User-Defined TCAM Keys for IPv4 and IPv6
Access-lists on the Cisco NCS 540 Series Routers use a TCAM (internal and external) to perform the lookup and action resolution on each packet. The TCAM is a valuable and constrained resource in hardware, which must be shared by multiple features. Therefore, the space (key width) available for these key definitions is also constrained. A key definition specifies which qualifier and action fields are available to the ACL feature when performing the lookup. Not all available qualifier and action fields can be included in each key definition.
The key definitions are specific to a given ACL type, which can depend on the following attributes of the access-list:
- Direction of attachment, whether ingress or egress
- Protocol type (IPv4/IPv6/L2)
- Compression level (0: uncompressed, 3: compressed)
Because the default key definitions are constrained (they do not include all qualifier/action fields), User-Defined Key (UDK) definitions are supported for the following types:
- Traditional Ingress IPv4 ACL (uncompressed)
- Traditional Ingress IPv6 ACL (uncompressed)
The User-Defined TCAM Key (UDK) functionality provides the flexibility to define your own TCAM key for one of three possible reasons (for ingress, traditional, IPv4/IPv6 ACLs only):
- To include qualifier fields that are not included in the default TCAM key
- To change the ACL mode from shared to unique, to support a greater number of unique ACLs, unique counters, and so on
- To reduce the size of the TCAM key (the number of banks consumed)
A UDK can be configured using the following command:
hw-module profile tcam format access-list [ipv4 | ipv6] qualifiers [location rack/slot/cpu0]
This hw-module configuration requires a reload of the chassis. If you want to use a common ACL when a UDK is configured, add the common-acl option to the UDK.
User-Defined Fields
A TCAM key consists of several qualifiers, and that set of qualifiers is used to filter packets for a given ACL. A User-Defined Field (UDF) lets you define a custom qualifier by specifying the location and size of the field, using the following UDF command:
udf udf-name header [ inner | outer ] [ l2 | l3 | l4 ] offset byte-offset length number-of-bytes
The UDF can then be added to a UDK as follows.
hw-module profile tcam format access-list [ipv4 | ipv6] qualifiers [udf1 udf-name udf2 udf-name] [location rack/slot/cpu0]
IPv4 and IPv6 Key Formats for Traditional Ingress ACL
User-defined TCAM key (UDK) definition is supported for ingress, traditional (uncompressed) IPv4 and IPv6 ACLs.
The following table shows the qualifier fields that are supported in the IPv4 and IPv6 key formats. If the default TCAM key column shows Enabled, the qualifier field is part of the default key. If it shows Disabled, the qualifier field can be used only through a UDK.
| Parameter | Default TCAM key (IPv4) | Default TCAM key (IPv6) |
|---|---|---|
| Source Address | Enabled | Enabled |
| Destination Address | Enabled | Enabled |
| Source Port | Enabled | Enabled |
| Destination Port | Enabled | Enabled |
| Port Range | Enabled | Not supported |
| Protocol/Next Header | Enabled | Enabled |
| Fragment bit | Enabled | Not supported |
| Packet length | Disabled | Disabled |
| Precedence/DSCP | Disabled | Enabled |
| TCP Flags | Enabled | Enabled |
| TTL Match | Disabled | Disabled |
| Interface based | Disabled | Not supported |
| UDF 1-7 | Disabled | Disabled |
| ACL ID | Enabled | Enabled |
| common ACL bit | Enabled by default for IPv4/IPv6 in shared mode. Disabled by default for IPv4/IPv6 in unique mode. | Enabled by default for IPv4/IPv6 in shared mode. Disabled by default for IPv4/IPv6 in unique mode. |
| Interface-based (RIF) | Disabled | Disabled |
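As an added example that is not part of Cisco's documentation, the following Python script encodes the qualifier table above and reports, for the qualifiers an ingress ACL needs, which ones force a UDK, which ones the key format cannot match at all, and whether the common-acl option must be added. The qualifier names are the table's row labels, not the keywords accepted by the hw-module command, and the rule that unique mode itself requires a UDK follows from the reasons listed earlier on this page.

```python
from typing import NamedTuple

# Default TCAM key support for ingress, traditional (uncompressed) ACLs,
# transcribed from the table above as (IPv4 status, IPv6 status).
# "enabled": part of the default key; "disabled": reachable only via a UDK;
# "unsupported": the key format cannot match on it at all.
DEFAULT_KEY = {
    "Source Address":        ("enabled",  "enabled"),
    "Destination Address":   ("enabled",  "enabled"),
    "Source Port":           ("enabled",  "enabled"),
    "Destination Port":      ("enabled",  "enabled"),
    "Port Range":            ("enabled",  "unsupported"),
    "Protocol/Next Header":  ("enabled",  "enabled"),
    "Fragment bit":          ("enabled",  "unsupported"),
    "Packet length":         ("disabled", "disabled"),
    "Precedence/DSCP":       ("disabled", "enabled"),
    "TCP Flags":             ("enabled",  "enabled"),
    "TTL Match":             ("disabled", "disabled"),
    "Interface based":       ("disabled", "unsupported"),
    "UDF 1-7":               ("disabled", "disabled"),
    "ACL ID":                ("enabled",  "enabled"),
    "Interface-based (RIF)": ("disabled", "disabled"),
}
COLUMN = {"ipv4": 0, "ipv6": 1}

class UdkPlan(NamedTuple):
    needs_udk: bool
    udk_qualifiers: tuple    # qualifiers the UDK must carry beyond the default key
    unsupported: tuple       # qualifiers this key format cannot match; redesign the ACL
    common_acl_option: bool  # add the common-acl option to the UDK

def plan_udk(protocol, required, acl_mode="shared", uses_common_acl=False):
    """Compare an ACL's required qualifiers against the default TCAM key."""
    col = COLUMN[protocol.lower()]
    needs, unsupported = [], []
    for q in required:
        if q not in DEFAULT_KEY:
            raise ValueError(f"unknown qualifier: {q}")
        status = DEFAULT_KEY[q][col]
        if status == "disabled":
            needs.append(q)
        elif status == "unsupported":
            unsupported.append(q)
    # Unique mode is itself one of the reasons for defining a UDK.
    needs_udk = bool(needs) or acl_mode == "unique"
    # With a UDK in place, the common ACL bit is requested via the common-acl option.
    common_opt = uses_common_acl and needs_udk
    return UdkPlan(needs_udk, tuple(needs), tuple(unsupported), common_opt)

if __name__ == "__main__":
    # Constructed input: an IPv6 ACL that also wants TTL, a UDF and a fragment match.
    print(plan_udk("ipv6", ["Source Address", "TTL Match", "UDF 1-7", "Fragment bit"]))
```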
The following table shows the action fields supported in the IPv4 and IPv6 key formats.
Note: You cannot configure QoS groups for ingress ACLs after a User-Defined TCAM Key (UDK) is configured, because the command permit ipv4 any any set qos-group is not supported.
| Parameter | Default action field (IPv4) | Default action field (IPv6) |
|---|---|---|
| Permit | Enabled | Enabled |
| Deny | Enabled | Enabled |
| Log | Enabled | Enabled |
| Capture | Enabled | Enabled |
| Stats Counter | Deny stats is always Enabled (permit stats has its own hw-module command) | Deny stats is always Enabled |
| TTL Set | Enabled | Enabled |
To enable the monitoring of the packet count that is permitted based on the ACL rules, use the following configuration, and then reload the line card or router as required:
/* Enable permit statistics for the egress ACL (by default, only deny statistics are shown) */
Router(config)# hw-module profile stats acl-permit
Router(config)# commit
Router(config)# end
Router# reload location all
Wed Apr 5 23:05:46.193 UTC
Proceed with reload? [confirm]