
F105504 Policy CAM entries usage.

Ibrahim010
Level 1

Hi Folks,

We have four leafs in our environment that are running close to 90% TCAM utilization. I am kinda lost on what is causing this and how to troubleshoot it. The only difference that I can see, from the capacity dashboard, when comparing these leafs with the other leafs, is that these leafs have a lot more virtual machines/hypervisors connected to them. But does that fully explain the issue? Please see picture attached.

I was wondering if you guys could help me out troubleshooting this issue.

Thanks.

(attachment: 1.png)

3 Replies

Robert Burns
Cisco Employee

Looks like your Policies (Contracts) are consuming most of the TCAM.  There may be ways you can optimize your security policies - vzAny, Preferred Groups etc.  Can you explain what your contract design looks like?

Also, what is your Leaf Forward Scale Profile configured as?
Operations > Capacity Dashboard > Leaf Capacity > Configure Profile (below the Leaf in question)

The "High Policy" profile would maximize TCAM space for security policies.  Keep in mind you need to reboot a switch to apply a different tile profile.  Should be done during a maintenance window.

Robert

Hi Robert,

The Forward Scale Profile is set to 'Dual Stack'. Most of our contracts are built very specific, so SRC > DST > Port. We don't work with preferred groups, have some vzAny policies in place though.

Can you please explain to me why these four leafs are being affected by the number of contracts while the rest of the leaf fabric isn't? I know that policies are pushed to leafs on a use basis, so does this mean that these four leafs have a lot of EPGs configured on them or perhaps a lot of contracts within specific EPGs? Is there a way for me to find out which ones?

Thanks a lot!

Robert Burns
Cisco Employee

Filter rules are pushed where they are required, so this could vary depending on where EPGs are deployed (on which Leafs).  You can use the Capacity Dashboard to see the levels of Policy CAM on a per-switch basis.  Note that different models of switch may have different supported scale.  So there are fabric-level scale limitations, as well as platform (Leaf) specific scalability that comes into play.  That's the purpose of the Capacity Dashboard - to help you monitor/manage this.

Robert
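One way to answer the question raised in the exchange above (which contracts and EPGs on a given leaf are driving its Policy CAM usage), as an added example that is not part of the original thread and not Cisco's own tooling: a Python script that parses the table printed by `show zoning-rule` on an ACI leaf and ranks the rules by contract name, VRF scope and EPG pcTag. This is the per-leaf view behind Robert's point that filter rules land only where both EPGs of a contract are deployed, and it makes the cost of a SRC > DST > Port contract design visible as a count of fully qualified rules. The `SAMPLE_ZONING_RULES` text embedded below is constructed for illustration: its pcTags, VRF scope VNIDs, filter IDs, contract names and priority labels are hypothetical.

```python
"""Rank the contracts, VRFs and EPGs behind the zoning-rule count on one ACI leaf.

Added example, not code from the thread or from Cisco. It parses the
pipe-delimited table that `show zoning-rule` prints on a leaf and aggregates the
rows so the heaviest contracts and pcTags on that switch stand out.

SAMPLE_ZONING_RULES is constructed: pcTags, VRF scope VNIDs, filter IDs,
contract names and priority labels are hypothetical.
"""
from collections import Counter

SAMPLE_ZONING_RULES = """\
+---------+--------+--------+----------+----------------+---------+---------+------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |       Name       |  Action  |       Priority       |
+---------+--------+--------+----------+----------------+---------+---------+------------------+----------+----------------------+
|   4100  |   0    |   0    | implicit |    uni-dir     | enabled | 2654208 |                  | deny,log |   any_any_any(21)    |
|   4101  |   0    |   0    | implarp  |    uni-dir     | enabled | 2654208 |                  |  permit  |  any_any_filter(17)  |
|   4102  |   0    |   15   | implicit |    uni-dir     | enabled | 2654208 |                  | deny,log | any_vrf_any_deny(22) |
|   4103  |   0    |   16   | implicit |    uni-dir     | enabled | 2654208 |                  |  permit  |   any_dest_any(16)   |
|   4104  | 16387  | 32771  |    5     |     bi-dir     | enabled | 2654208 |   prod:web-db    |  permit  |    fully_qual(7)     |
|   4105  | 32771  | 16387  |    6     | uni-dir-ignore | enabled | 2654208 |   prod:web-db    |  permit  |    fully_qual(7)     |
|   4106  | 16387  | 32772  |    5     |     bi-dir     | enabled | 2654208 |   prod:web-db    |  permit  |    fully_qual(7)     |
|   4107  | 32772  | 16387  |    6     | uni-dir-ignore | enabled | 2654208 |   prod:web-db    |  permit  |    fully_qual(7)     |
|   4108  | 16387  | 32773  |    5     |     bi-dir     | enabled | 2654208 |   prod:web-db    |  permit  |    fully_qual(7)     |
|   4109  | 32773  | 16387  |    6     | uni-dir-ignore | enabled | 2654208 |   prod:web-db    |  permit  |    fully_qual(7)     |
|   4110  | 16388  | 32771  |    7     |     bi-dir     | enabled | 2654208 |   prod:app-db    |  permit  |    fully_qual(7)     |
|   4111  | 32771  | 16388  |    8     | uni-dir-ignore | enabled | 2654208 |   prod:app-db    |  permit  |    fully_qual(7)     |
|   4112  |   0    | 49153  |    9     |    uni-dir     | enabled | 2785280 | shared:vzany-ntp |  permit  |  any_src_filter(14)  |
|   4113  |   0    | 49154  |    9     |    uni-dir     | enabled | 2785280 | shared:vzany-ntp |  permit  |  any_src_filter(14)  |
+---------+--------+--------+----------+----------------+---------+---------+------------------+----------+----------------------+
"""

COLUMNS = ("Rule ID", "SrcEPG", "DstEPG", "FilterID", "Dir",
           "operSt", "Scope", "Name", "Action", "Priority")
ANY_PCTAG = "0"          # pcTag 0 matches any EPG: vzAny and the implicit rules use it
IMPLICIT = "<implicit>"  # label for rules that carry no contract name


def parse_zoning_rules(text):
    """Return one dict per table row, keyed by the column names in COLUMNS."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue                       # '+----' separators, banners, blank lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] == "Rule ID" or len(cells) != len(COLUMNS):
            continue                       # header row, or not a rule row at all
        rules.append(dict(zip(COLUMNS, cells)))
    return rules


def summarize(rules):
    """Aggregate rules by VRF scope, contract, EPG pair and individual pcTag."""
    per_scope = Counter(r["Scope"] for r in rules)
    per_contract = Counter(r["Name"] or IMPLICIT for r in rules)
    per_pair = Counter((r["Scope"], r["SrcEPG"], r["DstEPG"]) for r in rules)
    # Count each EPG once per contract rule it takes part in, as source or
    # destination. Implicit (unnamed) rules are skipped, and so is pcTag 0,
    # because neither points at a specific EPG an admin could re-design.
    per_epg = Counter()
    for r in rules:
        if not r["Name"]:
            continue
        for tag in {r["SrcEPG"], r["DstEPG"]} - {ANY_PCTAG}:
            per_epg[tag] += 1
    # fully_qual rules carry a specific source, destination and filter. A
    # SRC > DST > Port contract design generates them, and they grow with
    # (source EPGs x destination EPGs x filter entries) on every leaf where both
    # EPGs are deployed. vzAny rules keep pcTag 0 on one side and do not multiply.
    fully_qualified = sum(1 for r in rules if r["Priority"].startswith("fully_qual"))
    return {"total": len(rules), "fully_qualified": fully_qualified,
            "per_scope": per_scope, "per_contract": per_contract,
            "per_pair": per_pair, "per_epg": per_epg}


def top_contracts(rules, n=5):
    """Contracts with the most rules on this leaf; implicit (unnamed) rules are skipped."""
    named = Counter(r["Name"] for r in rules if r["Name"])
    return named.most_common(n)


def report(text):
    """Human-readable summary of one leaf's `show zoning-rule` output."""
    rules = parse_zoning_rules(text)
    s = summarize(rules)
    fmt = lambda pairs: ", ".join(f"{k}={v}" for k, v in pairs)
    return "\n".join([
        f"{s['total']} zoning rules, {s['fully_qualified']} fully qualified (src/dst/filter)",
        "rules per VRF scope: " + fmt(s["per_scope"].most_common()),
        "top contracts: " + fmt(top_contracts(rules)),
        "busiest EPG pcTags: " + fmt(s["per_epg"].most_common(5)),
    ])


if __name__ == "__main__":
    print(report(SAMPLE_ZONING_RULES))
```

To use it against a real switch, SSH to the leaf, capture the output of `show zoning-rule` (optionally `show zoning-rule scope <VNID>` for one VRF), and pass that text to `report()`. Two caveats when reading the numbers: the rule count is a proxy for Policy CAM usage, not the TCAM entry count, because a filter entry with port ranges can expand into several hardware entries, and a contract applied in both directions with "reverse filter ports" produces two rules per EPG pair (the `bi-dir` / `uni-dir-ignore` rows above); the Capacity Dashboard figures Robert points to are the authoritative hardware numbers. The pcTags that dominate `per_epg` are the EPGs whose placement on this leaf (the hypervisors Ibrahim mentions) pulls in the most rules, and the contracts at the top of `top_contracts` are the first candidates for vzAny or Preferred Group treatment.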
