Posted on August 7, 2020 7:56 pm
 |  Asked by JOONHWAN CHO
Print Friendly, PDF & Email

I want to know about  IFP Slice allocation rules.

I  have done show hardware capacity but some slice has been used 100% and some slice has been used 0%. so i want to share it. I think that ipv4 allocates some slice, ipv6 allocates some slice.


In my customer sites, there are many ACL, PBR. There is exceed a capacity now So, I can’t add anymore entry of ip access-list.

I have to optimize ACL, PBR  LIST because  it can’t add it.

Could you please explain how to  optimize it?

Please refer to attachment.

In advance , Thanks.






IFP Linecard0/0 5396 54% 4588 0 9984 5928
IFP Slice-0 Linecard0/0 94 12% 674 0 768 94
IFP Slice-1 Linecard0/0 226 29% 542 0 768 226
IFP Slice-10 Linecard0/0 598 77% 170 0 768 768
IFP Slice-11 Linecard0/0 598 77% 170 0 768 768
IFP Slice-2 Linecard0/0 226 29% 542 0 768 226
IFP Slice-3 Linecard0/0 6 0% 762 0 768 8
IFP Slice-4 Linecard0/0 768 100% 0 0 768 768
IFP Slice-5 Linecard0/0 768 100% 0 0 768 768
IFP Slice-6 Linecard0/0 757 98% 11 0 768 768
IFP Slice-7 Linecard0/0 757 98% 11 0 768 768
IFP Slice-8 Linecard0/0 0 0% 1536 0 1536 0
IFP Slice-9 Linecard0/0 598 77% 170 0 768 768
IM_MTP Linecard0/0 0 0% 4 0 4 1

Posted by Alexis Dacquay
Answered on August 11, 2020 11:10 am

Hi Joonhwan,

IFP is a part of the TCAM used for matching against network headers and take actions such as drop/forward/etc.

You can see how your IFP TCAM slices are used, you can check the "show platform trident tcam summary" output.

Your "show tech-support" output already includes "show platform trident tcam", but it's a bit verbose. The summary ones gives you a nice summary.

It shows you what features employs what slices. The more complex the feature, the more slices it will use. For example some complex ACL (e.g. both src+dst, both Layer3+Layer4) will use more slices than simpler ACL (e.g. just source Layer3), because the rules has to match against more parts in the header, so it consumes more hardware resources.


Extract from your show tech-support; it is quite full for IPv4 PBR:


TCAM group 31 in PIPE 0 uses 1525 entries and can use up to 11 more.
IP PBR uses 1525 entries.


TCAM group 32 in PIPE 0 uses 598 entries and can use up to 170 more.
IP6 PBR uses 598 entries.







Posted by jaxk Panther
Answered on August 12, 2020 6:10 am

Hi Alexis
Then it means one ACL cans utilized several slices?

Posted by Alexis Dacquay
Answered on August 12, 2020 9:39 pm


It must.

An ACL, even in its simplest form, will need to have a src and dest, it will require several slices WIDTH to match several parameters in a simple ACL entry.

The more complex the ACL or feature rules, the more slices the feature will consume.


However, one ACL that fills up completely its slices might or might not be able to overflow onto some other available slices. This depends on whether the hardware (network processor and its hardware tables) support it or not.

Some support overflowing once onto another slices, making it a total length of 2 slices-long

I cannot recall exactly for the 7050X3-series, but check your logs, if you do have warnings that the resources are full and cannot program everything in, then that is your current limit.





Posted by Aniket Bhowmick
Answered on August 13, 2020 7:35 am

Hi Joonhwan,

To help you understand a bit better:

On the 7050CX3 platform, there are a total of 12 IFP Slices. Each Slice has a width of 160 bits and can hold 9216 entries (depth).

The Slices are physically arranged in 4 clusters of 3 slices each in HW: [0,1,2], [3,4,5], [6,7,8], [9,10,11]

If a feature needs (like IPv4 ACL) needs to program ACLs which needs a width more than 160 bits, it can horizontally chain two Slices together to form one logical Slice. Example: Slice 0 and Slice 1 can be horizontally chained to make a logical slice which will have a width of 320 bits and depth 9210. Or Slice 0 and Slice 1 can be vertically chained to have a width of 160 bits and depth of 18420

But Slice 2 cannot be chained with Slice3, Slice 5 cannot chain with Slice 6 and Slice 8 cannot chain with Slice 9 due to the physical arrangement.

Now, depending on the requirement of the features, Slices can be chained either vertically and horizontally. Once two or more slices are chained, it is known as a "group". The group is the logical slice

Just from the show tech we cannot determine which slices have been chained.

However, the reason why some slices in the IFP shows as 0% utilised is probably because it is just an used Slice- not part of any group and not being utilised by any feature. But if required, some feature may reserve that slice and then it won't be 0% utilised.

We cannot determine how slices will be grouped (chained) and it is completely dynamic (depends on how the features wants to program the rules and what slices are available). In fact if you reload it, the programming will change and the slices which was reserved by feature-A can be reserved by feature-B

One way you can optimise your TCAM is by reducing the ACL rules for hosts (/32) and rather program a more abstract rule. For example:

Below is a ACL in your show tech

ip access-list IPv4_UPF_1_XFF
counters per-entry
10 permit ip any host
20 permit ip any host
30 permit ip any host
40 permit ip any host
50 permit ip any host
60 permit ip any host
70 permit ip any host
80 permit ip any host
90 permit ip any host
100 permit ip any host
110 permit ip any host
120 permit ip any host
130 permit ip any host
140 permit ip any host

You can see there is a lot of host based rules (/32). Each host consumes some resources. Instead, you can group all these hosts under one common subnet. For example

You can remove the rules 10,20,30 and have a single rule as:

10 permit ip any host

^ this will cover all the hosts that were present in rule 10,20,30 and have a single rule, which will in turn save some space in the IFP. Same thing can be done for other hosts as well to save more space

Above was just an example and you can plan out how to  utilise it even better according to your needs.

Let us know if you have any further query.



Post your Answer

You must be logged in to post an answer.