Professional Documents
Culture Documents
CISCO CONFIDENTIAL
Introduction:
Features like QoS, PBR etc., enable user to provide better services to
certain flows. Similarly security features like ACL enables user to prevent
unauthorized flows from accessing services on the router. To provide
these services, the flow must first be identified. This procedure is known
as classification. The classification of a flow is usually done by matching
packet fields like match on source and/or destination ip addresses, L4 port
num, IP TOS bits etc. Classification can be implemented using memory
(like DRAM) but reading from RAM is very slow in datapath and can not
keep up with high rate of traffic. ASR1000 uses high speed TCAM4
device for this purpose.
Unlike in RAM (bit can have 0 or 1), there are three states for every bit of
data in TCAM. These are 0, 1 and don't care. To implement this, TCAM
uses two memory cells per bit.
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 1 of 24
White Paper
CISCO CONFIDENTIAL
TCAM4:
• Fourth generation specification.
• Full-ternary addressable memory (1:1 ratio between data word &
mask word).
• Dynamically configurable widths of 80, 160 & 320 bit Keys
• Supports for 250M lookups per seconds on 80 & 160 bit Keys and
125M lookups per second for 320 bit keys.
• Available densities 5Mb, 10Mb, 20Mb and 40Mb.
ESP20:
There are two TCAMs of size 20Mb each.
These can be configured as
80 bit cells - 512K or
160 bit cells - 256K or
320 bit cells - 128K. or
Mix of any of the above sizes.
ASR1000 currently uses only 160 bit & 320 bit cells (does not
use 80 bit cell entries).
TCAM is divided into cell blocks. Each cell block contains 4K
80bit cells. TCAM cells will be allocated one cell block at a
time to 160bit or 320bit regions based on demand .
There is no pre-reservation/allocation of cells to any of these
regions. So, entire TCAM can be used for 160 bit keys or
320bit keys or mix of both.
ESP20 power limitation: Due to hw power limitation only
160K (80 bit) cells are allowed in single lookup on each of the
two TCAMs. That means no single policy can be bigger than
320K (80bit) cells on set of two TCAMs. Note: All 512K
(80bit) cells of these TCAMs can be used through multiple
policies.
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 2 of 24
White Paper
CISCO CONFIDENTIAL
System flow:
Policy/ACL attach:
Control plane:
When user attaches an ACL or QOS policy (or any other policy) to
an interface, classification code does the following.
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 3 of 24
White Paper
CISCO CONFIDENTIAL
vi. Stores the label & lookup key info into datapath structures.
DataPath:
If a policy or ACL is applied on an interface then for each packet coming
on that interface, datapath prepares TCAM lookup key using info in the
packet, label and then sends it to TCAM. If there is any match then TCAM
returns the corresponding result of that entry. Datapath takes necessary
action based on the result.
EX:
Suppose user attaches 10 ACLs to 10 different interfaces. The smallest
ACL occupies 100 (160 bit) TCAM entries and the largest ACL occupies
200 (160 bit) TCAM entries. In this scenario there should be > 200 (160
bit) free TCAM entries to allow edit operation on largest ACL.
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 4 of 24
White Paper
CISCO CONFIDENTIAL
These are global tables. All ACLs/Policies configured on the router share
these tables. If two or more ACEs of different (or the same) ACLs uses the
same range then all these ACEs shares the same entries in the ARL table.
Each range takes one or two entries in the table. If the range is like < 50
then it takes one ARL entry because there is always a zero range entry in
the ARL table for lower limit. If the range has min & max values like min
20 max 100, then it takes 2 table entries.
Note: Single value like “eq 240” or range 240 240, does not use ARL
table. This value will be used as is in the TCAM entry.
ASR1000 first try to use ARL table entry for the ranges. For most of the
configurations, ranges fit into these tables. If it can not fit the range in
ARL table then it expands that ACE (or policy math rule) into multiple
entries. In this case single ACL ACE (or policy rule) uses multiple TCAM
entries. The number of these entries depends on the given range.
