ingress L2 QOS [ing-l2-qos] size = 0 Ingress L3/VLAN QOS [ing-l3-vlan-qos] size = 0 Ingress SUP [ing-sup] size = 0 Ingress L2 SPAN filter [ing-l2-span-filter] size = 0 Ingress L3 SPAN filter [ing-l3-span-filter] size = 0 Ingress FSTAT [ing-fstat] size = 0 Ingress LATENCY [ing-latency] size = 0 span [span] size = 0 Egress VACL [egr-vacl] size = 0 Egress RACL [egr-racl] size = 0 Egress RBACL [egr-rbacl] size = 0 Egress SUP [egr-sup] size = 0 Openflow Lite [openflow-lite] size = 0 Ingress FCoE Counters [fcoe-ingress] size = 0 Egress FCoE Counters [fcoe-egress] size = 0 Ingress Redirect [ing-redirect] size = 0 Redirect-Tunnel [redirect-tunnel] size = 0 AQ6-PT-9332PQ-01(config)# AQ6-PT-9332PQ-01(config)# AQ6-PT-9332PQ-01(config)#

Conditions

Default TCAM space.

Workaround

Option #2 Remove IPv4 Layer 3 QoS by reducing its size to 0 and add an ingress IPv6 RACL—This option is available if you are not using IPv4 Layer 3 QoS. switch(config)# hardware access-list tcam region l3qos 0 Warning: Please reload the linecard for the configuration to take effect switch(config)# hardware access-list tcam region ipv6-racl 256 Warning: Please reload the linecard for the configuration to take effect

Further Problem Description

Relevant Products

Click on a version to see all relevant bugs

Affected versions:7.0(3)I2(3)

Fixed versions: No known fixed versions

Relevant Products

Click on a version to see all relevant bugs

Affected versions:7.0(3)I2(3)

Fixed versions: No known fixed versions

Top Cisco Defects

No bugs this month

Ready to prevent the next vendor outage?

Get a demo

Cisco - Defect ID: CSCuz67613

IPv6 RACL TCAM space on Nexus 9332PQ

Cisco - Defect ID: CSCuz67613

IPv6 RACL TCAM space on Nexus 9332PQ

Last updated on April 1st, 2020

BugZero Risk Score6.0 Medium

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Top Cisco Defects

Ready to prevent the next vendor outage?

Links

BugZero Risk Score
6.0 Medium