Security Hardening Calculators

Chapter 9 — Core Switch Security Hardening Design Guide


The following interactive calculators assist network security engineers in planning, sizing, and validating core switch security hardening deployments. Each calculator provides real-time results as inputs are adjusted, enabling rapid what-if analysis without manual computation. The five calculators cover the most common quantitative planning tasks: TCAM capacity planning, CoPP rate limit sizing, ACL entry budget estimation, hardening risk score assessment, and BGP prefix filter sizing.

TCAM Capacity Planner

Estimate total TCAM consumption across all security and forwarding features. Helps prevent TCAM exhaustion that silently disables security controls.

Input notes:
Full Internet table ≈ 900,000
IPv6 uses 2× TCAM vs IPv4
Each ACE uses 1–4 TCAM entries
Check platform datasheet

Output: TCAM Utilization Analysis, with TCAM utilization shown as a percentage.
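
The sizing arithmetic behind the TCAM notes above, as an added example (not the calculator's own code). It assumes one TCAM pool shared by routes and ACEs, which real platforms often carve into regions; every input except the 900,000 full-table figure is a constructed sample value.

```python
from dataclasses import dataclass

# Factors stated in the calculator notes on this page.
IPV6_TCAM_FACTOR = 2      # IPv6 uses 2x TCAM vs IPv4
ACE_EXPANSION = (1, 4)    # each ACE uses 1-4 TCAM entries


@dataclass
class TcamPlan:
    ipv4_routes: int
    ipv6_routes: int
    aces: int
    capacity: int  # total TCAM entries, from the platform datasheet

    def route_entries(self) -> int:
        return self.ipv4_routes + self.ipv6_routes * IPV6_TCAM_FACTOR

    def entries(self, ace_factor: int) -> int:
        """Total TCAM entries if every ACE expands to ace_factor entries."""
        return self.route_entries() + self.aces * ace_factor

    def utilization_range(self) -> tuple:
        """(best, worst) utilization in percent across the ACE expansion range."""
        return tuple(round(100 * self.entries(f) / self.capacity, 1)
                     for f in ACE_EXPANSION)

    def guaranteed_ace_headroom(self) -> int:
        """ACEs that fit even if each one expands to the worst-case factor."""
        free = max(self.capacity - self.route_entries(), 0)
        return free // ACE_EXPANSION[1]

    def verdict(self) -> str:
        best, worst = (self.entries(f) for f in ACE_EXPANSION)
        if worst <= self.capacity:
            return "fits"        # safe even with worst-case ACE expansion
        if best <= self.capacity:
            return "at-risk"     # fits only if ACEs expand less than worst case
        return "exceeds"         # routes plus ACEs cannot fit at all


# Constructed sample: full IPv4 table (page figure), assumed IPv6/ACE/capacity.
SAMPLE = TcamPlan(ipv4_routes=900_000, ipv6_routes=200_000,
                  aces=20_000, capacity=1_350_000)

if __name__ == "__main__":
    print("utilization % (best, worst):", SAMPLE.utilization_range())
    print("verdict:", SAMPLE.verdict())
    print("ACEs guaranteed to fit:", SAMPLE.guaranteed_ace_headroom())
```

An "at-risk" verdict means the plan fits only on paper: the configured ACE count exceeds the number guaranteed to fit, so the real per-ACE expansion has to be checked on the platform before deployment.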

CoPP Rate Limit Sizer

Calculate recommended CoPP (Control Plane Policing) rate limits for each traffic class based on your network size and routing protocol scale. Prevents CPU exhaustion while allowing legitimate control traffic.

Recommended CoPP Rate Limits (pps = packets per second)
Columns: Traffic Class, Recommended Rate (pps), Burst (pps), Action on Exceed

ACL Entry Budget Estimator

Estimate the total number of ACL entries (ACEs) required across all interface types, and check against platform TCAM limits. Helps prevent ACL budget exhaustion that leaves interfaces unprotected.

Input note: Complex ACEs may use 2–4 TCAM entries each

Output: ACL Entry Budget Analysis, with ACL TCAM utilization shown as a percentage.

Hardening Risk Score Assessor

Assess the current security hardening coverage across the eight hardening domains. Each slider represents the implementation completeness of that domain (0% = not implemented, 100% = fully implemented). The overall risk score indicates residual risk exposure.

Output: Hardening Coverage & Residual Risk Score, with the residual risk level shown on a Low Risk / Medium Risk / High Risk scale.

BGP Prefix Filter Sizer

Estimate the number of BGP prefix filter entries required and the TCAM impact for different BGP deployment scenarios. Helps plan TCAM allocation for BGP security controls including RPKI and prefix filtering.

Input notes:
Recommended: 110–130% of expected prefix count
Inbound + outbound prefix-list entries

Output: BGP Prefix Filter & TCAM Sizing, with FIB TCAM utilization shown as a percentage.