Date created: Monday, September 9, 2024 8:52:48 AM. Last modified: Tuesday, October 1, 2024 5:22:09 PM
TCAM Profiles
References
https://www.arista.com/en/support/toi/tcam-profile
https://www.arista.com/en/support/toi/user-defined-tcam-profiles-toi
https://www.arista.com/en/support/toi/eos-4-26-0f/14755-user-defined-tcam-profiles
https://www.arista.com/en/support/toi/eos-4-20-5f/14022-tcam-reservation-on-sand
https://www.arista.com/en/solutions/flexroute-engine-ip-forwarding
https://www.arista.com/en/support/toi/eos-4-27-2f/15092-optimized-ipv4-route-scale-with-8-to-1-compression
https://www.arista.com/en/support/toi/eos-4-21-3f/14164-fib-compression
Routing and Forwarding Scale (TCAM vs MDB Profiles)
Arista forwarding plane resources are split into two sections:
- The Modular Database (MDB), which is not user customisable
- The TCAM profile, which is user customisable
An MDB profile is configured by default and can be changed only to one of the presets in EOS. Users can't create their own MDB profiles. These profiles control the allocation of forwarding resources for base features like IPv4/6 routing, MAC learning ACL entries etc. The profiles allocate a static amount of forwarding resources for these features.
Example using the l3-xxxl MDB profile:
7280R3#show platform sand mdb profile detail
System profile: l3-xxxl
FAP FAP Type Profile
---------- ---------------- --------------
Fap0 Jericho2B1 arista-l3-xxxl
The fixed forwarding resources which are carved up by the MDB profile can be seen in the output of the CLI command "show hardware capacity" (all entries except those starting with "TCAM").
EOS Flex-Route is a configurable option from Arista to increase IP FIB capacity if needed. Flex-Route if required needs to be enabled in the TCAM profile, and uses additional TCAM banks to store forwarding data.
Another option available to increase the FIB size is to enable FIB Compression.
TCAM profiles allows an operator to allocate the limited TCAM resources to optional features, based on the operators feature requirements i.e., no TCAM banks are allocated for features which the operator doesn't need. The TCAM space is dynamically allocated based on the TCAM profile, which is different to the space allocated by the MDB profile which allocates a fixed/static amount of resources.
The TCAM profile states how many resources are required for a specific feature, but the resources are not allocated for that feature until it is actually used. Also, as a feature uses more resources, more TCAM banks will be dynamically allocated for that feature, based on the definition in the TCAM profile.
The configurable forwarding resources which are carved up by defining a custom TCAM profile can be seen in the output of the CLI command "show hardware capacity" (all entries which start with "TCAM").
7280R3 TCAM
The 7280R3 series routers have 16x 160 bit wide TCAM banks. Router features require TCAM space. A bank can be used for a single feature only.
If a feature has to match a source and destination IPv4 address for example, that is 64 bits. That will fit into a single TCAM bank because they are 160 bits wide. Therefore, a single TCAM bank can be allocated for that feature. If a source and destination IPv6 address both have to be matched for a specific feature, that feature will require 2x 160 bit TCAM banks. Most IPv4 features use a single 160 bit TCAM bank and all IPv6 features use two banks.
EOS does support allocating 80 bits to a feature (if say, it only has to match an MPLS label), meaning a TCAM bank can be split and used for two separate features with a smaller number of bits required. EOS allows for 80 bits, 160 bits, or 320 bits to be allocated for a feature (half a bank, 1 bank, or 2 banks), no other sizes, and no custom sizes.
The first 12 TCAM banks store 2048x 160 bit entries, and the last 4 TCAM banks store only 256x 160 bit entries. However, allocating 1x 160 bit TCAM bank for an IPv4 feature for example, doesn't guarantee 2048 entries for that feature. Equally, allocating 2x 160 bit banks for an IPv6 feature doesn't guarantee 2048 entries for that feature. The reason for this is that features which use TCAM space can use two different methods to squeeze data into the TCAM, they can spread data over multiple entries either "vertical scaling" or multiple banks "horizontal scaling" (not official Arista terms!).
