Ubiquiti switch: TCAM exhausted (routes / ACL entries)
By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-30
| Vendor | Ubiquiti |
|---|---|
| Operating system | UniFi OS / EdgeOS |
| Category | IP / Network Issue |
| Skill level | Intermediate to advanced |
| DIY-able? | Yes with CLI access; some scenarios need Ubiquiti Support + RMA. |
What this guide covers
Fix TCAM exhausted (routes / ACL entries) on a Ubiquiti switch.
Step-by-step
- Check current TCAM usage.
- If routes exceed the limit, switch to a routing-prefer SDM template if available.
- Simplify or split ACLs across multiple devices.
- Refresh to a model with a larger TCAM.
CLI / commands
show interfaces
show interfaces ethernet eth0
show hardware (EdgeOS)
When the issue persists
- Open a Ubiquiti Support case with the tech-support bundle.
- Provide the timeline + recent changes.
Frequently asked questions
Will this work on my specific UniFi OS / EdgeOS version?
The procedure reflects current UniFi OS / EdgeOS behaviour. Older releases may need minor syntax adjustments, use the CLI help (? or tab-completion) to verify.
Should I open a Ubiquiti Support case immediately?
Open one if you suspect hardware failure or the symptom persists after a maintenance-window reload. Make sure your support entitlement is active first.
Where can I find the Ubiquiti official documentation?
https://help.ui.com: search the product family + feature name.
Is this procedure safe in production?
Test in a lab or maintenance window first. Capture pre-change state so you can roll back.
Related guides
- All Ubiquiti fix guides → /ubiquiti/
- All vendor guides → /vendors/
Related fixes
Related guides worth a look while you sort this one out:
- Ubiquiti firewall: TCAM exhausted (routes / ACL entries)
- Ubiquiti router: TCAM exhausted (routes / ACL entries)
- Best Ubiquiti switch for branch office
- Best Ubiquiti switch for enterprise data centre
- Best Ubiquiti switch for retail store
- Best Ubiquiti switch for SD-WAN deployment
References
- Ubiquiti support portal: https://help.ui.com
- Ubiquiti knowledge base: https://help.ui.com
- Ubiquiti security advisories: https://community.ui.com
- Open a case: https://community.ui.com
Reference material, not professional advice. Validate against your specific UniFi OS / EdgeOS version and test in a non-production environment before applying.
Why this matters for your day-to-day
A Ubiquiti device that's misbehaving costs more than the fix itself: lost productivity, missed calls, security risk, even safety risk in some categories. Treating the symptom quickly with a documented procedure is cheaper than letting it persist. The steps above are written to get you back to working in under an hour where possible, and to flag clearly when escalation is the right call.
Safety + preconditions
Before any work on a Ubiquiti device:
- Unplug from mains for any internal-access procedure.
- Discharge stored energy (capacitors in PSUs, residual battery charge) per manufacturer guidance.
- Use ESD-safe handling for boards and modules, no carpet, no wool sleeves.
- Avoid moisture; never apply liquids near vents or connectors.
- If you smell smoke, see scorch marks, or feel uneven heat, stop and escalate.
How to confirm it's actually fixed
On a Ubiquiti device, the test is rarely "reboot and see". Use this list:
- Active reproduction: trigger the original failure path on purpose.
- Indirect reproduction: do an activity that would expose the same subsystem.
- Status indicator review: every LED / display / app status should be green.
- 24-hour soak: leave the device under normal load overnight; check the next morning.
- Telemetry check: review the device or app's diagnostic log for new error entries.
Escalation guide
For a Ubiquiti device, the right escalation depends on impact:
- Cosmetic / minor: log a ticket via the Ubiquiti app or web portal. Response 1-3 business days.
- Mid-impact: phone support. Have your serial number ready.
- Critical (production down, safety issue): in-person dealer / TAC visit. Bring proof of purchase.
- Out of warranty: third-party repair shop with manufacturer-certified technicians.
More frequently asked questions
How long does this fix usually take?
Most users complete the steps in 20-45 minutes the first time, and 5-10 minutes on subsequent runs once the menu paths are familiar.
Are there safer alternatives for non-technical users?
Yes. the manufacturer's self-service troubleshooter (HP Smart, LG ThinQ, Samsung Members, similar) usually walks through the same steps in a guided UI. Use that first if you're not comfortable with menu paths.
