In a recent project, I had the opportunity to work with something "new" yet familiar. During a customer data center (DC) refresh project, one of the key tasks was upgrading their aging Nexus 5000 to the new Nexus 9000 series. The model in play? The N93360YC-FX2, a powerhouse with enhanced capabilities but with a few nuances.
At first glance, porting over configurations from the N5K seemed straightforward—no need for FCoE or zoning configurations in the new setup. However, a surprise came up: while copying over the configurations, I encountered an error related to TCAM, specifically that the "vacl region is not configured." This caused an unexpected result:
vPC was up, but no active VLANs appeared on the trunk.
Interface trunk showed “error disabled” for all VLANs.
After some research and input from my Cisco Champion network, it became clear that the Nexus 9000 requires specific TCAM vacl regions for:
An ACL within a VLAN map
An ACL under a port channel for HSRP filtering
What is TCAM?
Ternary Content Addressable Memory (TCAM) is specialized memory in network devices designed for high-speed searching, particularly suited for ACLs, QoS, and route lookups. TCAM allows for matching "ternary" states—0, 1, and “don’t care”—making it especially effective for complex packet filtering and policy enforcement. You can read more about TCAM on Cisco's website: Understanding TCAM in Cisco Nexus 9000.
In the N93360YC-FX2, the default TCAM region hadn’t allocated space for the vacl region, causing the configuration error and resulting trunk issues.
The Fix: Reconfigure TCAM Regions
To resolve this, I needed to reallocate TCAM space by specifying sizes for each required region. Here’s what worked:
switch(config)# hardware access-list tcam region egr-racl 1280
switch(config)# hardware access-list tcam region ing-racl 2048(Reboot required)
switch(config)# hardware access-list tcam region vacl 256(Reboot required)
This change fixed the configuration error and restored normal trunk functionality.
Proactive Monitoring with iCAM
Although the above fix was confirmed by a Cisco TAC engineer, I wondered if there was a way to proactively monitor TCAM usage to avoid similar issues in the future. That’s when I was introduced to iCAM.
Enabling iCAM provides real-time monitoring of TCAM utilization in NX-OS, allowing administrators to track TCAM entries proactively. Here’s how to enable it:
switch(config)# feature icam
switch(config)# icam monitor scaleiCAM is new to me, but I’ve enabled it in the production environment and look forward to seeing its impact on TCAM management. I’ll certainly provide updates on how this tool performs over time.
Nov 2024
Comentarios