For example, let's consider a single IPv4 FlowSpec rule. If all the data required for matching packet headers fits into 160-bits, then it would use a single TCAM entry in a single TCAM bank. Let's pretend that a matched packet may have one of four possible actions applied to it, and only two actions can be encoded in a single TCAM entry. In this case, the same FlowSpec rule will be programmed twice, using two entries in a TCAM bank, one entry maps to actions 1 & 2, the other entry maps to actions 3 & 4. This is "vertical" scaling (using multiple rows/entries in a bank). As a result a single FlowSpec rule has used two TCAM entries. "horizontal" scaling then, would be the case where 160-bits isn't enough space to match all the packet header options and two TCAM banks have to be used to store up to 320-bits of header matching data. This results in a single FlowSpec rule being split across an entry in TCAM bank 1 and an entry in TCAM bank 2. In this case we can still get 2048 entries per bank, but we're using twice as many banks. And just for fun, TCAM features can employ both horizontal and vertically scaling techniques at the same time, if the feature is sufficiently complex and needs to store a lot of data. In this case two entries are used in each TCAM bank meaning four TCAM entries in total. An example of this can be seen in the output "show platform fap acl tcam hw bank" when complex features like Flowspec are configured and complex rules have been configured (that match a range of ports for example).
When a TCAM bank becomes full, if there are free unallocated TCAM banks, a free bank will be allocated to a feature as it requests additional TCAM entires. TCAM profiles describe how TCAM banks should be allocated when they are needed. TCAM banks are allocated and released dynamically as usage increases and decreases. This means that TCAM profiles can oversubscribe TCAM resources, because usage is demand based. Even when 320-bits of TCAM space are allocated for a feature in a TCAM profile, if the feature only needs 160-bits of space, then only one TCAM bank will be used by that feature. This means it's quite difficult to tell from a TCAM profile, how much TCAM space the features on a router will use.
In addition to the 16x TCAM banks used for matching traffic, there are 32x TCAM banks used for then storing the action to be taken against the matched traffic. The first 24 action banks store 2048x 32-bit entries. The last 8 action banks store 256x 32-bit entries.
When a key size of 80 bits is allocated for a feature, 1x action bank is allocated for the feature to store the actions for that traffic. When a key size of 160 bits is allocate for a feature, 2x action banks are allocated for that feature (giving 64 bits for the action). When a key size of 320 bits is allocated for a feature, 4x action banks are allocated for that feature (giving 128 bits for the action). This means that some features may need to be configured to use 320-bits/2 Banks, because they require more actions (even though the key fields fit in 80 or 160 bits of space).
Key Size Limit
Note that when configuring TCAM features on EOS, by default 2x 160bit TCAM banks are allocated for the feature. This is fine for IPv6. For IPv4 only 1x 160bit TCAM bank is needed (most of the time, sometimes only 80 bits are needed). Therefore, IPv4 features are often explicitly configured with key size limit 160. This stops a feature from using more TCAM banks than expected, but if that extra space was needed, it could stop the feature from working at all. Without "key size limit 160" 2x 160bit TCAM banks can be allocated for an IPv4 feature, but will only be allocated if needed. This is also why it is best practice to specify no key size for IPv6 features, because they default to 320 bits.
Priority
TCAM features have a configurable priority. If Flowspec is active on an interface and a traffic policy, and they both have rules in TCAM which match an incoming packet, one needs to be chosen to decide which action to take. If any feature has a drop action, this take absolute priority, if there are no drop actions, then the action from the highest matching feature (i.e., Flowspec or Traffic-Policy or Policer or ACL) is performed.