Case 1: If the “range 25 50” fits in the src port ARL table then there will
be only one entry in TCAM. This entry will be like (only fields required
for this discussion are shown here)
Note: mask ‘0’ means don’t care. Here, ARL id is used for the port range
not the port number itself. So src-port field in the TCAM entry will be
disabled by setting its mask to 0.
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 5 of 24
White Paper
CISCO CONFIDENTIAL
Case 2: If the range 25 50 does not fit in the src port ARL table then this
ACE will be expanded into 6 TCAM entries (not 25 entries) using source
port prefix mask . These TCAM entry contents will be like.
Note: Here ARL ids are not used. So arl-id field is disabled by setting its
mask to 0.
Suggestion:
• If possible configure policies with most used ranges first.
• If user has prior knowledge of ranges used in their
policies/ACLs then they can create a small temporary policy
with most used ranges and apply this first to a dummy interface
(interface which is not used). ARL code receives all these
ranges at once. Code gets a chance to arrange these ranges in
optimal order into ARL table. Configuration which applied
later will share these entries. Users can keep or remove this
temporary policy after they loaded their production config.
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 6 of 24
White Paper
CISCO CONFIDENTIAL
Show commands:
The commands provided in this section are unpublished and intended
for internal use only. The syntax and output format may change from
release to release without notification.
.
1) Command to display TCAM usage:
Example: on ESP10
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 7 of 24
White Paper
CISCO CONFIDENTIAL
Command:
sh platform hardware qfp active classification feature-manager arl
Example: on ESP10
Step 1:
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 8 of 24
White Paper
CISCO CONFIDENTIAL
For ACL:
MCP-1# sh platform software access-list F0 summary | inc range-test2
range-test2 17 1 1
MF-Classifier
class-group 0078EFD0 337AC32C N
Step 2:
Command: sh plat hard qfp act cla fea cla tcam [acl | cce]
<cg_id> interface <name> [input output] [brief | detail]
Note:
number of vmrs: TCAM entries used by this ACL.
Value size: Tells 160bit cell or 320 bit cell.
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 9 of 24
White Paper
CISCO CONFIDENTIAL
Abstract
This tech note details the problem of Ternary Content Addressable Memory (TCAM) entry
explosion for traffic classification based on Access Control Lists (ACLs) containing
“DENY” criteria.
The most common algorithm for ACL based traffic classification in TCAM (known as
Platform Independent Ordered merge (POD)) uses recursion to deal with DENY criteria
and does not scale even for a modest number of classes and/or DENY criteria. Due to its
recursive nature, the required number of entries can easily exceed the capacity of TCAM
devices.
Introduction
Understanding the concept of deny-jump action is crucial for the understanding of the
problem of TCAM expansion and exhaustion
Traffic classification is one of the most basic functionalities found in routers and switches,
with more and more applications and features requiring the infrastructure devices to
provide these differentiated services for different users based on their quality
requirements, or features based on their classification requirements. Therefore, routers
need to have the capability to distinguish and classify traffic based on the matching
criteria provided. Traffic classification needs to meet some requirements for success,
such as speed, flexibility and scalability. The traffic classification process should be very
fast so that the throughput of router/switch should not be greatly degraded. The
implementation should be flexible enough to allow users to configure various matching
criteria to meet the demands from various applications. TCAM (Ternary content-
addressable-memory) has been widely used in high-speed router/switch because of its
high performance and deterministic lookup time. However, the number of TCAM entries
is limited.
On Cisco platforms, several features such as QoS, Policy-Based Routing, IPsec, Firewall,
etc. support classification based on Access Control Lists (ACLs), often allowing the
definition of different classes of traffic based on different ACLs. For the ASR1000 these
features make use of TCAM for these ACL classifications, unlike software platforms like
the ISR’s and 7200’s.
ACLs are basically lists of Access Control Entries (ACEs), each of which define network
matching criteria (e.g. L3 source and/or destination addresses, etc.) as well as a grant
attribute (PERMIT or DENY). Originally designed for traffic filtering purposes, ACLs
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 10 of 24
White Paper
CISCO CONFIDENTIAL
were later also used for traffic classification. The semantics of the grant attribute varies
depending on how the ACL is actually used.
