We had an interesting issue arise on Friday and I'm still wrestling with
it. The short story is that we have a 7600 with a lot of ACLs on it, some
of which are very long and most ACEs are port specific. This uses up a lot
of ACL TCAM LOUs, or logical objects. I didn't discover that until later,
though.

An ACL was updated on this 7600. Four lines were added. That ACL is applied
to a single interface. It appears that after those lines were added,
traffic that is NOT traversing that interface was affected. The symptoms
were intermittent connectivity in some cases. When we removed the ACL, the
traffic in question apparently began functioning. When we added the ACL
back to the interface, the traffic began to break again. Remember, this ACL
is NOT in the transit path for the traffic in question.

My first thought was TCAM. I checked "show platform hardware capacity acl"
and saw that LOUdst was at 100% with the ACL applied, but it was at 81%
with the ACL removed.

I've heard that if TCAM is overloaded, some ACLs will be processed by the
CPU, which clearly could cause problems. However, I did not see any rise in
CPU usage during this period.

Also, if we just remove the four new lines that were added, the LOUdst
value is still at 100%. I remain unconvinced that this was actually the
root cause for the issue.

Do any of you have any experience with this? What would be the expected
outcome of running out of LOU space in the ACL TCAM?

Thanks,
John
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
