Cisco Nexus 9300 – TCAM Carving Explained

Tags: acl, cisco, cisco-nexus, network, tcam

I have a Cisco Nexus C9396PX L3 switch and I have configured a bunch of ACLs (inbound) on it to deny/permit traffic. Now, when I try to add more ACL entries, I get an error that the TCAM table is full. Here is the TCAM output:

If you look at the line "Ingress IPv4 RACL 259 253 50.59", that is for L3 ACLs and it has reached 50% utilization, but I still have 50% free, so why am I not able to add more rules? One thing I noticed is that it is Ingress, so maybe I have used up all the Ingress entries and whatever is left is for egress. Am I right?

Let's say I am not using any L2 function on the switch and want to give the VACL TCAM size to RACL. Is that possible?

swt-c9396PX# show hardware access-list resource utilization

slot  1
=======



INSTANCE 0x0
-------------


         ACL Hardware Resource Utilization (Mod 1)
         ----------------------------------------------------------
                                        Used    Free    Percent
                                                        Utilization
-------------------------------------------------------------------
Ingress IPv4 PACL                       3       509     0.59
Ingress IPv4 Port QoS                   4       252     1.56
Ingress IPv4 VACL                       2       510     0.39
Ingress IPv4 RACL                       259     253     50.59
Egress IPv4 VACL                        3       509     0.59
Egress IPv4 RACL                        3       253     1.17
SUP COPP                                205     51      80.08
SUP COPP Reason Code TCAM               6       122     4.69
Redirect                                2       510     0.39
VPC Convergence                         1       255     0.39
sFlow Northstar ACL                     0       256     0.00

LOU                                     2       22      8.33
Both LOU Operands                       2
Single LOU Operands                     0
LOU L4 src port:                        1
LOU L4 dst port:                        1
LOU L3 packet len:                      0
LOU IP tos:                             0
LOU IP dscp:                            0
LOU ip precedence:                      0
LOU ip TTL:                             0
TCP Flags                               0       16      0.00

Protocol CAM                            2       244     0.81
Mac Etype/Proto CAM                     0       14      0.00

L4 op labels, Tcam 0                    0       1023    0.00
L4 op labels, Tcam 2                    1       62      1.58
L4 op labels, Tcam 6                    0       2047    0.00

Ingress Dest info table                 0       512     0.00
Egress Dest info table                  0       512     0.00


INSTANCE 0x1
-------------


         ACL Hardware Resource Utilization (Mod 1)
         ----------------------------------------------------------
                                        Used    Free    Percent
                                                        Utilization
-------------------------------------------------------------------
Ingress NS IPv4 Port QoS                1       255     0.39
Ingress NS IPv4 L3 QoS                  1       255     0.39
Ingress NS IPv4 VLAN QoS                1       255     0.39

LOU                                     0       24      0.00
Both LOU Operands                       0
Single LOU Operands                     0
LOU L4 src port:                        0
LOU L4 dst port:                        0
LOU L3 packet len:                      0
LOU IP tos:                             0
LOU IP dscp:                            0
LOU ip precedence:                      0
LOU ip TTL:                             0
TCP Flags                               0       16      0.00

Protocol CAM                            0       246     0.00
Mac Etype/Proto CAM                     0       14      0.00

Best Answer

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_chapter_01010.html#concept_945210FB9986499285C6A00065105AC9

(Quote from documentation) Atomic ACL Updates

By default, when a supervisor module of a Cisco Nexus 9000 Series device updates an I/O module with changes to an ACL, it performs an atomic ACL update. An atomic update does not disrupt traffic that the updated ACL applies to; however, an atomic update requires that an I/O module that receives an ACL update has enough available resources to store each updated ACL entry in addition to all pre-existing entries in the affected ACL. After the update occurs, the additional resources used for the update are freed. If the I/O module lacks the required resources, the device generates an error message and the ACL update to the I/O module fails. If an I/O module lacks the resources required for an atomic update, you can disable atomic updates by using the no hardware access-list update atomic command; however, during the brief time required for the device to remove the preexisting ACL and implement the updated ACL, traffic that the ACL applies to is dropped by default. If you want to permit all traffic that an ACL applies to while it receives a nonatomic update, use the hardware access-list update default-result permit command.

Paraphrasing: if you have one ACL on a Nexus which uses 51% of your TCAM, you cannot update it without turning off atomic update, because that would require 102% of your TCAM.
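To make the rule in the quoted documentation concrete, here is an added example (not part of the question or the answer, and not Cisco code): a small Python script that parses the "show hardware access-list resource utilization" rows pasted in the question and applies the atomic-update arithmetic to them. The sample text is copied from the question's output and trimmed; the script never talks to a switch. It assumes, as the answer does, that the Ingress IPv4 RACL region is consumed by a single ACL, so the whole "Used" count is what an atomic update has to duplicate.

```python
import re

# Constructed sample: the ACL rows from the question's own
# "show hardware access-list resource utilization" output, trimmed.
SAMPLE_OUTPUT = """\
         ACL Hardware Resource Utilization (Mod 1)
         ----------------------------------------------------------
                                        Used    Free    Percent
                                                        Utilization
-------------------------------------------------------------------
Ingress IPv4 PACL                       3       509     0.59
Ingress IPv4 VACL                       2       510     0.39
Ingress IPv4 RACL                       259     253     50.59
Egress IPv4 VACL                        3       509     0.59
Egress IPv4 RACL                        3       253     1.17

LOU                                     2       22      8.33
Both LOU Operands                       2
"""

# A utilisation row is a name followed by exactly three numeric columns
# (Used, Free, Percent). Header, separator and single-count rows do not match.
ROW_RE = re.compile(
    r"^(?P<name>\S.*?)\s{2,}(?P<used>\d+)\s+(?P<free>\d+)\s+(?P<pct>\d+\.\d+)\s*$"
)


def parse_utilization(text):
    """Map region name -> (used, free, total) for every Used/Free/Percent row."""
    regions = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            used, free = int(m["used"]), int(m["free"])
            regions[m["name"].strip()] = (used, free, used + free)
    return regions


def entries_needed(used, added, atomic=True):
    """Free entries the I/O module must have for the update to program.

    Atomic (the default): the updated ACL (used + added entries) is written
    alongside the old copy before the old copy is freed, so it needs used + added.
    Non-atomic ("no hardware access-list update atomic"): the old ACL is removed
    first, so only the net growth has to fit.
    Assumption: the region holds one ACL, as in the question. With several
    ACLs in a region only the ACL being edited is duplicated.
    """
    return used + added if atomic else added


def update_fits(regions, region, added, atomic=True):
    """Return (fits, needed, free) for adding `added` entries to `region`."""
    used, free, _total = regions[region]
    needed = entries_needed(used, added, atomic)
    return needed <= free, needed, free


def headroom(regions, region, atomic=True):
    """Most entries that can be added in one update, or None when the ACL
    cannot be modified at all because the atomic copy alone exceeds Free."""
    used, free, _total = regions[region]
    if atomic:
        return free - used if free >= used else None
    return free


if __name__ == "__main__":
    regs = parse_utilization(SAMPLE_OUTPUT)
    for atomic in (True, False):
        fits, needed, free = update_fits(regs, "Ingress IPv4 RACL", 1, atomic)
        print(f"atomic={atomic}: adding 1 entry needs {needed} free, have {free}: "
              f"{'ok' if fits else 'FAILS'}; "
              f"headroom={headroom(regs, 'Ingress IPv4 RACL', atomic)}")
```

Run against the question's numbers, the atomic path needs 260 free entries for a one-line change but only 253 exist, which is exactly the "TCAM full" error at 50% utilisation; the non-atomic path needs only the net growth, so up to 253 entries could be added. The trade-off the quoted documentation spells out is worth keeping in mind before flipping that switch: with atomic updates disabled the ACL is absent for a moment, during which its traffic is dropped by default, and "hardware access-list update default-result permit" turns that drop into a brief permit of traffic the ACL would normally deny. Re-carving the regions so the RACL region is larger (the questioner's other idea) is not addressed by the answer.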
