When the user allocates resources from the ingress CAM resource pool for use by filter policies using the configure>system>resource-profile CLI commands, the system allocates resources in fixed-size chunks of entries (for example, 256 entries per chunk on 7210 SAS-D).
For both the ingress-internal-tcam resource pool and the egress-internal-tcam resource pool, the number of entries in each chunk or slice differs from platform to platform.
The use of these entries by the different types of match criteria is described below. The following examples assume that a chunk/slice has 256 entries, as on the 7210 SAS-D. The examples and computations must be adjusted for other platforms that have a different number of entries per chunk/slice.
mac-criteria
The user must allocate resources for mac-criteria from the filter resource pool by using the command configure>system>resource-profile>ingress-internal-tcam>acl-sap-ingress>mac-match-enable before using ingress ACLs with mac-criteria. Every entry configured in a filter policy using mac-criteria uses one (1) entry from the chunks allocated for use by mac-criteria in the hardware.
For example: Assume a filter policy is configured with 50 entries. Using configure>system>resource-profile>ingress-internal-tcam>acl-sap-ingress>mac-match-enable 1, the user configures one chunk for use by mac-criteria (allowing a total of 256 entries, with one reserved for internal use, for use by SAPs using filter policies that use mac-criteria). In this case, the user can have 5 SAPs using the mac-criteria filter policy, consuming 250 entries.
ipv4-criteria
The user must allocate resources for ip(v4)-criteria from the filter resource pool by using the command configure>system>resource-profile>ingress-internal-tcam>acl-sap-ingress>ipv4-match-enable before using ingress ACLs with ipv4-criteria. The resource usage per IPv4 match entry is the same as for mac-criteria; see the preceding example. When the filter is created with use-ipv6-resource, the resource usage is the same as for IPv6 filters using ipv6-128-bit-addresses.
ipv6-criteria using ipv6-64-bit addresses
The user must allocate resources for ipv6-criteria with 64-bit address match from the filter resource pool by using the command configure>system>resource-profile>ingress-internal-tcam>acl-sap-ingress>ipv6-64only-match-enable before using ingress ACLs with ipv6-criteria that use only IPv6 64-bit addresses for source and destination IPv6 addresses.
The IPv6 header fields available for matching are limited. See the following CLI description for filters for more information. The usage is the same as for ipv4-criteria and mac-criteria. An IPv6 128-bit address uses 2 entries from the chunk for every match entry configured in the filter policy, whereas an IP filter uses only one entry from the chunk for every entry configured.
ipv6-criteria using ipv6-128-bit addresses
The user must allocate resources for ipv6-criteria with 128-bit address match from the filter resource pool by using the command configure>system>resource-profile>ingress-internal-tcam>acl-sap-ingress>ipv4-ipv6-128-match-enable before using ingress ACLs with ipv6-criteria that use only IPv6 128-bit addresses for source and destination IPv6 addresses. These resources can be shared by a policy that uses only IPv4 criteria entries. Every entry configured in a filter policy using ipv6-criteria with 128-bit addresses uses two (2) entries from the chunks allocated for use by ipv6-criteria (128-bit) in the hardware.
For example: Assume a filter policy is configured with 50 entries. Using configure>system>resource-profile>ingress-internal-tcam>acl-sap-ingress>ipv4-ipv6-128-match-enable 1, the user configures one chunk for use by ipv6-criteria with 128-bit addresses (allowing a total of 128 entries for use by SAPs using filter policies that use these criteria). In this case, the user can have five (5) SAPs using this filter policy, consuming 125 entries. When a chunk is allocated to IPv6 criteria, the software automatically adjusts the number of available entries in that chunk to 128, instead of 256, because 2 entries are needed to match IPv6 fields.
Users can use the tools>dump>system-resources command to see the current usage and availability. For example, although chunks are allocated in units of 256 entries, only 128 entries are shown against filters that use IPv6 128-bit addresses. One or more entries are reserved for system use and are not available to the user.