BugZero | Cisco BugID CSCuz67613 - IPv6 RACL TCAM space on Nexus 9332PQ

Cisco - Defect ID: CSCuz67613

IPv6 RACL TCAM space on Nexus 9332PQ

Cisco - Defect ID: CSCuz67613

IPv6 RACL TCAM space on Nexus 9332PQ

Last updated on 4/1/2020

Overall: 66.0

Severity: 6.46.4

Lifecycle: 9.19.1

Popularity: 3.73.7

What is the BugZero Risk Score?

Vendor details

No defect details.

Overall: 66.0

Severity: 6.46.4

Lifecycle: 9.19.1

Popularity: 3.73.7

What is the BugZero Risk Score?

Vendor details

No defect details.

Symptom

As per Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 7.x: To set the size of the ingress IPv6 RACL TCAM region on a Cisco Nexus 9500 Series switch, perform one of two options. Option #1 Reduce the ingress IPv4 RACL by 512 entries (1536 - 512 = 1024) and add an ingress IPv6 RACL with 512 entries—This option is preferred. switch(config)# hardware access-list tcam region racl 1024 Warning: Please reload the linecard for the configuration to take effect switch(config)# hardware access-list tcam region ipv6-racl 256 Warning: Please reload the linecard for the configuration to take effect Option #2 Remove IPv4 Layer 3 QoS by reducing its size to 0 and add an ingress IPv6 RACL—This option is available if you are not using IPv4 Layer 3 QoS. switch(config)# hardware access-list tcam region l3qos 0 Warning: Please reload the linecard for the configuration to take effect switch(config)# hardware access-list tcam region ipv6-racl 256 Warning: Please reload the linecard for the configuration to take effect ==================================================================================== My device is Nexus 9332PQ and can't use Option 1. I tried to config "Option 1" on Nexus 9500 . But got the same issue. Below is my log. 9332PQ-01# show hardware access-list tcam region TCAM Region Sizes: 99 IPV4 PACL [ifacl] size = 0 IPV6 PACL [ipv6-ifacl] size = 0 MAC PACL [mac-ifacl] size = 0 IPV4 Port QoS [qos] size = 0 IPV6 Port QoS [ipv6-qos] size = 0 MAC Port QoS [mac-qos] size = 0 FEX IPV4 PACL [fex-ifacl] size = 0 FEX IPV6 PACL [fex-ipv6-ifacl] size = 0 FEX MAC PACL [fex-mac-ifacl] size = 0 FEX IPV4 Port QoS [fex-qos] size = 0 FEX IPV6 Port QoS [fex-ipv6-qos] size = 0 FEX MAC Port QoS [fex-mac-qos] size = 0 IPV4 VACL [vacl] size = 0 IPV6 VACL [ipv6-vacl] size = 0 MAC VACL [mac-vacl] size = 0 IPV4 VLAN QoS [vqos] size = 0 IPV6 VLAN QoS [ipv6-vqos] size = 0 MAC VLAN QoS [mac-vqos] size = 0 IPV4 RACL [racl] size = 1536 IPV6 RACL [ipv6-racl] size = 0 IPV4 Port QoS Lite [qos-lite] size = 0 FEX IPV4 Port QoS Lite [fex-qos-lite] size = 0 IPV4 VLAN QoS Lite [vqos-lite] size = 0 IPV4 L3 QoS Lite [l3qos-lite] size = 0 Egress IPV4 QoS [e-qos] size = 0 Egress IPV6 QoS [e-ipv6-qos] size = 0 Egress MAC QoS [e-mac-qos] size = 0 Egress IPV4 VACL [vacl] size = 0 Egress IPV6 VACL [ipv6-vacl] size = 0 Egress MAC VACL [mac-vacl] size = 0 Egress IPV4 RACL [e-racl] size = 768 Egress IPV6 RACL [e-ipv6-racl] size = 0 Egress IPV4 QoS Lite [e-qos-lite] size = 0 IPV4 L3 QoS [l3qos] size = 256 IPV6 L3 QoS [ipv6-l3qos] size = 0 MAC L3 QoS [mac-l3qos] size = 0 Ingress System size = 256 Egress System size = 256 SPAN [span] size = 256 Ingress COPP [copp] size = 256 Ingress Flow Counters [flow] size = 0 Egress Flow Counters [e-flow] size = 0 Ingress SVI Counters [svi] size = 0 Redirect [redirect] size = 256 NS IPV4 Port QoS [ns-qos] size = 256 NS IPV6 Port QoS [ns-ipv6-qos] size = 