When ACLs are used for filtering purposes, a match on a PERMIT entry means that the
packet is granted permission to be processed while a match on a DENY entry that the
packet must be dropped. However, when ACLs are used for classification, a match on a
PERMIT entry simply means that the packet belongs to the traffic class, while a match on
a DENY entry simply means that the packet does not belong to that class; the packet is
not dropped, and classification “jumps” to check the packet against the next class, if there
is one. This is an extremely important concept, as this deny-jump concept only exists
where there are multiple sequences in one classification policy. Some examples being a
QoS policy with multiple classes, each of which have a “mix” of deny and permit
statements where the deny is not the implicit deny. Likewise an IPSec crypto-map policy,
or a policy-routing policy with multiple sequences will use the same deny-jump concept.
The following example illustrates a hypothetical networking feature that defines classes
of traffic based on ACLs. We first define the ACLs themselves:
acl A
permit a1
deny a2
permit a3
acl B
permit b1
deny b2
permit b3
acl C
permit c1
deny c2
permit c3
Logically speaking, packets are compared against the ACLs sequentially, starting with
the first ACE in the first ACL, moving down until a matching PERMIT ACE is found.
When matching DENY entries are found, classification simply jumps to the following
class. In the example above, suppose a packet that matches criteria ‘a2’, ‘a3’ and ‘b1’.
The packets are first evaluated against ACL A. Because it matches entry “DENY a2”,
classification jumps to ACL B, and it is never compared to entry “PERMIT a3”. This
process is commonly referred to as deny-jump.
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 11 of 24
White Paper
CISCO CONFIDENTIAL
On ACL B, the packet does match entry ‘PERMIT b1’ so it is deemed as belonging to
ACL B, which causes action-2 to be executed.
Many features support the concepts of default action, which is the action to be executed if
the packet does not match any of the defined ACLs.
Notice: we are using here ACL related terminology (ACLs, ACEs, PERMIT / DENY
attribute) for convenience purposes. On Cisco platforms, different features use different
ways to define the behaviors described above. For example, Cisco Common
Classification Policy Language (C3PL) based features, in addition to ACL based
classification, also support deny-jump behavior on class-maps through the ‘match not
<criteria>’ command; Policy Based Routing (PBR) supports similar behavior through the
‘deny’ keyword on entire route-maps, and so on.
Since TCAM lookups return the first matching entry, the “deny-jump” behavior is
obviously not directly implementable on TCAM. Some extra work is necessary to
eliminate the DENY entries for TCAM to handle the deny-jump behavior.
In several Cisco platforms such as C12K, C10K, Cat6K, ASR1K, ASR 9K and Nexus
x000 series, which utilize TCAM based classification, the handling of the deny-jump
behavior is handled by the Platform-independent Ordered Dependent merge (POD)
algorithm, explained in below.
The POD algorithm handles the deny-jumps by converting the DENY entries into
PERMIT ones using cross product. POD generates a new final list out of the original ones.
When it finds a DENY entry in a class, POD expands it to a list of entries by recursively
merging that DENY entry with all entries of all subsequent classes. In this expansion
process, when a PERMIT entry is found in a subsequent class, if there is some
intersection across the criteria of all entries to be merged, POD generates a new entry
using the action pointed to by the PERMIT entry; when a DENY entry is found, POD
recursively applies the same expansion logic to all subsequent classes. If no PERMIT is
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 12 of 24
White Paper
CISCO CONFIDENTIAL
found after checking the last subsequent class, a new entry is created to point to a default
action.
This process is illustrated below, using the example from the previous section. POD
would generate the following final list:
a1 => action-1
a2 & b1 => action-2
a2 & b2 & c1 => action-3
a2 & b2 & c2 => default-action
a2 & b2 & c3 => action-3
a2 & b2 => default-action
a2 & b3 => action-2
a2 & c1 => action-3
a2 & c2 => default-action
a2 & c3 => action-3
a2 => default-action
a3 => action-1
b1 => action-2
b2 & c1 => action-3
b2 & c2 => default-action
b2 & c3 => action-3
b2 => default-action
b3 => action-2
c1 => action-3
c2 => default-action
c3 => action-3
(Where: ‘&’ means a merge of entries criteria, and ‘=>’ means the action to be taken if a packet matches this entry.)
