
TCAM filter space allocation and verification in QFX devices from Junos OS 12.2X50-D20 onward

Article ID: KB28925 KB Last Updated: 05 Mar 2017Version: 3.0
Summary:

This article describes how to check the maximum number of firewall filter entries on QFX switches.

Symptoms:

How to check the total available and utilized TCAM space on a QFX platform.

Prior to Junos OS Release 12.2X50-D20, QFX3500 and QFX3600 switches and node devices supported the following maximum number of firewall filter terms:

  • 768 terms for ingress filters
  • 1024 terms for egress filters

Before that release, the maximum number of ingress entries for each access control list type was 256:

  • PACL - Ingress - 256
  • VACL - Ingress - 256
  • RACL - Ingress - 256

From Junos OS Release 12.2X50-D20 onward, a single ACL type can use more than 256 entries, up to the 768-entry total. These totals are applied in aggregate. That is, you can apply a total of 768 port filters, Layer 3 filters, and VLAN filters in the input direction and 1024 port filters, Layer 3 filters, and VLAN filters in the output direction.

These maximum values also assume that each filter has only one term. If you create filters with multiple terms (including implicit terms), the maximum number of filters is reduced accordingly.

The available space is pooled and can be used by any type of ACL. In the ingress direction, the total TCAM space is 768 entries.

The memory for filters is divided into slices that accommodate 256 filters (assuming that there is one term per filter), and all the filters in a memory slice must be of the same type and applied in the same direction. A memory slice is reserved as soon as you apply a filter.

For example, if you create a port filter and apply it in the input direction, a memory slice is reserved that will store only ingress port filters. If you create and apply only one ingress port filter, the rest of this slice is unused and is unavailable for other filter types.
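To make the slice-reservation rule concrete, here is a small model of it. This is an added example, not Juniper code, and it only encodes the figures given above: 256-entry slices, 768 ingress and 1024 egress entries, one filter type and direction per slice. Two details are assumptions of the model rather than statements from this article: the pools are treated as 768 / 256 = 3 ingress slices and 1024 / 256 = 4 egress slices, and each filter is charged one extra entry for its implicit final discard term.

```python
"""Model of the QFX TCAM slice-reservation rule described above.

Added example, not Juniper code. Assumptions (not stated in the article):
  * slice pools of 768 // 256 = 3 ingress and 1024 // 256 = 4 egress slices
  * each filter costs its explicit terms plus one entry for the implicit
    final discard term
"""
from collections import defaultdict
from math import ceil

SLICE_ENTRIES = 256
# Assumption: slice pools derived from the per-direction entry totals.
SLICE_POOL = {"input": 768 // SLICE_ENTRIES, "output": 1024 // SLICE_ENTRIES}


def filter_entries(terms, implicit_discard=True):
    """TCAM entries one filter consumes: its explicit terms plus (assumed)
    one entry for the implicit discard at the end of the filter."""
    return terms + (1 if implicit_discard else 0)


def slice_plan(filters):
    """Return the number of slices each (type, direction) group reserves.

    filters: iterable of dicts with keys 'type' (port/vlan/l3), 'direction'
    (input/output), 'terms' and optionally 'implicit_discard'.
    Filters of the same type and direction share slices; a group that uses
    even one entry still reserves a whole 256-entry slice.
    """
    entries = defaultdict(int)
    for f in filters:
        key = (f["type"], f["direction"])
        entries[key] += filter_entries(f["terms"], f.get("implicit_discard", True))
    return {key: ceil(n / SLICE_ENTRIES) for key, n in entries.items()}


def check_capacity(filters):
    """Sum reserved slices per direction and report whether they fit the pool."""
    used = defaultdict(int)
    for (_, direction), n in slice_plan(filters).items():
        used[direction] += n
    return {
        d: {"used": used[d], "max": SLICE_POOL[d], "fits": used[d] <= SLICE_POOL[d]}
        for d in SLICE_POOL
    }


if __name__ == "__main__":
    # Constructed sample: a 517-term ingress RACL (518 entries with the implicit
    # discard, matching the 518-entry iRACL shown later in this article) already
    # reserves all three ingress slices, so a one-term ingress port filter
    # cannot be accommodated even though most of the third slice is empty.
    sample = [
        {"type": "l3", "direction": "input", "terms": 517},
        {"type": "port", "direction": "input", "terms": 1},
        {"type": "vlan", "direction": "output", "terms": 10},
    ]
    print(slice_plan(sample))
    print(check_capacity(sample))
```

The point the model makes is that headroom is measured in whole slices per filter type, not in free entries: a one-term port filter and a 256-term port filter cost the same slice, and a large RACL can lock out every other ingress filter type while hundreds of its own entries remain unused.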

Solution:

Scenario: the procedure below checks TCAM utilization, using an ingress RACL (iRACL) as the example.

Use the command show filter hw groups in the PFE shell (vty) to check TCAM space in the PFE:

TFXPC0(vty)# show filter hw groups
Unit:0 Group Information:
> VFP groups:
> IFP groups:
BA classifier dynamic group id: 11. Entries: 73 Max Entries: 128 Pri: 0 Slice: 1 Def Entries: 0
iRACL group id: 14. Entries: 256 Max Entries: 256 Pri: 1 Slice: 2 Def Entries: 0 <-----Max Entries is 256
Dynamic group id: 10. Entries: 81 Max Entries: 128 Pri: 5 Slice: 2 Def Entries: 0
Dynamic HiGig group id: 15. Entries: 5 Max Entries: 128 Pri: 6 Slice: 1 Def Entries: 0
> EFP groups:
eRACL group id: 22. Entries: 13 Max Entries: 256 Pri: 2 Slice: 1 Def Entries: 1

VFP groups: VLAN Filter Processor, the pre-ingress Content Aware processor (the first stage in the Broadcom ingress pipeline). It has a maximum of 1024 entries. FIP snooping filters, for example, belong to this group.
IFP groups: Ingress Filter Processor, the main Content Aware engine, which sits after the VFP block in the ingress pipeline.
BA classifier dynamic group: The behavior aggregate (BA) classifier, which maps a class-of-service (CoS) value to a forwarding class and loss priority.
iRACL, iVACL, iPACL groups: These show the ingress RACL, VACL, and PACL entries used.
eRACL, eVACL, ePACL groups: These show the egress RACL, VACL, and PACL entries used.
Dynamic group: A general group for miscellaneous filters installed by the system, including the filters that set the CPU CoS queues for control traffic.
Dynamic HiGig group: Used for HiGig packets on a QFabric system and for FC scaling related filters on a QFabric system and a standalone TOR.

iRACL group id: 14. Entries: 256 Max Entries: 256 Pri: 1 Slice: 2 Def Entries: 0

In the output above, the iRACL group (id 14) has used 256 TCAM entries and occupies slice 2 only, which is why Max Entries is 256. Once the iRACL exceeds 256 entries, a new slice is allocated to it. When more filters are added, it starts using one more slice, as shown below:

TFXPC0(vty)# show filter hw groups
Unit:0 Group Information:
> VFP groups:
> IFP groups:
BA classifier dynamic group id: 11. Entries: 73 Max Entries: 128 Pri: 0 Slice: 1 Def Entries: 0
iRACL group id: 14. Entries: 264 Max Entries: 512 Pri: 1 Slice: 4 Def Entries: 0 <-----Max Entries is 512 after it starts using slice 4 as well, when number of entries crosses 256.
Dynamic group id: 10. Entries: 81 Max Entries: 128 Pri: 5 Slice: 2 Def Entries: 0
Dynamic HiGig group id: 15. Entries: 5 Max Entries: 128 Pri: 6 Slice: 1 Def Entries: 0
> EFP groups:
eRACL group id: 22. Entries: 13 Max Entries: 256 Pri: 2 Slice: 1 Def Entries: 1


Now it is using the slice 4 as well. The iRACL now uses two slices and Max Entries is 512. After more filters are added, it will start using one more slice.

TOR platform (1200000000Mhz XLR processor, 131MB memory, 0KB flash)

TFXPC0(vty)# show fil hw groups
Unit:0 Group Information:
> VFP groups:
> IFP groups:
BA classifier dynamic group id: 11. Entries: 73 Max Entries: 128 Pri: 0 Slice: 1 Def Entries: 0
iRACL group id: 14. Entries: 518 Max Entries: 768 Pri: 1 Slice: 6 Def Entries: 0 <-----Max Entries is 768 after it starts using slice 6 as well, when number of entries crosses 512.
Dynamic group id: 10. Entries: 81 Max Entries: 128 Pri: 5 Slice: 2 Def Entries: 0
Dynamic HiGig group id: 15. Entries: 5 Max Entries: 128 Pri: 6 Slice: 1 Def Entries: 0
> EFP groups:
eRACL group id: 22. Entries: 13 Max Entries: 256 Pri: 2 Slice: 1 Def Entries: 1



Now it is using slices 2, 4, and 6. The iRACL can grow to a maximum of 768 entries.

However, at this point all three ingress slices (768 entries) are reserved for the iRACL, so no other ingress filter type, such as a PACL or VACL, can be applied, as the documentation states: once a slice is reserved for one ACL type (here RACL), it cannot be reused by another filter type (PACL or VACL), even if most of that slice is empty. For more information, see the Junos OS 12.2 Release Notes for the QFX Series.
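The check above is easy to script once the vty output has been captured, which is useful for spotting a RACL that is about to claim another slice before it locks out the remaining ingress filter types. The following parser is an added example, not a Juniper tool; it applies the figures from this article (256-entry slices, 768 ingress and 1024 egress ACL entries) and makes two assumptions of its own: ACL groups are recognised by the names iRACL/iVACL/iPACL and eRACL/eVACL/ePACL, and a group's Max Entries divided by 256 is taken as the number of slices it has already reserved. The sample text is copied from the first and third captures shown above.

```python
"""Parser and headroom check for the PFE 'show filter hw groups' output.

Added example, not a Juniper tool. Uses the article's figures (256-entry
slices, 768 ingress / 1024 egress ACL entries). Assumptions: ACL groups are
named iRACL/iVACL/iPACL and eRACL/eVACL/ePACL, and Max Entries // 256 is the
number of slices a group has already reserved.
"""
import re

SLICE_ENTRIES = 256
ACL_SLICE_POOL = {"ingress": 768 // SLICE_ENTRIES, "egress": 1024 // SLICE_ENTRIES}

GROUP_RE = re.compile(
    r"^(?P<name>.+?) group id: (?P<gid>\d+)\. Entries: (?P<entries>\d+) "
    r"Max Entries: (?P<max>\d+) Pri: (?P<pri>\d+) Slice: (?P<slice>\d+) "
    r"Def Entries: (?P<defs>\d+)"
)
ACL_RE = re.compile(r"^([ie])(RACL|VACL|PACL)$")   # assumption: naming scheme


def parse_groups(text):
    """Return one dict per group line, tagged with its pipeline stage (VFP/IFP/EFP)."""
    stage, groups = None, []
    for raw in text.splitlines():
        line = raw.split("<---")[0].strip()        # drop inline annotations
        if line.startswith(">") and line.endswith("groups:"):
            stage = line.strip("> ").split()[0]
            continue
        m = GROUP_RE.match(line)
        if not m:
            continue
        g = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
        g["stage"] = stage
        g["utilization"] = g["entries"] / g["max"] if g["max"] else 0.0
        groups.append(g)
    return groups


def acl_headroom(groups, warn_at=0.9):
    """Slices already reserved by ACL groups per direction, plus ACL groups at
    or above warn_at utilization (their next entries claim another slice, or
    fail to install if the pool is exhausted)."""
    reserved = {"ingress": 0, "egress": 0}
    warnings = []
    for g in groups:
        m = ACL_RE.match(g["name"])
        if not m:
            continue
        direction = "ingress" if m.group(1) == "i" else "egress"
        reserved[direction] += g["max"] // SLICE_ENTRIES
        if g["utilization"] >= warn_at:
            warnings.append("%s %d/%d entries" % (g["name"], g["entries"], g["max"]))
    report = {"warnings": warnings}
    for d, pool in ACL_SLICE_POOL.items():
        report[d] = {"slices_reserved": reserved[d], "slices_free": pool - reserved[d]}
    return report


# Sample output copied from the first capture in this article.
SAMPLE_ONE_SLICE = """\
Unit:0 Group Information:
> VFP groups:
> IFP groups:
BA classifier dynamic group id: 11. Entries: 73 Max Entries: 128 Pri: 0 Slice: 1 Def Entries: 0
iRACL group id: 14. Entries: 256 Max Entries: 256 Pri: 1 Slice: 2 Def Entries: 0
Dynamic group id: 10. Entries: 81 Max Entries: 128 Pri: 5 Slice: 2 Def Entries: 0
Dynamic HiGig group id: 15. Entries: 5 Max Entries: 128 Pri: 6 Slice: 1 Def Entries: 0
> EFP groups:
eRACL group id: 22. Entries: 13 Max Entries: 256 Pri: 2 Slice: 1 Def Entries: 1
"""
# The third capture differs only in the iRACL line (518 entries, three slices).
SAMPLE_THREE_SLICES = SAMPLE_ONE_SLICE.replace(
    "Entries: 256 Max Entries: 256 Pri: 1 Slice: 2",
    "Entries: 518 Max Entries: 768 Pri: 1 Slice: 6",
)

if __name__ == "__main__":
    for label, text in (("one slice", SAMPLE_ONE_SLICE), ("three slices", SAMPLE_THREE_SLICES)):
        print(label, acl_headroom(parse_groups(text)))
```

On the first capture the script reports one ingress slice reserved and flags the iRACL at 256/256, the state just before a second slice is claimed; on the third capture it reports zero free ingress slices, which is the condition under which an ingress PACL or VACL can no longer be applied. Only the ACL groups are counted against the pool; the BA classifier, Dynamic, and HiGig groups are parsed but left out of the headroom figure.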
