[j-nsp] EX switches and TCAM utilisation

2011-05-18 Thread William J Hulley
Hi,

I'm using some EX3200s running 10.0S6.1 and developing a configuration using filter based forwarding to policy route traffic between routing instances.

It's all working fine in the lab but I'm concerned about the potential growth of the firewall policy and utilisation of the TCAM in production and would obviously like to model the usage and monitor it.

Are there any known supported/un-supported ways of getting useful stats out of 
the box beyond just relying on syslog messages saying there isn't enough cam?

Regards,

Bill.


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] EX switches and TCAM utilisation

2011-05-18 Thread Richard A Steenbergen
On Wed, May 18, 2011 at 05:10:54PM +0100, William J Hulley wrote:
> Hi,
> 
> I'm using some EX3200s running 10.0S6.1 and developing a configuration 
> using filter based forwarding to policy route traffic between routing 
> instances.
> 
> It's all working fine in the lab but I'm concerned about the potential 
> growth of the firewall policy and utilisation of the TCAM in 
> production and would obviously like to model the usage and monitor it.
> 
> Are there any known supported/un-supported ways of getting useful 
> stats out of the box beyond just relying on syslog messages saying 
> there isn't enough cam?

Drop into the fpc shell from root, like so:

RE:0% vty fpc0

BSD platform (MPC 8544 processor, 48MB memory, 0KB flash)

PFEM0(vty)# 


Next you need to find the vendor ID for the platform, like so:

PFEM0(vty)# show tcam vendor
Vendor = internal_ch3_tcam Vendor_id = 1

For EX8200 it's vendor id 6, for EX3200 it seems to be vendor id 1.

Then you need to find the instance ID for the hardware you're looking 
for. On EX8200 I know instance 2 is used for GE cards, instance 4 is 
used for XE cards. On EX3200 there only seems to be instance 2 (as 
you'd expect):

PFEM0(vty)# show tcam vendor 1 instances

 Vendor             Instance  Page Size

 internal_ch3_tcam  2         4


So then to view the usage info for this vendor/instance:

PFEM0(vty)# show tcam vendor 1 instance 2 rules
Number of rules as Ingress PACL: 0
Number of rules as Ingress VACL: 0
Number of rules as Ingress RACL: 528
Number of rules as   Egress PCL: 135

528 Ingress RACL rules

HW-index  Page_id  Entry_id  rule_size  fw_id  Rule

6296      1574     0         2          27     AUTOFW-INVALID-PROTOCOLS.ext.0
6298      1574     2         2          27     AUTOFW-INVALID-PROTOCOLS.ext.1
6496      1624     0         2          27     AUTOFW-BORDER-FILTERED-PROTOCOLS.ext.0
6498      1624     2         2          27     AUTOFW-BORDER-FILTERED-PROTOCOLS.ext.1
6708      1677     0         2          27     AUTOFW-BORDER-LIMIT-IP-OPTIONS.ext.0
6710      1677     2         2          27     AUTOFW-BORDER-LIMIT-IP-OPTIONS.ext.1
6960      1740     0         2          27     AUTOFW-LIMIT-ICMP-ECHO.ext.0
...

TCAM utilization: 1326(used), 12938(free), 14264(total)

And there is your total tcam utilization above. Depending on code and 
platform it may show you a slightly different view, for example here is 
the utilization on an EX8200 running older 10.1 code:

PFEM15(vty)# show tcam vendor 6 instance 4 rules
Instance 4
  DB 0  Ingr PACL:     0/     996 (current/max) rules. Util. 0.000%
  DB 1  Ingr VACL:     0/   12288 (current/max) rules. Util. 0.000%
  DB 2  Ingr RACL:   410/   32768 (current/max) rules. Util. 1.251%
  DB 3   Egr PACL:     0/    1024 (current/max) rules. Util. 0.000%
  DB 4   Egr PCL1:   103/    8188 (current/max) rules. Util. 1.258%

But you get the gist. :)

-- 
Richard A Steenbergen r...@e-gerbil.net   http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


Re: [j-nsp] EX switches and TCAM utilisation

2011-05-18 Thread Charlie Allom
On Wed, May 18, 2011 at 12:42:22PM -0500, Richard A Steenbergen r...@e-gerbil.net wrote:
> On Wed, May 18, 2011 at 05:10:54PM +0100, William J Hulley wrote:
>> Hi,
>> 
>> I'm using some EX3200s running 10.0S6.1 and developing a configuration 
>> using filter based forwarding to policy route traffic between routing 
>> instances.
>> 
>> It's all working fine in the lab but I'm concerned about the potential 
>> growth of the firewall policy and utilisation of the TCAM in 
>> production and would obviously like to model the usage and monitor it.
>> 
>> Are there any known supported/un-supported ways of getting useful 
>> stats out of the box beyond just relying on syslog messages saying 
>> there isn't enough cam?
> 
> Drop into the fpc shell from root, like so:
> 
> RE:0% vty fpc0


Wow Richard,

that is amazing info.

What version of JunOS was that from? On 10.0S I sadly only get these columns:

Number of rules as   Egress PCL: 59335

59335   Egress PCL rules


Page_id  Entry_id  Instance  fw_id       Rule                        Rule-Index
--------------------------------------------------------------------------------
32       0         2         3735928559  ospf-neighbours.8.ext.0     64
32       2         2         3735928559  ospf-neighbours.8.ext.1     65
33       0         2         3735928559  ospf-neighbours.8.ext.2     66
...
1687     2         2         3735928559  puppet_dashboard.44.ext.8   3375
1691     0         2         3735928559  deny-all.44.ext.0           3382

So it's hard to tell when the tcam is full.

  C.
-- 
 +442077294797
 http://mediaserviceprovider.com/
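Bill asked how to model and monitor TCAM usage, Richard's reply showed two output formats of `show tcam vendor N instance M rules` (a single "TCAM utilization" total on the EX3200, per-database current/max lines on the EX8200), and Charlie's 10.0S box only prints the rule listing. The Python below is an added example written for this thread; it is not code from any of the posters or from Juniper. It parses pasted output from the posts into numbers that can be graphed or alerted on, and counts listed rules per filter so growth can be attributed to a policy. It assumes only the output formats shown in the thread; the sample strings are copied from the posts with listing rows joined onto one line, and the 80% warning threshold and the stripping of the numeric component in names like `ospf-neighbours.8.ext.0` are the example's own assumptions.

```python
"""Turn pasted Junos EX PFE 'show tcam vendor N instance M rules' output into
numbers for graphing and alerting. Hypothetical helper written for this
thread; it parses text and never connects to the switch itself."""
import re
from collections import Counter

# Summary line printed by the EX3200 (10.0 code) in Richard's post.
TOTAL_RE = re.compile(
    r"TCAM utilization:\s*(\d+)\(used\),\s*(\d+)\(free\),\s*(\d+)\(total\)")
# Per-database lines printed by the EX8200 (older 10.1 code) in Richard's post.
DB_RE = re.compile(
    r"DB\s+\d+\s+(.+?):\s*(\d+)\s*/\s*(\d+)\s*\(current/max\)")
# A rule-listing row carries a token such as AUTOFW-LIMIT-ICMP-ECHO.ext.0 or
# ospf-neighbours.8.ext.0; the text before ".ext.<n>" identifies the filter.
RULE_RE = re.compile(r"(\S+)\.ext\.\d+")

# Sample input copied from the posts in the thread (listing rows joined onto one line).
EX3200_OUTPUT = """\
Number of rules as Ingress RACL: 528
Number of rules as   Egress PCL: 135
6296  1574  0  2  27  AUTOFW-INVALID-PROTOCOLS.ext.0
6298  1574  2  2  27  AUTOFW-INVALID-PROTOCOLS.ext.1
6496  1624  0  2  27  AUTOFW-BORDER-FILTERED-PROTOCOLS.ext.0
6498  1624  2  2  27  AUTOFW-BORDER-FILTERED-PROTOCOLS.ext.1
6960  1740  0  2  27  AUTOFW-LIMIT-ICMP-ECHO.ext.0
TCAM utilization: 1326(used), 12938(free), 14264(total)
"""
EX8200_OUTPUT = """\
Instance 4
  DB 0  Ingr PACL:     0/     996 (current/max) rules. Util. 0.000%
  DB 2  Ingr RACL:   410/   32768 (current/max) rules. Util. 1.251%
  DB 4   Egr PCL1:   103/    8188 (current/max) rules. Util. 1.258%
"""
OLD_LISTING = """\
32    0  2  3735928559  ospf-neighbours.8.ext.0    64
32    2  2  3735928559  ospf-neighbours.8.ext.1    65
33    0  2  3735928559  ospf-neighbours.8.ext.2    66
1687  2  2  3735928559  puppet_dashboard.44.ext.8  3375
1691  0  2  3735928559  deny-all.44.ext.0          3382
"""


def parse_tcam_summary(text):
    """Return {database: (used, max)} for every capacity figure in the output.
    The single 'TCAM utilization' total is stored under the key 'total'."""
    usage = {}
    m = TOTAL_RE.search(text)
    if m:
        used, _free, total = (int(g) for g in m.groups())
        usage["total"] = (used, total)
    for m in DB_RE.finditer(text):
        usage[m.group(1).strip()] = (int(m.group(2)), int(m.group(3)))
    return usage


def utilisation_pct(used, maximum):
    """Percentage of a TCAM database in use; 0.0 for an empty or absent database."""
    return 100.0 * used / maximum if maximum else 0.0


def over_threshold(usage, warn_pct=80.0):
    """Databases at or above warn_pct as (name, pct) pairs, fullest first.
    The 80% default is this example's assumption, not a platform limit."""
    hot = [(name, utilisation_pct(u, m)) for name, (u, m) in usage.items()
           if utilisation_pct(u, m) >= warn_pct]
    return sorted(hot, key=lambda item: item[1], reverse=True)


def rules_per_filter(listing):
    """Count listed TCAM rules per filter so growth can be attributed to a policy.
    Assumption: the numeric component in names like ospf-neighbours.8.ext.0 is an
    instance/term number, so it is stripped before counting."""
    counts = Counter()
    for line in listing.splitlines():
        m = RULE_RE.search(line)
        if m:
            counts[re.sub(r"\.\d+$", "", m.group(1))] += 1
    return dict(counts)


if __name__ == "__main__":
    for label, text in (("EX3200", EX3200_OUTPUT), ("EX8200", EX8200_OUTPUT)):
        for name, (used, maximum) in parse_tcam_summary(text).items():
            print(f"{label} {name:10s} {used:6d}/{maximum:6d}"
                  f"  {utilisation_pct(used, maximum):6.2f}%")
    print("over 80%:", over_threshold(parse_tcam_summary(EX3200_OUTPUT)))
    print("rules per filter:", rules_per_filter(OLD_LISTING))
```

Feed it the text captured from the vty session (for example via a cron job that logs the command output), and graph the per-database percentages over time; the rule-per-filter counts make it possible to see which filter is consuming entries as the policy grows rather than waiting for the "not enough cam" syslog.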