ExtremeSwitching (EXOS)

  • 1.  ACL slices

    Posted 01-07-2014 22:04
    Create Date: Aug 23 2013 12:39PM

    Hi

    I am trying to put ACLs on our core switch to prevent access between certain VLANs, but run out of slices quickly.

    I don't understand slices or how they are calculated???

    * X670-48x.9 # show access-list usage acl-slice port 1
    Ports 1-48
    Stage: INGRESS
    Slices: Used: 9 Available: 1
    Slice 0 Rules: Used: 0 Available: 128
    Slice 1 Rules: Used: 3 Available: 125 user/other
    Slice 2 Rules: Used: 20 Available: 108 system
    Slice 3 Rules: Used: 6 Available: 122 system
    Slice 4 Rules: Used: 3 Available: 253 user/other
    Slice 5 Rules: Used: 6 Available: 250 user/other
    Slice 6 Rules: Used: 3 Available: 253 user/other
    Slice 7 Rules: Used: 6 Available: 250 user/other
    Slice 8 Rules: Used: 3 Available: 253 user/other
    Slice 9 Rules: Used: 8 Available: 248 user/other
    Stage: EGRESS
    Slices: Used: 0 Available: 4
    Slice 0 Rules: Used: 0 Available: 256
    Slice 1 Rules: Used: 0 Available: 256
    Slice 2 Rules: Used: 0 Available: 256
    Slice 3 Rules: Used: 0 Available: 256
    Stage: LOOKUP
    Slices: Used: 1 Available: 3
    Slice 0 Rules: Used: 0 Available: 256
    Slice 1 Rules: Used: 0 Available: 256
    Slice 2 Rules: Used: 0 Available: 256
    Slice 3 Rules: Used: 49 Available: 207
    Stage: EXTERNAL
    Slices: Used: 0 Available: 0
    * X670-48x.10 #
    (from Conrad_Jones)
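    As an added example (not code from the thread or from Extreme), a small Python parser for the "show access-list usage acl-slice" output quoted above, so slice headroom per stage and the split between system and user/other rules can be checked from a script rather than by eye; the sample text is a constructed, trimmed copy of that output.

```python
import re

# Constructed sample, trimmed from the poster's "show access-list usage acl-slice port 1" output.
SAMPLE = """\
Ports 1-48
Stage: INGRESS
Slices: Used: 9 Available: 1
Slice 0 Rules: Used: 0 Available: 128
Slice 1 Rules: Used: 3 Available: 125 user/other
Slice 2 Rules: Used: 20 Available: 108 system
Slice 4 Rules: Used: 3 Available: 253 user/other
Stage: EGRESS
Slices: Used: 0 Available: 4
Slice 0 Rules: Used: 0 Available: 256
Stage: EXTERNAL
Slices: Used: 0 Available: 0
"""

STAGE_RE = re.compile(r"^Stage:\s+(\w+)")
SLICES_RE = re.compile(r"^Slices:\s+Used:\s+(\d+)\s+Available:\s+(\d+)")
SLICE_RE = re.compile(r"^Slice\s+(\d+)\s+Rules:\s+Used:\s+(\d+)\s+Available:\s+(\d+)(?:\s+(\S+))?")

def parse_slice_usage(text: str) -> dict:
    """Group the CLI output by stage: slice totals plus one row per slice."""
    stages, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := STAGE_RE.match(line):
            cur = stages.setdefault(m.group(1), {"used": 0, "avail": 0, "slices": []})
        elif cur is None:
            continue  # lines such as "Ports 1-48" before the first stage
        elif m := SLICES_RE.match(line):
            cur["used"], cur["avail"] = int(m.group(1)), int(m.group(2))
        elif m := SLICE_RE.match(line):
            cur["slices"].append({"id": int(m.group(1)), "used": int(m.group(2)),
                                  "avail": int(m.group(3)), "owner": m.group(4) or "unused"})
    return stages

def low_headroom(stages: dict, min_free: int = 1) -> list:
    """Stages with min_free or fewer free slices; stages with no slices at all are skipped."""
    return sorted(n for n, s in stages.items() if s["used"] + s["avail"] > 0 and s["avail"] <= min_free)

def rules_by_owner(stage: dict) -> dict:
    """Rules in use per slice owner (system vs user/other), ignoring empty slices."""
    out = {}
    for s in stage["slices"]:
        if s["used"]:
            out[s["owner"]] = out.get(s["owner"], 0) + s["used"]
    return out
```

    Running it before and after removing or re-adding a policy (as suggested later in the thread) shows which stage actually lost a slice.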


  • 2.  RE: ACL slices

    Posted 01-07-2014 22:04
    Create Date: Aug 23 2013 12:58PM

    Hi,

    I think you can find the answer to your question in the concept guide:
    Chapter ACL -> ACL Mechanisms - 681

    Jarek (from Jaroslaw_Kasjaniuk)


  • 3.  RE: ACL slices

    Posted 01-07-2014 22:04
    Create Date: Aug 23 2013 1:08PM

    Vlan Name     Port  Policy Name  Dir      Rules  Dyn Rules
    ===========================================================
    Internet      *     Internet     ingress  9      0
    dmz           *     DMZ          ingress  9      0
    dmz           1                  ingress  0      2
    dmz           2                  ingress  0      2
    dmz           3                  ingress  0      2
    dmz           45                 ingress  0      2
    dmz           46                 ingress  0      2
    dmz           47                 ingress  0      2
    dmz           48                 ingress  0      2
    Admin_Server  *     A_S          ingress  9      0

    * X670-48x.2 # configure access-list C_S vlan Curriculum


  • 4.  RE: ACL slices

    Posted 01-07-2014 22:04
    Create Date: Aug 23 2013 5:50PM

    To my knowledge different slices are used for different things;
    in your case the X670 has 10 slices and the sum of the 10 slices' rules is 2048.

    You have in use:
    Stage: INGRESS
    Slices: Used: 9 Available: 1

    I don't know your config and ACL's,
    but "Error: ACL install operation failed - slice hardware full for vlan Curriculum_Server, port *" could mean:

    1) That some functions need slices for their own use and cannot share them with others.

    You can check that: when you remove some of the ACLs, then run show access-list usage acl-slice port 1 to see which slices are free.
    Then add this access list C_S and check slice usage again.

    2) Sometimes the solution is to write the ACLs in the file in a different order and/or
    add the policies in a different order.

    Some time ago I had a similar problem with an X250e; I don't remember which software version that was.
    When the switch rebooted it added some ACL policy for VLANs, then added ip-security things like DHCP snooping
    and ARP validation. In the logs I saw ACL install operation failed ...
    But when I removed all ACLs, and first added the ip-security things and then the ACL for the VLAN,
    it worked with no error.

    3) Maybe a firmware bug? What firmware do you have?

    --
    Jarek

    (from Jaroslaw_Kasjaniuk)


  • 5.  RE: ACL slices

    Posted 01-07-2014 22:04
    Create Date: Aug 23 2013 6:54PM

    I've got loads of VRRP going on on that switch and some DHCP snooping, but the way I read the PDF they used the system slice, not the user/other? Not sure here though.

    Firmware: I updated today to the latest XOS and it didn't make a difference. I will check firmware versions on Tuesday as I have left the site now.

    I may back up the config and try resetting the whole switch, though I'd rather not 🙂 (from Conrad_Jones)