All, I'm running an ASR1004 as a centralised CGNAT router. I've got various pools defined for different customers, and use a NAT route-map to stop private IPs being NAT'd when trying to reach our internal services (where we'd want to see the private IPs still). Typical config per customer is:
  ip nat pool cust1-pool-1 xxx.yyy.153.64 xxx.yyy.153.95 prefix-length 27
  ip nat inside source route-map cust1-nat pool cust1-pool-1 overload
  !
  ip access-list extended on-net
   permit ip any aaa.xxx.128.0 0.0.15.255
   permit ip any bbb.yyy.128.0 0.0.31.255
   permit ip any ccc.zzz.128.0 0.0.127.255
  !
  ip access-list extended cust1
   permit ip 100.65.162.0 0.0.0.255 any
   permit ip 100.65.160.0 0.0.1.255 any
  !
  route-map cust1-nat deny 10
   match ip address on-net
  route-map cust1-nat permit 20
   match ip address cust1

After adding another set of this config, I've hit this log message:

  *Mar 22 06:37:54.476 UTC: %CPP_FM-3-CPP_FM_TCAM_ERROR: F0: cpp_sp: TCAM limit exceeded: Class group nat-cg:1001 could not be successfully attached. Please remove the class group from the interface.

On this page
http://www.cisco.com/en/US/docs/routers/asr1000/release/notes/asr1k_caveats_38s.html
it says:

- CSCtz71208

  Symptom: On a Cisco ASR1000 series router, once the error, CPP_FM-3-CPP_FM_TCAM_ERROR is seen, the only way to recover TCAM is to reload the ASR. Removing the config leading to the TCAM exhaustion is not enough.

  Conditions: This is seen after something leads to the TCAM being exhausted. This bug only relates to the recovery from the exhaustion, not the exhaustion itself. For that, please see bug: CSCtz33305 Deny Statements could exhaust the TCAM entries.

  Workaround: Reload the device.

Looks like this is what I'm hitting, but does anyone know more about this bug? I can't seem to see CSCtz33305, but it'd be good to know if there's any workaround to avoid hitting this issue...

Many thanks,
Simon

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
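The caveat text quoted above points at deny statements as the thing that eats TCAM, and the per-customer layout in the post puts an "on-net" ACL behind a route-map deny clause in every customer's NAT route-map. The following script is an added example, not code from Simon's post or from Cisco: it parses an IOS-style running-config text, follows each "ip nat inside source route-map" statement to its route-map clauses and the ACLs they match, and reports how many ACEs sit behind deny clauses versus permit clauses, so that the next customer block can be checked before it is pasted in. The sample config is constructed to mirror the post's layout with placeholder addresses (an assumption; the original's masked octets are not known), and the ACE counts are a rough proxy for classification entries only, not the ASR1000's actual TCAM accounting, which nothing in this thread documents.

```python
"""Audit IOS/IOS-XE NAT route-maps for deny clauses and the ACEs behind them.

Added example, not from the original post or from Cisco. ACE counts are a
rough proxy for classifier entries, not the platform's real TCAM accounting.
"""
import re
from collections import defaultdict

# Constructed sample mirroring the poster's per-customer layout.
# Addresses are placeholders (assumption), not the poster's masked ones.
SAMPLE_CONFIG = """\
ip nat pool cust1-pool-1 192.0.2.64 192.0.2.95 prefix-length 27
ip nat inside source route-map cust1-nat pool cust1-pool-1 overload
!
ip access-list extended on-net
 permit ip any 10.10.128.0 0.0.15.255
 permit ip any 10.20.128.0 0.0.31.255
 permit ip any 10.30.128.0 0.0.127.255
!
ip access-list extended cust1
 permit ip 100.65.162.0 0.0.0.255 any
 permit ip 100.65.160.0 0.0.1.255 any
!
route-map cust1-nat deny 10
 match ip address on-net
route-map cust1-nat permit 20
 match ip address cust1
!
"""

ACL_RE = re.compile(r"^ip access-list (?:extended|standard) (\S+)\s*$")
RMAP_RE = re.compile(r"^route-map (\S+) (permit|deny) (\d+)\s*$")
NAT_RE = re.compile(r"^ip nat inside source route-map (\S+) ")
MATCH_RE = re.compile(r"^ match ip address (.+?)\s*$")
ACE_RE = re.compile(r"^ (permit|deny) ")


def parse_acls(config):
    """Return {acl_name: [(action, ace_text), ...]} for named ACLs."""
    acls, current = {}, None
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        if current and ACE_RE.match(line):
            acls[current].append((line.split()[0], line.strip()))
        elif not line.startswith(" "):
            current = None  # left the ACL's sub-command block


    return acls


def parse_route_maps(config):
    """Return {rmap_name: [(seq, action, [acl, ...]), ...]} in config order."""
    rmaps, clause = defaultdict(list), None
    for line in config.splitlines():
        m = RMAP_RE.match(line)
        if m:
            name, action, seq = m.groups()
            clause = [int(seq), action, []]
            rmaps[name].append(clause)
            continue
        m = MATCH_RE.match(line)
        if m and clause is not None:
            tokens = m.group(1).split()
            if tokens and tokens[0] != "prefix-list":  # ACL names only
                clause[2].extend(tokens)
        elif not line.startswith(" "):
            clause = None
    return {k: [tuple(c) for c in v] for k, v in rmaps.items()}


def nat_route_maps(config):
    """Names of route-maps referenced by 'ip nat inside source route-map'."""
    return [m.group(1) for m in map(NAT_RE.match, config.splitlines()) if m]


def audit(config):
    """Per NAT route-map: clause counts and ACEs behind deny vs permit clauses."""
    acls, rmaps = parse_acls(config), parse_route_maps(config)
    report = {}
    for name in nat_route_maps(config):
        stats = {"deny_clauses": 0, "permit_clauses": 0,
                 "deny_aces": 0, "permit_aces": 0, "missing_acls": []}
        for _seq, action, acl_names in rmaps.get(name, []):
            stats[f"{action}_clauses"] += 1
            for acl in acl_names:
                if acl not in acls:
                    stats["missing_acls"].append(acl)  # typo or not yet defined
                    continue
                stats[f"{action}_aces"] += len(acls[acl])
        report[name] = stats
    return report


if __name__ == "__main__":
    for rmap, s in audit(SAMPLE_CONFIG).items():
        flag = "  <- deny clause(s) present" if s["deny_clauses"] else ""
        print(f"{rmap}: {s}{flag}")
```

Feed it the output of "show running-config" (or the staged config for the next customer) and look at the deny_aces column per route-map; a route-map that matches a shared ACL from a deny clause shows that ACL's entries counted again for every customer that references it, which is the pattern the caveat title singles out. The script does not decide whether a given total will fit, since the thread gives no figure for the limit.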