On the 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, and 7210 SAS-K 3SFP+ 8C, resources must be allocated among SAP ingress QoS and ingress ACLs. Users do not need to further allocate resources individually for MAC and IPv4 or IPv6 criteria.
The qos-sap-ingress-resource and acl-sap ingress commands under the system>resource-profile>ingress-internal-tcam context allocate resources to ingress QoS and ingress ACLs:
On the 7210 SAS-D and 7210 SAS-Dxp, resources are allocated in slices with 256 entries per slice.
On the 7210 SAS-K 2F1C2T and 7210 SAS-K 2F6C4T, resources are allocated with 510 entries per slice.
On the 7210 SAS-K 3SFP+ 8C, resources are allocated with 192 entries per slice.
The acl-sap egress command in the system>resource-profile>egress-internal-tcam context allocates resources to egress ACLs:
On the 7210 SAS-D and 7210 SAS-Dxp, resources are allocated in slices with 128 entries per slice.
On the 7210 SAS-K 2F1C2T and 7210 SAS-K 2F6C4T, resources are allocated with 510 entries per slice.
On the 7210 SAS-K 3SFP+ 8C, resources are allocated with 180 entries per slice.
config> system> resource-profile...
...
acl-sap-ingress 3
mac-match-enable max
ipv4-match-enable 1
no ipv6_128-ipv4-match-enable
no ipv6_64-only-match-enable
exit
...
In the preceding CLI example, the system performs the following actions:
3 chunks are allocated for use by the SAP ingress ACL entries.
1 chunk is allocated for use by SAP ingress ACL entries that use ipv4-criteria. The system fails the configuration when the number of ACL entries using ipv4-criteria exceeds the configured limit (that is, the system does not allocate in excess of the configured limit of 1 chunk).
A chunk is allocated for use by SAP ingress ACL entries that use mac-criteria. After the max keyword is specified, the system allocates 1 chunk for use when an ingress ACL policy (with mac-criteria entries defined) is associated with a SAP. The system can allocate up to 2 chunks because the max keyword is used. More chunks are allocated when the user configures a SAP that uses mac-criteria and all entries in the allocated chunks are used up. The system fails the configuration if the number of ACL entries with mac-criteria exceeds the limit of 2 chunks allocated to SAP ingress ACL match (that is, the system does not allocate in excess of the configured limit of 3; up to 2 chunks of the configured 3 chunk limit are allocated to mac-criteria and 1 chunk is allocated to ipv4-criteria).
The system fails a user attempt to use SAP ingress ACLs with IPv6 match criteria (and other combinations listed in the preceding list items), because the user has disabled these criteria.
config> system> resource-profile>ingress-internal-tcam>
...
acl-sap-ingress 3
mac-match-enable max
ipv4-match-enable 1
no ipv6_128-ipv4-match-enable
ipv6_64-only-match-enable max
exit
...
In the preceding CLI example, the system performs the following actions:
3 chunks are allocated for use by the SAP ingress ACL entries. These resources are available for use with mac-criteria, ipv4-criteria and ipv6-64-bit match criteria.
1 chunk is allocated for use by SAP ingress ACL entries that use ipv4-criteria. The system fails the configuration if the number of ACL entries using ipv4-criteria exceeds the configured limit (that is, the system does not allocate more than the configured limit of 1 chunk).
1 chunk is allocated for use by SAP ingress ACL entries that use mac-criteria when the user associates an ingress ACL policy (with mac-criteria entries defined) with a SAP. Because the max keyword is used, the system can allocate more chunks, if a chunk is available for use.
In this example, (assuming a SAP with an ingress ACL policy that uses ipv6-64-bit criteria is configured), as no additional chunks are available, mac-criteria cannot allocate more than 1 chunk (even if the max keyword is specified). The system fails the configuration if the number of ACL entries with mac-criteria exceeds the limit of 1 chunk allocated to SAP ingress ACL mac-criteria (that is, the system does not allocate more than the configured limit of 3 chunks = 1 for mac-criteria + for ipv4-criteria + 1 for ipv6-criteria).
A chunk is allocated for use by SAP ingress ACL entries that use ipv6-64-bit criteria when the user associates an ingress ACL policy (with ipv6-64-bit-criteria entries defined) with a SAP. Because the max keyword is specified, the system can allocate more chunks, if a chunk is available for use.
In this example, as there are no more chunks available, ipv6-64-bit criteria cannot allocate more than 1 chunk (even if the max keyword is specified). The system fails the configuration when the number of ACL entries with ipv6-64-bit criteria exceeds the limit of one chunk allocated to SAP ingress ACL match (that is, the system does not allocate more than the configured limit of 3 chunks = 1 for mac-criteria + 1 for ipv4-criteria + 1 for ipv6-64-bit criteria).
The system fails any attempt to use SAP ingress ACLs with ipv6-128 bit match criteria (and the other combinations listed above), because the user has disabled these criteria.
In Example 2, the user can run no ipv4-match-enable command to disable the use of ipv4-criteria. The system checks for SAPs that use ipv4-criteria and if found, fails the command; otherwise, the chunk freed for use with either mac-criteria or ipv6-64-bit criteria. The entire chunk is allocated to mac-criteria if the first SAP that needs resources requests for mac-criteria and no entries in the chunk are already allocated to mac-criteria, which leaves no resources for use by ipv6-64-bit criteria. In the same way, the entire chunk is allocated to ipv6-64-bit criteria, if the first SAP that needs resources requests for ipv6-64-bit criteria and no entries in the chunk are already allocated to ipv6-64-bit criteria, which leaves no resources for use by mac-criteria.