0 NS MAC Port QoS [ns-mac-qos] size = 0 NS IPV4 VLAN QoS [ns-vqos] size = 256 NS IPV6 VLAN QoS [ns-ipv6-vqos] size = 0 NS MAC VLAN QoS [ns-mac-vqos] size = 0 NS IPV4 L3 QoS [ns-l3qos] size = 256 NS IPV6 L3 QoS [ns-ipv6-l3qos] size = 0 NS MAC L3 QoS [ns-mac-l3qos] size = 0 VPC Convergence [vpc-convergence] size = 512 IPSG SMAC-IP bind table [ipsg] size = 0 Ingress ARP-Ether ACL [arp-ether] size = 0 ranger+ IPV4 QoS Lite [rp-qos-lite] size = 0 ranger+ IPV4 QoS [rp-qos] size = 256 ranger+ IPV6 QoS [rp-ipv6-qos] size = 256 ranger+ MAC QoS [rp-mac-qos] size = 256 NAT ACL[nat] size = 0 Mpls ACL size = 0 MOD RSVD size = 0 sFlow ACL [sflow] size = 0 mcast bidir ACL [mcast_bidir] size = 0 Openflow size = 0 IPV4 RACL SPAN UDF [racl-udf] size = 0 IPV4 RACL Lite [racl-lite] size = 0 IPV4 Port QoS Intra-TCAM Lite [qos-intra-lite] size = 0 IPV4 L3 QoS Intra-TCAM Lite [l3qos-intra-lite] size = 0 IPV4 PACL SPAN UDF [ifacl-udf] size = 0 COPP System [copp-system] size = 0 IPV4 PACL Lite [ifacl-lite] size = 0 IPV4 VACL Lite [vacl-lite] size = 0 IPV4 VQOS Intra Lite [vqos-intra-lite] size = 0 Ingress PACL [ing-ifacl] size = 0 VACL [vacl] size = 0 Ingress RACL [ing-racl] size = 0 Ingress RBACL [ing-rbacl] size = 0 Ingress L2 QOS [ing-l2-qos] size = 0 Ingress L3/VLAN QOS [ing-l3-vlan-qos] size = 0 Ingress SUP [ing-sup] size = 0 Ingress L2 SPAN filter [ing-l2-span-filter] size = 0 Ingress L3 SPAN filter [ing-l3-span-filter] size = 0 Ingress FSTAT [ing-fstat] size = 0 Ingress LATENCY [ing-latency] size = 0 span [span] size = 0 Egress VACL [egr-vacl] size = 0 Egress RACL [egr-racl] size = 0 Egress RBACL [egr-rbacl] size = 0 Egress SUP [egr-sup] size = 0 Openflow Lite [openflow-lite] size = 0 Ingress FCoE Counters [fcoe-ingress] size = 0 Egress FCoE Counters [fcoe-egress] size = 0 Ingress Redirect [ing-redirect] size = 0 Redirect-Tunnel [redirect-tunnel] size = 0 9332PQ-01# 9332PQ-01# 9332PQ-01# 9332PQ-01# conf t ---------->Option #1 Reduce the ingress IPv4 RACL by 512 entries (1536 - 512 = 1024) and add an ingress IPv6 RACL with 512 entries. Enter configuration commands, one per line. End with CNTL/Z. 9332PQ-01(config)# hardware access-list tcam region racl 1024 Warning: Please save config and reload the system for the configuration to take effect 9332PQ-01(config)# 9332PQ-01(config)# hardware access-list tcam region ipv6-racl 256 ERROR: Aggregate TCAM region configuration exceeded the available Ingress TCAM slices. Please re-configure. ---------->Exception 9332PQ-01(config)# 9332PQ-01(config)# 9332PQ-01(config)# hardware access-list tcam region racl 1536 Warning: Please save config and reload the system for the configuration to take effect 9332PQ-01(config)# 9332PQ-01(config)# 9332PQ-01(config)# ---------->Option #2 Remove IPv4 Layer 3 QoS by reducing its size to 0 and add an ingress IPv6 RACLjThis option is available if you are not using IPv4 Layer 3 QoS. 9332PQ-01(config)# 9332PQ-01(config)# hardware access-list tcam region l3qos 0 Warning: Please save config and reload the system for the configuration to take effect 9332PQ-01(config)# hardware access-list tcam region ipv6-racl 256 Warning: Please save config and reload the system for the configuration to take effect 9332PQ-01(config)# 9332PQ-01(config)# show hardware access-list tcam region TCAM Region Sizes: 99 IPV4 PACL [ifacl] size = 0 IPV6 PACL [ipv6-ifacl] size = 0 MAC PACL [mac-ifacl] size = 0 IPV4 Port QoS [qos] size = 0 IPV6 Port QoS [ipv6-qos] size = 0 MAC Port QoS [mac-qos] size = 0 FEX IPV4 PACL [fex-ifacl] size = 0 FEX IPV6 PACL [fex-ipv6-ifacl] size = 0 FEX MAC PACL [fex-mac-ifacl] size = 0 FEX IPV4 Port QoS [fex-qos] size = 0 FEX IPV6 Port QoS [fex-ipv6-qos] size = 0 FEX MAC Port QoS [fex-mac-qos] size = 0 IPV4 VACL [vacl] size = 0 IPV6 VACL [ipv6-vacl] size = 0 MAC VACL [mac-vacl] size = 0 IPV4 VLAN QoS [vqos] size = 0 IPV6 VLAN QoS [ipv6-vqos] size = 0 MAC VLAN QoS [mac-vqos] size = 0 IPV4 RACL [racl] size = 1536 IPV6 RACL [ipv6-racl] size = 256 IPV4 Port QoS Lite [qos-lite] size = 0 FEX IPV4 Port QoS Lite [fex-qos-lite] size = 0 IPV4 VLAN QoS Lite [vqos-lite] size = 0 IPV4 L3 QoS Lite [l3qos-lite] size = 0 Egress IPV4 QoS [e-qos] size = 0 Egress IPV6 QoS [e-ipv6-qos] size = 0 Egress MAC QoS [e-mac-qos] size = 0 Egress IPV4 VACL [vacl] size = 0 Egress IPV6 VACL [ipv6-vacl] size = 0 Egress MAC VACL [mac-vacl] size = 0 Egress IPV4 RACL [e-racl] size = 768 Egress IPV6 RACL [e-ipv6-racl] size = 0 Egress IPV4 QoS Lite [e-qos-lite] size = 0 IPV4 L3 QoS [l3qos] size = 0 IPV6 L3 QoS [ipv6-l3qos] size = 0 MAC L3 QoS [mac-l3qos] size = 0 Ingress System size = 256 Egress System size = 256 SPAN [span] size = 256 Ingress COPP [copp] size = 256 Ingress Flow Counters [flow] size = 0 Egress Flow Counters [e-flow] size = 0 Ingress SVI Counters [svi] size = 0 Redirect [redirect] size = 256 NS IPV4 Port QoS [ns-qos] size = 256 NS IPV6 Port QoS [ns-ipv6-qos] size = 0 NS MAC Port QoS [ns-mac-qos] size = 0 NS IPV4 VLAN QoS [ns-vqos] size = 256 NS IPV6 VLAN QoS [ns-ipv6-vqos] size = 0 NS MAC VLAN QoS [ns-mac-vqos] size = 0 NS IPV4 L3 QoS [ns-l3qos] size = 256 NS IPV6 L3 QoS [ns-ipv6-l3qos] size = 0 NS MAC L3 QoS [ns-mac-l3qos] size = 0 VPC Convergence [vpc-convergence] size = 512 IPSG SMAC-IP bind table [ipsg] size = 0 Ingress ARP-Ether ACL [arp-ether] size = 0 ranger+ IPV4 QoS Lite [rp-qos-lite] size = 0 ranger+ IPV4 QoS [rp-qos] size = 256 ranger+ IPV6 QoS [rp-ipv6-qos] size = 256 ranger+ MAC QoS [rp-mac-qos] size = 256 NAT ACL[nat] size = 0 Mpls ACL size = 0 MOD RSVD size = 0 sFlow ACL [sflow] size = 0 mcast bidir ACL [mcast_bidir] size = 0 Openflow size = 0 IPV4 RACL SPAN UDF [racl-udf] size = 0 IPV4 RACL Lite [racl-lite] size = 0 IPV4 Port QoS Intra-TCAM Lite [qos-intra-lite] size = 0 IPV4 L3 QoS Intra-TCAM Lite [l3qos-intra-lite] size = 0 IPV4 PACL SPAN UDF [ifacl-udf] size = 0 COPP System [copp-system] size = 0 IPV4 PACL Lite [ifacl-lite] size = 0 IPV4 VACL Lite [vacl-lite] size = 0 IPV4 VQOS Intra Lite [vqos-intra-lite] size = 0 Ingress PACL [ing-ifacl] size = 0 VACL [vacl] size = 0 Ingress RACL [ing-racl] size = 0 Ingress RBACL [ing-rbacl] size = 0 Ingress L2 QOS [ing-l2-qos] size = 0 Ingress L3/VLAN QOS [ing-l3-vlan-qos] size = 0 Ingress SUP [ing-sup] size = 0 Ingress L2 SPAN filter [ing-l2-span-filter] size = 0 Ingress L3 SPAN filter [ing-l3-span-filter] size = 0 Ingress FSTAT [ing-fstat] size = 0 Ingress LATENCY [ing-latency] size = 0 span [span] size = 0 Egress VACL [egr-vacl] size = 0 Egress RACL [egr-racl] size = 0 Egress RBACL [egr-rbacl] size = 0 Egress SUP [egr-sup] size = 0 Openflow Lite [openflow-lite] size = 0 Ingress FCoE Counters [fcoe-ingress] size = 0 Egress FCoE Counters [fcoe-egress] size = 0 Ingress Redirect [ing-redirect] size = 0 Redirect-Tunnel [redirect-tunnel] size = 0 AQ6-PT-9332PQ-01(config)# AQ6-PT-9332PQ-01(config)# AQ6-PT-9332PQ-01(config)#