Below the priority of all TCAM features can be see, the features which are enabled in the running TCAM policy are listed at the top, unused features are listed below in priority order (here, the default priority of the configured features hasn't been changed):
7280R3#show platform fap tcam action-priority TCAM Database Action Priority (Fap0) Database Active Default ----------------------------------------------- -------------- -------- dbEgressIpAcl 805 805 dbTrafficPolicyIp6Egress 515 515 dbTrafficPolicyIp4Egress 510 510 dbDirectExtractionPmf3 505 505 dbOamNoSysHeader 495 495 dbTrafficPolicyIp6 200 200 dbTrafficPolicyIp4 195 195 dbEvpnMplsEsiFiltering 190 190 dbL2ProtocolFwd 185 185 dbEvpnMplsEsiLocalToRemote 180 180 dbDirectExtractionPmf1 170 170 dbMplsFemDirectExtraction 165 165 dbFlowspecIp6 80 80 dbEvpnMplsBridging 51 51 dbTunnelTermination 45 45 dbFlowspecIp 40 40 dbVxlanVarp 35 35 dbMplsSystem 25 25 dbIpMirror 15 15 -------- -------- -------- dbEgressIp6Racl - 830 dbEgressIp6Pacl - 825 dbEgressVxlanDrop - 820 dbEgressRfc2544 - 815 dbEgressMacAcl - 810 dbEgressMirrorCongestion - 800 dbOam - 495 dbSegmentSecurityIp6 - 235 dbSegmentSecurityIp4 - 230 dbIp6PostcardPolicy - 225 dbIp4SampledFlowTracking - 220 dbIpPostcardPolicy - 215 dbIp6CpuTrafficPolicy - 210 dbIpCpuTrafficPolicy - 205 dbSflowFilteredSampling - 205 dbTrafficPolicyIp6VlanInterface - 194 dbTrafficPolicyIp4VlanInterface - 193 dbFlow - 175 dbDirectExtractionPmf1Srv6 - 170 dbDirectExtractionPmf3Srv6 - 169 dbIpTcpMss - 166 dbHashingReplacementIpv4 - 164 dbHashingReplacementIpv4Null - 163 dbHashingReplacementIpv6High - 162 dbHashingReplacementIpv6Low - 161 dbMacQos - 160 dbMacMirror - 155 dbTapTunnelTermination - 150 dbIp6TapAgg - 145 dbIpTapAgg - 140 dbMacTapAgg - 135 dbVniLookup - 131 dbIpTunnelIntfPbr - 131 dbMplsPbr - 130 dbIp6Pbr - 125 dbIpPbr - 120 dbIp6Qos - 115 dbEgressIp6SharedAcl - 110 dbTapPort - 105 dbIp6Mirror - 100 dbIpTunnelIntfAcl - 95 dbIpPacl - 85 dbCbf - 75 dbIpRacl - 70 dbIp6Pacl - 65 dbIp6Racl - 60 dbIpQos - 50 dbVxlanMultihomingMcast - 45 dbVxlanFemDirectExtraction - 45 dbVxlanVarp6 - 36 dbMacPacl - 30 dbIp6VrfSelection - 1 dbPvlan - 1 dbUrpfLookupVrf - 1 dbIpv4TtBasic - 1 dbDirectExtractionPmf1StormControlSubIntf - 0 dbDirectExtractionSetDscp - 0 dbDirectExtractionSetUnderlaySysInLif - 0 dbDirectExtractionPmf1GroupPolicer - 0 dbDirectExtractionPmf1IntfPolicingCounter - 0 dbDirectExtractionSetEcn - 0 dbSecondaryVrfDestDirectExtraction - 0 dbDirectExtractionPmf1SubintfSflow - 0
TCAM Usage
The TCAM profile states how many resources are required for a specific feature, but the resources are not allocated for that feature until it is actually used. Also, as a feature uses more resources, more TCAM banks will be dynamically allocated for that feature, based on the definition in the TCAM profile.
Example output is shown below from a lab 7280R3. It can be seen that 28 TCAM banks worth of features are configured in the profile:
7280R3#show hardware tcam profile XXXX detail | inc Key size Key size: 160 Key size: 160 Key size: 320 Key size: 160 Key size: 160 Key size: 160 Key size: 320 Key size: 320 Key size: 320 Key size: 160 Key size: 320 Key size: 320 Key size: 160 Key size: 320 Key size: 320 Key size: 320 Key size: 160 Key size: 320
However, the device only has 16 TCAM banks.
One can see which banks are used in the command output below:
7280R3#show platform fap tcam summary Tcam Allocation (Fap0) Bank Used By Reserved By ---------- -------------------------------- ----------- 0 dbEvpnMplsEsiFiltering - 1 dbEvpnMplsEsiLocalToRemote - 1 dbEvpnMplsBridging - 2 dbIpv6MpTtBasic - 3 dbTrafficPolicyIp4 - 3 dbTrafficPolicyIp6 - 4 dbTrafficPolicyIp4Egress - 4 dbTrafficPolicyIp6Egress - 5 dbL2ProtocolFwd - 12 dbSystem - 12 dbSystem6 - 12 dbMplsSystem - 13 dbEgressOlp - 15 dbMacSystem - 15 dbTunnelTermination -
Banks 0, 1, 2, 3, 4, 5, 12, 13, and 15 are used, meaning banks 6, 7, 8, 9, 10, 11, and 14 are free. One can also see that some features are sharing a TCAM banks.
Previous page: EVPN ARP / NDP Proxy Suppression
Next page: Local Route Leaking Agent