The main problem with this approach is that the recursive nature of the algorithm can
cause the required number of entries to “explode”. In theory, the number of created
entries would be , where is the average number of entries in each ACL and is
the number of lists. So the number of created entries would grow exponentially when
grows.
The number of TCAM entries may be exploded because of the deny entries in the
configuration. The total number of the final TCAM entries are heavily dependent on the
configuration, including the number of deny entries, and their positions in the
configuration.
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 13 of 24
White Paper
CISCO CONFIDENTIAL
Policy-map abc
Match Class A
Set prec 1
Match class B
Set prec 2
Match class C
Set prec 3
Class-map match-any A
match a1 (permit)
match not a2 (deny)
match a3 (permit)
class-map match-any B
match b1 (permit)
match b2 (permit)
class-map match-any C
match c1 (permit)
match not c2 (deny)
match c3 (permit)
Match a1
Match a2&b1
Match a2&b2
Match a2&c1
Match a2&c3
Match a3
Match b1
Match b2
Match c1
Match c3
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 14 of 24
White Paper
CISCO CONFIDENTIAL
The number of extra entries heavily depends on the number of deny statements, the
number of classes in the configuration as well as the position of the deny entries. In
general a deny, or multiple deny statements in a class further up the sequence will cause
this exponential TCAM expansion, so same ACL could not have any problem used in one
policy-map, but run out the TCAM in the other, because its position and the other classes
in the configuration are different.
This behavior is tracked by CSCsx16234, which can be realized by ASR 1000 customers
when they move from 7200 platforms to the ASR 1000. Original configuration works
fine on 7200, but cause TCAM exhaustion on the ASR1000.
Configuration Solutions/Workarounds.
The easiest way to avoid this TCAM expansion if one sees a configuration with
multiple sequences (e.g. multiple classes in a policy-map, or multiple crypto-map
entries) and deny statements above or intermingled with permit statements is to
attempt to rationalize the configuration to one using only permit statements and
rely on the implicit deny all. Or alternatively, mostly in QoS policies, configure a
separate class to first permit networks you want to deny and give them no
bandwidth (service)
QOS EXAMPLE:
In the QoS example it is the SAME network (deny statement) added to EVERY
ACL - the POSITION of this deny is critical - as this would incur the deny-jump
algorithm.
Problem Configuration:
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 15 of 24
White Paper
CISCO CONFIDENTIAL
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 16 of 24
White Paper
CISCO CONFIDENTIAL
A much cleaner configuration is to permit the specific networks you want to deny
and give them no bandwidth. This avoids the deny jump algorithm
Solution:
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 17 of 24
White Paper
CISCO CONFIDENTIAL
!
ip access-list extended acc-in
permit ip any 192.168.85.0 0.0.0.31
permit ip any 192.168.90.0 0.0.0.31
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 18 of 24
White Paper
CISCO CONFIDENTIAL
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 19 of 24
White Paper
CISCO CONFIDENTIAL
CRYPTO-MAP EXAMPLE:
Problem Configuration:
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 20 of 24
White Paper
CISCO CONFIDENTIAL
Solution Configuration:
The most appropriate solution is to define exactly what needs to be encrypted and
only permit this traffic in an ACL and let the implicit deny-all send the rest of the
traffic clear text.
From the example above, if the desired goal is to encrypt the GRE tunneled traffic
(GRE over IPSec) then the ACL can be modified to:
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 21 of 24
White Paper
CISCO CONFIDENTIAL
Another way to avoid using multiple crypto map statements in a sequenced order
is to simply collapse all the peers into one crypto-map and use one ACL to permit
peers
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 22 of 24
White Paper
CISCO CONFIDENTIAL
One final option is to move to the tunnel protection method of encryption – where
and IPSec profile is simply applied to each GRE tunnel and all traffic traversing
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 23 of 24
White Paper
CISCO CONFIDENTIAL
the tunnel is encrypted. This method does not rely on TCAM at all, as there are
no ACL’s defined to classify the traffic. One design note is that if you are using
GRE/IPSec with keep-alive then this is not supported when using tunnel
protections.
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008
048cffc.shtml
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information. Page 24 of 24