ACL slices

Create Date: Aug 23 2013 12:39PM

Hi,

I am trying to put ACLs on our core switch to prevent access between certain VLANs, but I run out of slices quickly.

I don't understand slices or how they are calculated.

* X670-48x.9 # show access-list usage acl-slice port 1
Ports 1-48
Stage: INGRESS
Slices:          Used: 9  Available: 1
Slice 0 Rules:   Used: 0  Available: 128
Slice 1 Rules:   Used: 3  Available: 125 user/other
Slice 2 Rules:   Used: 20  Available: 108 system
Slice 3 Rules:   Used: 6  Available: 122 system
Slice 4 Rules:   Used: 3  Available: 253 user/other
Slice 5 Rules:   Used: 6  Available: 250 user/other
Slice 6 Rules:   Used: 3  Available: 253 user/other
Slice 7 Rules:   Used: 6  Available: 250 user/other
Slice 8 Rules:   Used: 3  Available: 253 user/other
Slice 9 Rules:   Used: 8  Available: 248 user/other
Stage: EGRESS
Slices:          Used: 0  Available: 4
Slice 0 Rules:   Used: 0  Available: 256
Slice 1 Rules:   Used: 0  Available: 256
Slice 2 Rules:   Used: 0  Available: 256
Slice 3 Rules:   Used: 0  Available: 256
Stage: LOOKUP
Slices:          Used: 1  Available: 3
Slice 0 Rules:   Used: 0  Available: 256
Slice 1 Rules:   Used: 0  Available: 256
Slice 2 Rules:   Used: 0  Available: 256
Slice 3 Rules:   Used: 49  Available: 207
Stage: EXTERNAL
Slices:          Used: 0  Available: 0
* X670-48x.10 #
(from Conrad_Jones)
Create Date: Aug 23 2013 12:58PM

Hi,

I think you can find the answer to your question in the concept guide:
Chapter ACL -> ACL Mechanisms - 681

Jarek

(from Jaroslaw_Kasjaniuk)
Create Date: Aug 23 2013 1:08PM

Vlan Name    Port   Policy Name          Dir      Rules  Dyn Rules
===================================================================
Internet     *      Internet             ingress  9      0
dmz          *      DMZ                  ingress  9      0
dmz          1                           ingress  0      2
dmz          2                           ingress  0      2
dmz          3                           ingress  0      2
dmz          45                          ingress  0      2
dmz          46                          ingress  0      2
dmz          47                          ingress  0      2
dmz          48                          ingress  0      2
Admin_Server *      A_S                  ingress  9      0

* X670-48x.2 # configure access-list C_S vlan Curriculum
  <vlanname>      vlan name
    "Curriculum"  "Curriculum_PC"  "Curriculum_Printer"  "Curriculum_Server"
* X670-48x.2 # configure access-list C_S vlan "Curriculum_Server"

Error: ACL install operation failed - slice hardware full for vlan Curriculum_Server, port *
* X670-48x.3 #



Apologies, I have read that; I don't think I'm approaching anywhere near 2048 ingress rules.

Each group of 48 ports has 10 slices; the first 4 slices (0-3) hold 128 ingress rules each, and the last 6 slices (4-9) hold 256 ingress rules each, which adds up to 2048 ingress rules.


(from Conrad_Jones)
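The slice output from the first post and the 4x128 + 6x256 = 2048 arithmetic above, checked by a small parser. This is an added example, not code from the thread or from Extreme; the sample text is constructed from the output posted above, and the reading that "system" slices cannot be shared with user ACLs is the thread's suggestion, treated here as an assumption.

```python
import re
# Constructed from the 'show access-list usage acl-slice port 1' output posted in the thread.
SAMPLE = """\
Stage: INGRESS
Slices:          Used: 9  Available: 1
Slice 0 Rules:   Used: 0  Available: 128
Slice 1 Rules:   Used: 3  Available: 125 user/other
Slice 2 Rules:   Used: 20  Available: 108 system
Slice 3 Rules:   Used: 6  Available: 122 system
Slice 4 Rules:   Used: 3  Available: 253 user/other
Slice 5 Rules:   Used: 6  Available: 250 user/other
Slice 6 Rules:   Used: 3  Available: 253 user/other
Slice 7 Rules:   Used: 6  Available: 250 user/other
Slice 8 Rules:   Used: 3  Available: 253 user/other
Slice 9 Rules:   Used: 8  Available: 248 user/other
Stage: EGRESS
Slices:          Used: 0  Available: 4
Slice 0 Rules:   Used: 0  Available: 256
"""

STAGE_RE = re.compile(r"^Stage:\s+(\w+)")
SLICES_RE = re.compile(r"^Slices:\s+Used:\s+(\d+)\s+Available:\s+(\d+)")
SLICE_RE = re.compile(r"^Slice (\d+) Rules:\s+Used:\s+(\d+)\s+Available:\s+(\d+)\s*(\S*)")

def parse_slices(text):
    """Return {stage: {"slices_free": n, "slices": [(idx, used, capacity, owner)]}}.
    A slice's rule capacity is Used + Available on its own line (128 or 256 here)."""
    stages, cur = {}, None
    for line in text.splitlines():
        if m := STAGE_RE.match(line):
            cur = stages.setdefault(m[1], {"slices_free": 0, "slices": []})
        elif m := SLICES_RE.match(line):
            cur["slices_free"] = int(m[2])
        elif m := SLICE_RE.match(line):
            idx, used, avail = int(m[1]), int(m[2]), int(m[3])
            cur["slices"].append((idx, used, used + avail, m[4] or "unused"))
    return stages

def summarize(stage):
    """Rule totals plus slices per owner (assumption from the thread: 'system' slices are not shareable)."""
    owners = {}
    for _, _, _, owner in stage["slices"]:
        owners[owner] = owners.get(owner, 0) + 1
    return {"rule_capacity": sum(c for _, _, c, _ in stage["slices"]),
            "rules_used": sum(u for _, u, _, _ in stage["slices"]),
            "slices_free": stage["slices_free"], "by_owner": owners}

def slice_bound(stage):
    """True when free slices, not free rule entries, will block the next policy install:
    at most one slice left while under 10% of the rule entries are in use (the thread's case)."""
    s = summarize(stage)
    return s["slices_free"] <= 1 and s["rules_used"] * 10 < s["rule_capacity"]
```

Run against the posted output, INGRESS reports 58 of 2048 rule entries in use but only one free slice, which is why the next policy install fails while the rule count looks nowhere near the limit.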
Create Date: Aug 23 2013 5:50PM

To my knowledge, different slices are used for different things;
in your case the X670 has 10 slices, and the sum of the 10 slices' rules is 2048.

You have in use:
Stage: INGRESS
Slices: Used: 9 Available: 1

I don't know your config and ACLs,
but "Error: ACL install operation failed - slice hardware full for vlan Curriculum_Server, port *" could mean:

1) That some functions need slices for their own use and cannot share them with others.

You can check that: remove some of the ACLs,
then run show access-list usage acl-slice port 1 to see which slices are free.
Then add the access-list C_S and check the slice usage again.

2) Sometimes the solution is to write the ACLs in the file in a different order and/or
add the policies in a different order.

Some time ago I had a similar problem with an X250e; I don't remember which software version that was.
When the switch rebooted it added some ACL policies for VLANs, then added IP-security things like DHCP snooping
and ARP validation. In the logs I saw "ACL install operation failed ...".
But when I removed all the ACLs and first added the IP-security things, then the ACLs for the VLANs,
it worked with no error.

3) Maybe a firmware bug? What firmware do you have?


--
Jarek

(from Jaroslaw_Kasjaniuk)
Create Date: Aug 23 2013 6:54PM

I've got loads of VRRP going on on that switch and some DHCP snooping, but the way I read the PDF they use the system slice, not the user/other? Not sure here though.

Firmware: I updated today to the latest XOS and it didn't make a difference. I will check firmware versions on Tuesday, as I have left the site now.

I may back up the config and try resetting the whole switch, though I'd rather not :)

(from Conrad_Jones)
