Symptom
Egress ACL TCAM utilization is higher than expected because egress ACLs do not support Layer 4 operations (port ranges): every range operator is expanded into several TCAM entries.
Support for L4 operations in egress ACLs should be added for Cisco-branded ASICs where the hardware provides it.
Conditions
For egress ACLs that use L4 operations (port ranges), the TCAM entries currently look like this. A single ACE with "gt 1023" is programmed as six hardware entries, one per power-of-two aligned port range:
202 permit udp 10.8.2.0/24 eq domain any gt 1023
[0x0011:0x0014:0x0014] permit lbl(0x0 - mismatch) udp 10.8.2.0/24 eq 53 0.0.0.0/0 range 32768 65535 [0]
[0x0012:0x0015:0x0015] permit lbl(0x0 - mismatch) udp 10.8.2.0/24 eq 53 0.0.0.0/0 range 16384 32767 [0]
[0x0013:0x0016:0x0016] permit lbl(0x0 - mismatch) udp 10.8.2.0/24 eq 53 0.0.0.0/0 range 8192 16383 [0]
[0x0014:0x0017:0x0017] permit lbl(0x0 - mismatch) udp 10.8.2.0/24 eq 53 0.0.0.0/0 range 4096 8191 [0]
[0x0015:0x0018:0x0018] permit lbl(0x0 - mismatch) udp 10.8.2.0/24 eq 53 0.0.0.0/0 range 2048 4095 [0]
[0x0016:0x0019:0x0019] permit lbl(0x0 - mismatch) udp 10.8.2.0/24 eq 53 0.0.0.0/0 range 1024 2047 [0]
The reason is that L4 operations are not supported for egress ACLs on the N9K.
This is a documented platform limitation:
"The switch hardware does not support range checks (Layer 4 operations) in the egress TCAM. Therefore, ACL and QoS policies with a Layer 4 operations-based classification need to be expanded to multiple entries in the egress TCAM. Make sure to consider this limitation for egress TCAM space planning."
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_01001.html#con_1458569
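The expansion shown above follows a general rule: a port interval that cannot be matched by a single value/mask pair is split into the smallest set of power-of-two aligned blocks, and each block costs one egress TCAM entry (when both source and destination carry range operators, the entry count is the product of the two expansions). The following script is an added example for TCAM space planning, not code from Cisco or from the original defect note; it reproduces the six entries for "gt 1023" and estimates the cost of other ACEs. The simplified ACE grammar and the small port-name table are assumptions made for the example.

```python
"""Estimate how many egress TCAM entries an NX-OS ACE with L4 operators consumes.

Added example (not Cisco code). Assumption: without hardware range checkers,
each port interval is decomposed into power-of-two aligned blocks, one TCAM
entry per block, and source/destination expansions multiply.
"""
import re
from typing import List, Optional, Tuple

PORT_MAX = 0xFFFF
Block = Tuple[int, int]

# Assumption: only a handful of well-known NX-OS port names are needed here.
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80,
              "ntp": 123, "snmp": 161, "syslog": 514}
L4_OPERATORS = {"eq", "gt", "lt", "neq", "range"}
DOTTED_QUAD = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def port_value(token: str) -> int:
    """Resolve a numeric or named port to an integer in 0..65535."""
    value = int(token) if token.isdigit() else PORT_NAMES[token.lower()]
    if not 0 <= value <= PORT_MAX:
        raise ValueError(f"port out of range: {token}")
    return value


def operator_ranges(op: str, args: List[str]) -> List[Block]:
    """Translate one L4 operator into the inclusive port interval(s) it matches."""
    if op == "eq":
        p = port_value(args[0])
        return [(p, p)]
    if op == "gt":
        p = port_value(args[0])
        return [(p + 1, PORT_MAX)] if p < PORT_MAX else []
    if op == "lt":
        p = port_value(args[0])
        return [(0, p - 1)] if p > 0 else []
    if op == "neq":  # everything except p: two intervals around the hole
        p = port_value(args[0])
        return [r for r in ((0, p - 1), (p + 1, PORT_MAX)) if r[0] <= r[1]]
    if op == "range":
        lo, hi = port_value(args[0]), port_value(args[1])
        return [(lo, hi)] if lo <= hi else []
    raise ValueError(f"unknown L4 operator: {op}")


def prefix_blocks(lo: int, hi: int) -> List[Block]:
    """Split [lo, hi] into the minimal set of power-of-two aligned blocks.

    Each block is expressible as one value/mask pair, i.e. one TCAM entry.
    Greedy from the low end: take the largest aligned block that still fits.
    """
    blocks: List[Block] = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((lo, lo + size - 1))
        lo += size
    return blocks


def expand_operator(op: str, args: List[str]) -> List[Block]:
    """All TCAM-sized blocks an L4 operator expands into."""
    return [b for lo, hi in operator_ranges(op, args) for b in prefix_blocks(lo, hi)]


def _take_address(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume 'any', 'host A', 'A/len' or 'A wildcard' starting at tokens[i]."""
    if tokens[i] == "any":
        return tokens[i], i + 1
    if tokens[i] == "host":
        return f"{tokens[i + 1]}/32", i + 2
    if i + 1 < len(tokens) and "/" not in tokens[i] and DOTTED_QUAD.fullmatch(tokens[i + 1]):
        return f"{tokens[i]} {tokens[i + 1]}", i + 2
    return tokens[i], i + 1


def _take_l4(tokens: List[str], i: int) -> Tuple[Optional[Tuple[str, List[str]]], int]:
    """Consume an optional L4 operator and its argument(s)."""
    if i < len(tokens) and tokens[i] in L4_OPERATORS:
        nargs = 2 if tokens[i] == "range" else 1
        return (tokens[i], tokens[i + 1:i + 1 + nargs]), i + 1 + nargs
    return None, i


def egress_tcam_entries(ace: str) -> List[Tuple[Optional[Block], Optional[Block]]]:
    """Return one (src_block, dst_block) pair per egress TCAM entry the ACE needs."""
    tokens = ace.split()
    i = 1 if tokens[0].isdigit() else 0      # optional sequence number
    i += 2                                   # action and protocol
    _, i = _take_address(tokens, i)
    src_l4, i = _take_l4(tokens, i)
    _, i = _take_address(tokens, i)
    dst_l4, i = _take_l4(tokens, i)
    src_blocks = expand_operator(*src_l4) if src_l4 else [None]
    dst_blocks = expand_operator(*dst_l4) if dst_l4 else [None]
    # Every combination of a source block and a destination block is one entry.
    return [(s, d) for s in src_blocks for d in dst_blocks]


if __name__ == "__main__":
    # The ACE from the TCAM dump above.
    for src, dst in egress_tcam_entries("202 permit udp 10.8.2.0/24 eq domain any gt 1023"):
        print(f"src {src} dst range {dst[0]} {dst[1]}")
```

Running the block lists the same six destination ranges as the hardware dump (1024-2047 up to 32768-65535, in ascending rather than descending order). Note how quickly the count grows: "neq 53" alone needs 16 entries, and an ACE with "gt 1023" on both source and destination needs 36.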
Workaround
Use another ACL placement: apply the policy at ingress instead, since the limitation applies only to the egress TCAM.
Modify the ACL to avoid L4 operations (for example, match specific ports with eq instead of gt/lt/range/neq), or budget the expanded entries during egress TCAM space planning.