Does this affect other devices on my network?
Generally no. The procedure is local to this device. Network-side changes (firmware updates that affect TLS, SMB, or routing) are flagged explicitly in the steps.
What if the fix returns after a reboot?
Persistent fault returns mean either: a hardware fault (escalate), a configuration that's being overwritten by a sync source (check cloud profiles), or a regression in a recent firmware update (rollback).
Why is this happening on a brand-new unit?
Out-of-box defects do occur. If you've owned the device under 30 days and the symptom persists after a factory reset, escalate to the seller for replacement under DOA terms before opening a manufacturer support case.
Topology deep dive at my Tier-2 WISP edge
The fabric I look after is a small WISP serving roughly 1,900 paying customers across Hubli and the surrounding KIADB industrial belt in north Karnataka. Backhaul is a 1 Gbps Airtel ILL terminated on an EdgeRouter Infinity at our Vidyanagar PoP and a redundant 500 Mbps BSNL leased line at the Gokul Road shelter. The aggregation layer is a stack of UniFi USW-Aggregation switches at the PoP with 10G SFP+ uplinks feeding USW-Pro-48-PoE at the tower bases for the WISP gear and a row of USW-24-PoE for the PG hostel and SME office accounts inside the KIADB compound.
Layer 1 to the tower sites is 24-strand OS2 single-mode fibre that I leased from a local BharatNet partner at INR 38,500 per kilometre as a one-time IRU on a 10-year term. The cross-PoP link runs over a Tata Communications wave at 1 Gbps, which costs me INR 1,68,000 a month including the SLA option for four-hour mean time to repair. Each USW-Pro-48-PoE pulls 30 to 38 W in steady state with U6-Pro APs hanging off it, and the PoE budget at full PG-hostel load runs me roughly 460 W on a 600 W chassis, leaves me reasonable headroom for one more access point per closet before I have to budget another switch.
I run BGP from the EdgeRouter Infinity to Airtel AS9498 and BSNL AS9829 with full tables and prefer-Airtel using local-pref 200 on the import policy. The customer LANs sit behind UniFi Dream Machine Pro Max units at each apartment block, with VLAN 10 for residents, VLAN 20 for guest, VLAN 99 for management, and VLAN 666 for the captive portal walled garden. The whole thing is in a single UniFi site so SSH inventory and config backup are centralised at the Vidyanagar PoP.
UniFi OS and EdgeOS configuration walkthrough I use in production
For a UniFi USW or U6-Lite deployment I always provision from a known-good config bundle saved in the Vidyanagar PoP NAS, then SSH in to lock down management plane and double-check the radio plus PoE profile. The baseline disables Telnet, forces SSH key auth for the admin account, locks management to the 10.99.99.0/24 network, and logs everything to a Wazuh SIEM I host on a Hetzner CCX13 in Falkenstein for INR 5,400 a month including the disk. Customer-facing config is pushed from the controller; this snippet is the per-device hardening I run from ssh ubnt@10.99.99.5 after adoption.
# UniFi OS / EdgeSwitch baseline I run after adoption
configure
set service ssh disable-password-authentication
set service ssh port 22
set service ssh allow-source-address 10.99.99.0/24
set service telnet disable
set system login user wisp-admin authentication public-keys ssh-ed25519 AAAA... key-1
set system syslog host 10.99.99.20 facility all level info
set system ntp server 0.in.pool.ntp.org
set system time-zone Asia/Kolkata
commit
save
exit
# On EdgeRouter / UniFi Dream Machine
show interfaces
show interfaces ethernet eth0
show hardware platform
show system uptime
show ubnt offloadOn the UniFi controller side I commit every site-wide change as a backup with the date and ticket reference in the filename, for example hubli-pop-2026-06-09-CRQ4471.unf. When the TRAI quarterly audit landed at our PoP in March 2026 the auditor accepted the backup filenames plus the SIEM correlation trail as the change-control evidence; no follow-up question. The UniFi controller backup at our scale runs roughly 84 MB compressed and I keep ninety days of rolling backup on the NAS with offsite copy to a Backblaze B2 bucket that costs me USD 2.30 a month.