Conditions

Default TCAM space.

Workaround

Option #2 Remove IPv4 Layer 3 QoS by reducing its size to 0 and add an ingress IPv6 RACL—This option is available if you are not using IPv4 Layer 3 QoS. switch(config)# hardware access-list tcam region l3qos 0 Warning: Please reload the linecard for the configuration to take effect switch(config)# hardware access-list tcam region ipv6-racl 256 Warning: Please reload the linecard for the configuration to take effect

Further Problem Description

Original Vendor Announcement

9.65Defect ID: CSCwd45843
Auth Step latency for policy evaluation due to Garbage Collection activity.
9.65Defect ID: CSCwa92734
CUBE DTMF interworking fails from rtp-nte to OOB SIP methods
9.65Defect ID: CSCwj45822
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability
9.65Defect ID: CSCvo03458
PKI "revocation check crl none" does not fallback if CRL not reachable
9.65Defect ID: CSCvq05584
Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution Vulnerability

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCuz67613

IPv6 RACL TCAM space on Nexus 9332PQ

Cisco - Defect ID: CSCuz67613

IPv6 RACL TCAM space on Nexus 9332PQ

Last updated on 4/1/2020

Vendor details

Vendor details

Description

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco defects by risk score

Ready to prevent the next vendor outage?