This article provides information on ternary content addressable memory (TCAM) utilization by a firewall filter that is applied on the loopback interface on EX4600 and QFX5100 Series devices.
A firewall filter applied to the loopback interface consumes four times as many TCAM entries as the same filter applied to a physical interface.
A packet is determined to be host bound if any of the following conditions are met during lookup:
- Reserved multicast (always sent to the CPU)
- Known L3 Unicast packets destined to port 0 (CPU port)
- Any packets flagged by the L3 routing table as routed to the CPU
- TTL 0 packets (automatically punted to the CPU)
Each of these four cases needs its own TCAM entry, because no single match condition covers all traffic destined to the CPU.
When a firewall filter is applied to the loopback interface, each term therefore uses 4 TCAM entries, whereas the same term uses 1 TCAM entry when the filter is applied to a physical interface.
Lab Output
root# show firewall
family inet {
    filter TEST {
        term 1 {
            from {
                source-address {
                    10.10.10.1/32;
                    10.10.10.5/32;
                }
                destination-address {
                    20.20.20.1/32;
                    20.20.20.5/32;
                }
                destination-port 80;
            }
            then accept;
        }
        term 2 {
            then accept;
        }
    }
}
TCAM Calculation
Source-address = 2
Destination-address = 2
Destination-port = 1
Refer to KB30953 - [EX/QFX] How to calculate and to optimize TCAM usage in firewall filters for TCAM usage calculation.
TCAM entries for loopback interface: 2(Source-address)*2(Destination-address)*1(Destination-port)*4(loopback filter) = 16
TCAM entries for physical interface: 2(Source-address)*2(Destination-address)*1(Destination-port) = 4
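As an added worked example, which is not part of the KB article and not Juniper code, the following Python script applies the calculation above to the filter from the lab output: it parses the Junos-style family inet filter text, counts the values under each match condition of every term, multiplies them, and multiplies by 4 when the filter is bound to the loopback interface. It also parses the Term TCAM entry requirements lines of the show filter hw output so that the prediction can be reconciled with what the PFE actually programmed. The parser, function names and sample excerpts are my own; the calculator models only the product rule shown on this page (each listed value costs one entry, a term without a from clause costs one entry) and not the range and prefix-list expansions described in KB30953.

```python
"""Added example, not from the KB article: predict TCAM entries for a Junos
'family inet' firewall filter with the rule shown on the page (entries per
term = product of the value counts of its match conditions, x4 on the
loopback interface) and reconcile the prediction with 'show filter hw' output.
Assumed (mine): each listed value costs one entry, a term without 'from'
costs one entry; range/prefix-list expansion from KB30953 is not modelled."""
import re
from collections import OrderedDict

LOOPBACK_MULTIPLIER = 4  # one entry per host-bound lookup case (see article)

# Constructed input: the 'show firewall' configuration from the lab output.
SAMPLE_CONFIG = """
family inet {
    filter TEST {
        term 1 {
            from {
                source-address { 10.10.10.1/32; 10.10.10.5/32; }
                destination-address { 20.20.20.1/32; 20.20.20.5/32; }
                destination-port 80;
            }
            then accept;
        }
        term 2 { then accept; }
    }
}
"""

# Constructed input: the term-requirement lines of the loopback instance in
# 'show filter hw 1 show_term_info' from the lab output.
SAMPLE_HW_OUTPUT = """
- Term 1: needs 16 TCAM entries: Name "1"
- Term 2: needs 4 TCAM entries: Name "2"
"""


def _tokenize(text):
    return re.findall(r"\{|\}|;|[^\s{};]+", text)  # braces, ';' and words


def _parse_block(tokens, pos):
    """Nested OrderedDicts; leaf statements map to None. Returns (node, pos)."""
    node, words = OrderedDict(), []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "{":
            child, pos = _parse_block(tokens, pos + 1)
            node[" ".join(words)] = child
            words = []
        elif tok == ";":
            node[" ".join(words)] = None
            words, pos = [], pos + 1
        elif tok == "}":
            return node, pos + 1
        else:
            words.append(tok)
            pos += 1
    return node, pos


def parse_config(text):
    return _parse_block(_tokenize(text), 0)[0]


def match_value_counts(term):
    """{match condition: number of values} for the term's 'from' clause."""
    counts = OrderedDict()
    for key, child in (term.get("from") or {}).items():
        if child is None:  # 'destination-port 80' or 'destination-port [ 80 443 ]'
            words = [w for w in key.split() if w not in ("[", "]")]
            counts[words[0]] = max(len(words) - 1, 1)
        else:              # 'source-address { a; b; }'
            counts[key] = len(child)
    return counts


def term_entries(term, loopback):
    entries = 1
    for n in match_value_counts(term).values():
        entries *= n
    return entries * (LOOPBACK_MULTIPLIER if loopback else 1)


def filter_entries(config_text, filter_name, loopback):
    """(total entries, {term name: entries}) for one filter."""
    filt = parse_config(config_text)["family inet"]["filter " + filter_name]
    per_term = OrderedDict()
    for key, node in filt.items():
        if key.startswith("term "):
            per_term[key.split(" ", 1)[1]] = term_entries(node, loopback)
    return sum(per_term.values()), per_term


def parse_hw_term_requirements(vty_text):
    """{term name: entries} from the 'Term N: needs X TCAM entries' lines."""
    pat = re.compile(r'needs (\d+) TCAM entr(?:y|ies)\s*: Name "([^"]+)"')
    return OrderedDict((name, int(n)) for n, name in pat.findall(vty_text))


def check_against_hardware(config_text, filter_name, loopback, vty_text):
    """True when predicted per-term counts equal what the PFE reported."""
    _, predicted = filter_entries(config_text, filter_name, loopback)
    return dict(predicted) == dict(parse_hw_term_requirements(vty_text))
```

Calling filter_entries(SAMPLE_CONFIG, "TEST", True) returns 20 entries split 16 and 4 across the two terms, which is what hardware instance 1 (the loopback bind point) reports below; calling it with loopback False returns 5 entries split 4 and 1, matching hardware instance 2 (the physical interface). check_against_hardware does that comparison automatically, which is a quick way to confirm that a filter's TCAM cost in the PFE is the expected one before adding more terms to a box that is close to its TCAM limit.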
TFXPC0( vty)# show filter
Program Filters:
---------------
Index Dir Cnt Text Bss Name
-------- ------ ------ ------ ------ --------
Term Filters:
------------
Index Semantic Name
-------- ----------------
1 Classic TEST
17000 Classic __default_arp_policer__
57006 Classic __jdhcpd__
57007 Classic __dhcpv6__
65008 Classic __jdhcpd_l2_snoop_filter__
92274688 Classic __jdhcpd_l2_dai_filter__
125829120 Classic __jdhcpd_security_dhcpv6_l2_snoop_filter__
130023424 Classic __jdhcpd_security_icmpv6_l2_snoop_filter__
142606336 Classic __jdhcpd_l3_tag__
142606337 Classic __dhcpv6_l3_tag__
Resolve Filters:
---------------
Index
--------
TFXPC0( vty)# show filter hw 1 show_term_info
======================
Filter index : 1
======================
- Filter name : TEST
+ Hardware Instance : 1
+ Hardware key (struct brcm_dfw_hw_key_t):
- Type : IRACL
- Vlan id : 0
- Direction : ingress
- Protocol : 2 (IPv4)
- Port class id : 0
- Class id : 0
- Loopback : 1
- Port : 0(xe-1)
- Vlan tag : 0
- Non-overflow : 1
+ FP usage info (struct brcm_dfw_fp_t):
- Group : IFP iRACL group (33)
- My Mac : 00:00:00:00:00:00
- Loopback Reference Count : 00000001
- IFL Type : unknown (0)
+ List of tcam entries : [ total: 20; ]
- Pipe: 0; [259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 ]
+ List of ranges : [ total: 0; ]
- Pipe: 0 []
+ List of interface match entries : [ total: 0; ]
- Pipe: 0 []
+ List of dot1q-tag match entries : [ total: 0; ]
- Pipe: 0 []
- List of l3 ifl index entries : [ total: 0; ]
+ List of vfp tcam entries : [ total: 0; ]
- Pipe: 0 []
+ Misc info (struct brcm_dfw_misc_info_t):
- List of <anlz_id, entry_id> : [ total: 0; ]
+ Bind point info (union brcm_dfw_bind_point_info_t):
+ Loopback : CPU Traffic
+ Programmed: YES
+ BD ID : 228
+ Total TCAM entries available: 1511
+ Total TCAM entries needed : 20
+ Term Expansion:
- Term 1: will expand to 4 terms: Name "1"
- Term 2: will expand to 1 term : Name "2"
+ Term TCAM entry requirements:
- Term 1: needs 16 TCAM entries: Name "1" < ------------ loopback interface
- Term 2: needs 4 TCAM entries: Name "2"
+ Total TCAM entries available: 1511
+ Total TCAM entries needed : 20
+ Hardware Instance : 2
+ Hardware key (struct brcm_dfw_hw_key_t):
- Type : IRACL
- Vlan id : 0
- Direction : ingress
- Protocol : 2 (IPv4)
- Port class id : 0
- Class id : 4095
- Loopback : 0
- Port : 0(xe-1)
- Vlan tag : 0
- Non-overflow : 0
+ FP usage info (struct brcm_dfw_fp_t):
- Group : IFP iRACL group (33)
- My Mac : 00:00:00:00:00:00
- Loopback Reference Count : 00000000
- IFL Type : unknown (0)
+ List of tcam entries : [ total: 5; ]
- Pipe: 0; [254 255 256 257 258 ]
+ List of ranges : [ total: 0; ]
- Pipe: 0 []
+ List of interface match entries : [ total: 0; ]
- Pipe: 0 []
+ List of dot1q-tag match entries : [ total: 0; ]
- Pipe: 0 []
- List of l3 ifl index entries : [ total: 1; 555 (4095) ]
+ List of vfp tcam entries : [ total: 0; ]
- Pipe: 0 []
+ Misc info (struct brcm_dfw_misc_info_t):
- List of <anlz_id, entry_id> : [ total: 0; ]
+ Bind point info (union brcm_dfw_bind_point_info_t):
+ Overflow Vlan : 4095
+ Programmed: YES
+ BD ID : 227
+ Total TCAM entries available: 1511
+ Total TCAM entries needed : 5
+ Term Expansion:
- Term 1: will expand to 4 terms: Name "1"
- Term 2: will expand to 1 term : Name "2"
+ Term TCAM entry requirements:
- Term 1: needs 4 TCAM entries: Name "1" < ------------ Physical interface
- Term 2: needs 1 TCAM entry : Name "2"
+ Total TCAM entries available: 1511
+ Total TCAM entries needed : 5
Total hardware instances: 2
2020-05-29: Article reviewed for accuracy; no changes made; article still valid.