Troubleshooting commands by platform
When the night-shift NOC engineer at our Hubli PoP calls me at 2:14 am because a tower-base USW-Pro-48-PoE has dropped its LACP bundle, I have a defined sequence I run before I burn an Ubiquiti support credit. Here is the exact set I use on UniFi OS, EdgeSwitch, and EdgeOS, with the matching log entries I look for first:
# Hardware sanity on a U6-Lite / USW
ssh ubnt@10.99.99.21
info
mca-dump | head -200
show hardware
show system fan
show system temperature
# Interface health
show interface status
show interface counters errors
show ports all
show ip interface brief
show poe status
show lldp neighbors
# Forwarding plane
show mac address-table
show arp
show ip route
show running-config | match vlan
# EdgeRouter / Dream Machine deeper checks
show interfaces ethernet eth0 brief
show ubnt interfaces
show system processes summary
show log tail 200
journalctl -u unifi -n 200 --no-pager
# Pull a full support bundle for Ubiquiti TAC
support file
sftp wisp-admin@10.99.99.5 <<< "put /tmp/support-info.tar.gz"On a USW-Pro-48-PoE, the syslog line SW STM: link state change Port 47 down followed within two seconds by SW STM: link state change Port 47 up is the textbook signature of a marginal RJ45 patch or a flaky U6 access point trying to negotiate PoE. I flip the port to a fixed 1G full-duplex, force PoE+ on the profile, and watch the flap counter for ten minutes; if it clears I label the patch cable for replacement at the next site visit. The other one I see often is STP: BPDU-Guard violation, port disabled on the access ports inside PG hostel closets where a tenant has plugged in a TP-Link travel router with STP enabled, the fix is a 30-second port reset plus a polite WhatsApp message.
India compliance and deployment notes
WISP and small-ISP deployments in India fall under the DoT Unified Licence ISP-Class-C category, the TRAI Quality of Service for Broadband regulations, and the MeitY DPDP Act 2023 for subscriber metadata. The CERT-In April 2022 directive requires that any security incident be reported inside six hours, that subscriber logs be retained for 180 days, and that NTP be synced to the NIC time server at samay1.nic.in or an equivalent. For UniFi gear this is straightforward, set system ntp server samay1.nic.in and system syslog host 10.99.99.20 facility all level info and you are inside the line.
On pricing, a UniFi USW-Pro-48-PoE-Gen2 costs roughly INR 78,000 to INR 92,000 imported through the Ubiquiti India distributor RP tech or Compuage depending on volume slab. A U6-Lite is INR 9,800 to INR 11,400 per unit and a U6-Pro lands at INR 13,500 to INR 16,200. The EdgeRouter Infinity ER-8-XG runs INR 1,68,000 to INR 1,92,000 and the Dream Machine Pro Max is INR 1,42,000 to INR 1,58,000 on the GeM listing where the buyer is a government body. For commercial buyers we usually skip GeM and source direct from RP tech because the lead time runs 14 working days vs 6 to 8 weeks on GeM for the same SKU.
Power cost in Karnataka sits at INR 8.45 per kWh on a BESCOM commercial slab in Hubli, and a typical USW-Pro-48-PoE pulling 460 W at full PoE load adds roughly INR 34,000 a year to my OPEX. I list this explicitly in the customer billing model because the PG hostel owners ask why their PoP rent went up; the answer is the eight extra APs we added last quarter to fix the dead spots near the staircases.
Real-world deployment I did at the Hubli KIADB rollout
In March 2026 I rolled out a fresh UniFi stack at a 240-room PG hostel in the Gokul Road area for an SME owner who had been suffering with a single TP-Link router covering five floors. The change order was straightforward on paper, four USW-Pro-24-PoE per floor closet, a U6-Lite per corridor, a Dream Machine Pro Max at the ground-floor MDF, and a 200 Mbps Airtel Xstream Fiber wholesale handoff. The catch is that the building has cast-iron staircases acting as RF mirrors and the floor plates are 200 mm reinforced concrete so AP placement is not a "one per corridor" exercise, it is a "two per corridor with careful channel planning" exercise.
The site survey alone took me a day and a half with an Ekahau Sidekick borrowed from a friend at Cisco Bengaluru. The result was a placement plan that needed 32 APs instead of the originally bid 20, which meant a re-quote to the owner with an additional INR 1,84,000 of hardware and labour. He pushed back hard until I showed him the heatmap proving 16 of the 240 rooms would never see 5 GHz at greater than minus-72 dBm without the extra APs, after which he signed the revised quote.
