ex4300 TCAM entries not being installed

    Posted 03-30-2023 07:22

    I have a pair of ex4300s that don't appear to be installing entries sourced from the TCAM table... at least, I don't think so based on outputs.  I came upon this wondering why our loopback firewall filter wasn't working.  

    ======================
    Filter index   : 1
    ======================
    
    - Filter name  : loopback
    
    + Hardware Instance : 1
      + Hardware key (struct pfe_bcm_dfw_hw_key_t):
        - Type          : IRACL_LO
        - Vlan id       : 0
        - Direction     : ingress
        - Protocol      : 2 (IPv4)
        - Port class id : 0
        - Class id      : 0
        - Loopback      : 1
        - Vlan tag      : 0
      + FP usage info (struct pfe_bcm_dfw_fp_t):
        - Group                           : IFP iRACLv6 + Lo0 group (7)
        - List of tcam entries            : [ total: 0; ]
        - List of ranges                  : [ total: 0; ]
      + Misc info (struct pfe_bcm_dfw_misc_info_t):
      + Bind point info (union pfe_bcm_dfw_bind_point_info_t):
        - No grouping possible
      + AE intf match list:
      + Programmed: NO
      + Total TCAM entries available: 1792
      + Total Filter terms  : 114
      + Term Expansion:
        - Term    1: will expand to     9 terms: Name "permit-ntp"
        - Term    2: will expand to     1 term : Name "discard-ntp"
        - Term    3: will expand to    21 terms: Name "permit-ssh"
        - Term    4: will expand to     1 term : Name "discard-ssh"
        - Term    5: will expand to    21 terms: Name "permit-netconf"
        - Term    6: will expand to     1 term : Name "discard-netconf"
        - Term    7: will expand to    13 terms: Name "permit-snmp"
        - Term    8: will expand to     1 term : Name "discard-snmp"
        - Term    9: will expand to     4 terms: Name "allow-dhcp"
        - Term   10: will expand to    39 terms: Name "allow-udp-source"
        - Term   11: will expand to     1 term : Name "discard-udp"
        - Term   12: will expand to     1 term : Name "discard-telnet"
        - Term   13: will expand to     1 term : Name "accept"
      + Term TCAM entry requirements:
        - Term    1: needs    27 TCAM entries: Name "permit-ntp"
        - Term    2: needs     3 TCAM entries: Name "discard-ntp"
        - Term    3: needs    63 TCAM entries: Name "permit-ssh"
        - Term    4: needs     3 TCAM entries: Name "discard-ssh"
        - Term    5: needs    63 TCAM entries: Name "permit-netconf"
        - Term    6: needs     3 TCAM entries: Name "discard-netconf"
        - Term    7: needs    39 TCAM entries: Name "permit-snmp"
        - Term    8: needs     3 TCAM entries: Name "discard-snmp"
        - Term    9: needs    12 TCAM entries: Name "allow-dhcp"
        - Term   10: needs   117 TCAM entries: Name "allow-udp-source"
        - Term   11: needs     3 TCAM entries: Name "discard-udp"
        - Term   12: needs     3 TCAM entries: Name "discard-telnet"
        - Term   13: needs     3 TCAM entries: Name "accept"
      + Total TCAM entries available: 1792
      + Total TCAM entries needed   : 342
    
     Total hardware instances: 1
    

    I've checked another pair of ex4300s with the exact same firewall filter rules and that one is functioning with the TCAM installing entries, per below

    Filter index   : 1
    ======================
    
    - Filter name  : loopback
    
    + Hardware Instance : 1
      + Hardware key (struct pfe_bcm_dfw_hw_key_t):
        - Type          : IRACL_LO
        - Vlan id       : 0
        - Direction     : ingress
        - Protocol      : 2 (IPv4)
        - Port class id : 0
        - Class id      : 0
        - Loopback      : 1
        - Vlan tag      : 0
      + FP usage info (struct pfe_bcm_dfw_fp_t):
        - Group                           : IFP iRACLv6 + Lo0 group (7)
        - List of tcam entries            : [ total: 342; 6351 6352 6353 6354 6355 6356 6357 6358 6359 6360 6361 6362 6363 6364 6365 6366 6367 6368 6369 6370 6371 6372 6373 6374 6375 6376 6377 6378 6379 6380 6381 6382 6383 6384 6385 6386 6387 6388 6389 6390 6391 6392 6393 6394 6395 6396 6397 6398 6399 6400 6401 6402 6403 6404 6405 6406 6407 6408 6409 6410 6411 6412 6413 6414 6415 6416 6417 6418 6419 6420 6421 6422 6423 6424 6425 6426 6427 6428 6429 6430 6431 6432 6433 6434 6435 6436 6437 6438 6439 6440 6441 6442 6443 6444 6445 6446 6447 6448 6449 6450 6451 6452 6453 6454 6455 6456 6457 6458 6459 6460 6461 6462 6463 6464 6465 6466 6467 6468 6469 6470 6471 6472 6473 6474 6475 6476 6477 6478 6479 6480 6481 6482 6483 6484 6485 6486 6487 6488 6489 6490 6491 6492 6493 6494 6495 6496 6497 6498 6499 6500 6501 6502 6503 6504 6505 6506 6507 6508 6509 6510 6511 6512 6513 6514 6515 6516 6517 6518 6519 6520 6521 6522 6523 6524 6525 6526 6527 6528 6529 6530 6531 6532 6533 6534 6535 6536 6537 6538 6539 6540 6541 6542 6543 6544 6545 6546 6547 6548 6549 6550 6551 6552 6553 6554 6555 6556 6557 6558 6559 6560 6561 6562 6563 6564 6565 6566 6567 6568 6569 6570 6571 6572 6573 6574 6575 6576 6577 6578 6579 6580 6581 6582 6583 6584 6585 6586 6587 6588 6589 6590 6591 6592 6593 6594 6595 6596 6597 6598 6599 6600 6601 6602 6603 6604 6605 6606 6607 6608 6609 6610 6611 6612 6613 6614 6615 6616 6617 6618 6619 6620 6621 6622 6623 6624 6625 6626 6627 6628 6629 6630 6631 6632 6633 6634 6635 6636 6637 6638 6639 6640 6641 6642 6643 6644 6645 6646 6647 6648 6649 6650 6651 6652 6653 6654 6655 6656 6657 6658 6659 6660 6661 6662 6663 6664 6665 6666 6667 6668 6669 6670 6671 6672 6673 6674 6675 6676 6677 6678 6679 6680 6681 6682 6683 6684 6685 6686 6687 6688 6689 6690 6691 6692 ]
        - List of ranges                  : [ total: 0; ]
      + Misc info (struct pfe_bcm_dfw_misc_info_t):
      + Bind point info (union pfe_bcm_dfw_bind_point_info_t):
        - No grouping possible
      + AE intf match list:
      + Programmed: YES
      + Total TCAM entries available: 1792
      + Total TCAM entries installed  : 342
      + Term Expansion:
        - Term    1: will expand to     9 terms: Name "permit-ntp"
        - Term    2: will expand to     1 term : Name "discard-ntp"
        - Term    3: will expand to    21 terms: Name "permit-ssh"
        - Term    4: will expand to     1 term : Name "discard-ssh"
        - Term    5: will expand to    21 terms: Name "permit-netconf"
        - Term    6: will expand to     1 term : Name "discard-netconf"
        - Term    7: will expand to    13 terms: Name "permit-snmp"
        - Term    8: will expand to     1 term : Name "discard-snmp"
        - Term    9: will expand to     4 terms: Name "allow-dhcp"
        - Term   10: will expand to    39 terms: Name "allow-udp-source"
        - Term   11: will expand to     1 term : Name "discard-udp"
        - Term   12: will expand to     1 term : Name "discard-telnet"
        - Term   13: will expand to     1 term : Name "accept"
      + Term TCAM entry requirements:
        - Term    1: needs    27 TCAM entries: Name "permit-ntp"
        - Term    2: needs     3 TCAM entries: Name "discard-ntp"
        - Term    3: needs    63 TCAM entries: Name "permit-ssh"
        - Term    4: needs     3 TCAM entries: Name "discard-ssh"
        - Term    5: needs    63 TCAM entries: Name "permit-netconf"
        - Term    6: needs     3 TCAM entries: Name "discard-netconf"
        - Term    7: needs    39 TCAM entries: Name "permit-snmp"
        - Term    8: needs     3 TCAM entries: Name "discard-snmp"
        - Term    9: needs    12 TCAM entries: Name "allow-dhcp"
        - Term   10: needs   117 TCAM entries: Name "allow-udp-source"
        - Term   11: needs     3 TCAM entries: Name "discard-udp"
        - Term   12: needs     3 TCAM entries: Name "discard-telnet"
        - Term   13: needs     3 TCAM entries: Name "accept"
      + Total TCAM entries available: 1792
      + Total TCAM entries installed  : 342
    
     Total hardware instances: 1
    

    Interestingly enough, on the non-functioning ex4300, I get this output whenever I try to commit changes to the firewall filter:

    Message from syslogd@[snip] at Mar 29 17:18:01  ...
    [snip] pfex: DFWE DFW: Cannot program filter loopback (type IRACL_LO) - TCAM has 135 free entries and the filter requires 342 free entries
    
    Message from syslogd@[snip] at Mar 29 17:18:01  ...
    [snip] fpc0 DFWE DFW: Cannot program filter loopback (type IRACL_LO) - TCAM has 135 free entries and the filter requires 342 free entries

    I've tried completely deleting the firewall filters and committing, rollback, removing the loopback filter on the interface and re-applying, but no dice.  Anyone have similar experiences or can steer me in the right direction?



    ------------------------------
    dandyrandy dandyrandy
    ------------------------------
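
The syslog message and the `Programmed: NO` field quoted in this post mean the loopback filter is configured but not enforced in hardware, which is worth alerting on for any control-plane filter. The following is an added example, not part of the original post: a Python check that flags that condition from the two output formats shown above. The hostname `sw1`, the function names and the 4-term dump excerpt are constructed for illustration.

```python
import re

# Patterns follow the syslog and PFE output quoted in the post.
DFW_FAIL = re.compile(
    r"Cannot program filter (?P<filter>\S+) \(type (?P<type>\w+)\) - TCAM has "
    r"(?P<free>\d+) free entries and the filter requires (?P<need>\d+) free entries")
TERM_NEED = re.compile(r'Term\s+\d+: needs\s+(\d+) TCAM entries: Name "([^"]+)"')

def unprogrammed_from_syslog(lines):
    """Map (filter, type) -> TCAM shortfall for filters the PFE refused to program."""
    found = {}
    for line in lines:
        m = DFW_FAIL.search(line)
        if m:  # pfex and fpc0 report the same event; the dict key dedupes them
            found[(m["filter"], m["type"])] = int(m["need"]) - int(m["free"])
    return found

def audit_pfe_dump(text):
    """Summarise one filter block: is it in hardware, and which terms cost most?"""
    name = re.search(r"Filter name\s*:\s*(\S+)", text)
    prog = re.search(r"Programmed:\s*(YES|NO)", text)
    terms = [(n, int(c)) for c, n in TERM_NEED.findall(text)]
    return {
        "filter": name.group(1) if name else None,
        "programmed": prog is not None and prog.group(1) == "YES",
        "entries_needed": sum(c for _, c in terms),
        "costliest": sorted(terms, key=lambda t: -t[1])[:2],
    }

# Constructed samples: hostname "sw1" is a placeholder, the dump is a 4-term excerpt.
SAMPLE_SYSLOG = [
    "sw1 pfex: DFWE DFW: Cannot program filter loopback (type IRACL_LO) - "
    "TCAM has 135 free entries and the filter requires 342 free entries",
    "sw1 fpc0 DFWE DFW: Cannot program filter loopback (type IRACL_LO) - "
    "TCAM has 135 free entries and the filter requires 342 free entries",
]
SAMPLE_DUMP = '''
- Filter name  : loopback
  + Programmed: NO
    - Term    1: needs    27 TCAM entries: Name "permit-ntp"
    - Term    3: needs    63 TCAM entries: Name "permit-ssh"
    - Term   10: needs   117 TCAM entries: Name "allow-udp-source"
    - Term   12: needs     3 TCAM entries: Name "discard-telnet"
'''

if __name__ == "__main__":
    for (flt, kind), short in unprogrammed_from_syslog(SAMPLE_SYSLOG).items():
        print(f"ALERT: filter {flt} ({kind}) not in hardware, short {short} entries")
    print(audit_pfe_dump(SAMPLE_DUMP))
```

The per-term totals show where the TCAM cost concentrates, which is the first place to look when the group has too few free entries.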