Provisioning the controller side went smoothly in the lab, but at the site I hit two surprises. First, the USW-Pro-24-PoE stack lost its leader during the third reboot of a firmware upgrade because the LACP bundle to the MDF flapped, fix was to disable the back-to-back stack uplink temporarily, finish the upgrade, then re-enable. Second, the captive portal redirection through the Dream Machine kept losing the WPA-EAP RADIUS handshake on the U6-Lite radios because the controller had silently updated the EAP-PEAP MTU to 1492 during the firmware push. Manually setting it back to 1400 in the WLAN advanced settings cleared it inside ninety seconds.
Ubiquiti UniFi quirks worth knowing
UniFi OS on the Dream Machine line keeps its config in a SQLite database under /data/unifi-core/dbs/ and the per-AP overrides under /data/unifi/data/sites/default/devices/. Editing these directly is the only way to recover from a controller that has dropped its symbol-link to a stranded AP after a botched firmware push, but the changes need a systemctl restart unifi to take effect and they do not survive a full UniFi OS upgrade. Always back up the site before you start so a restore is a two-minute affair, not a four-hour rebuild.
EdgeSwitch CLI is a Broadcom-derived parser, not the same family as the EdgeOS CLI you see on the EdgeRouter line, and the muscle-memory commands do not always carry across. On EdgeSwitch you type show interfaces ethernet 0/1 and on EdgeOS you type show interfaces ethernet eth0, the syntax mismatch trips up engineers who run both. The other big quirk is the U6-Lite radios silently mute the 2.4 GHz beacon if the controller pushes a country-code change without a radio restart, the symptom is a missing SSID on 2.4 only, the fix is a controller-side adopt-replace which takes the AP out of service for under three minutes.
Extended FAQs from the WISP runbook
What is the Ubiquiti TAC response time for a paying WISP partner?
Ubiquiti does not publish a hard SLA on the standard Pro account, the community-driven model means most tickets get a first response inside 24 hours and an engineer-level reply within 72 hours. For our scale we have moved the critical-path gear to a UI Care Standard contract at USD 599 a year per Dream Machine, which buys a four-hour callback and an advance-replacement RMA from the Singapore depot. The Singapore depot lands in Bengaluru in 18 to 26 working hours via FedEx, faster than the local distributor RMA which runs 7 to 12 working days.
Can I mix EdgeSwitch and UniFi switches in the same site?
Technically yes, but you give up most of the central management benefit because EdgeSwitch does not adopt into the UniFi controller. I run EdgeSwitch only at the PoP for the BGP-facing edge where I want the EdgeRouter-style CLI parity, and UniFi for everything from the aggregation layer down. Mixing them inside an access closet adds operational drag that is not worth the price delta.
What is the GST input credit on a UniFi invoice from RP tech?
Hardware bills at 18 percent GST under HSN 8517 for networking equipment and the UI Care subscription bills at 18 percent SAC code 998313 for software maintenance. Both qualify for full input credit if your GSTIN matches the buyer field. Always confirm the project GSTIN is on the invoice, not the head office GSTIN, otherwise the credit lands in the wrong state pool and recovery takes weeks through the GST portal.
How do I prove uptime to the TRAI broadband QoS auditor?
I export the UniFi controller "device events" feed and the Wazuh SIEM correlation report every quarter into a single PDF that shows alarm raise plus alarm clear timestamps for each major incident. The TRAI inspector accepted this format in our March 2026 quarterly review without follow-up. The trick is to include the Customer Care Number ticket reference alongside each event, an alarm without a customer-facing ticket reference gets a deficiency note.
What does the Ubiquiti distributor lead time look like in India right now?
RP tech holds in-stock inventory of U6-Lite, U6-Pro, USW-24-PoE, USW-Pro-48-PoE-Gen2, Dream Machine Pro, and the EdgeRouter ER-X with 24-hour ship from Mumbai for orders placed before 2 pm. For non-stock items like the U7-Pro outdoor or the EdgeRouter Infinity ER-8-XG the import lead time is 21 to 35 working days from the Taipei warehouse, plan your tender timeline accordingly or the L1 evaluator throws the bid back for missing delivery commitment.