Error: ACL install operation failed - filter hardware full for vlan esn-mo-01, port *

  • Question
  • Updated 2 years ago
  • Answered

Hi there,

I'm trying to implement a new egress vlan ACL to match traffic going to a particular address on a range of UDP ports and put it into QoSprofile QP6.

But I'm getting the above error.

I'm on an X460 running 15.6.3.1 and I appear to have egress ACL slices available: 

show access-list usage acl-slice port 1
Ports 1-34
Stage: INGRESS
[SNIP]
Stage: EGRESS
Slices:          Used: 0  Available: 4
Slice 0 Rules:   Used: 0  Available: 0
Slice 1 Rules:   Used: 0  Available: 0
Slice 2 Rules:   Used: 0  Available: 0
Slice 3 Rules:   Used: 0  Available: 0
Stage: LOOKUP
Slices:          Used: 1  Available: 3
Slice 0 Rules:   Used: 0  Available: 0
Slice 1 Rules:   Used: 0  Available: 0
Slice 2 Rules:   Used: 0  Available: 0
Slice 3 Rules:   Used: 35  Available: 477 system
Stage: EXTERNAL
Slices:          Used: 0  Available: 0

I've found the 'fix' to reset the precedence to 'shared' as it now defaults to 'dedicated', but why should I?  This ACL didn't exist on any previous version of code so why can't I use the default setting to apply this relatively simple ACL?

https://gtacknowledge.extremenetworks.com/articles/Solution/ACL-install-operation-failed-filter-hard...

Many thanks,

Stephen Elliott

Posted 2 years ago

Kevin Kim, Employee

The egress ACL doesn't support a port range of UDP/TCP. 

Unlike ingress ACLs, ‘qosprofile’ action is only used to determine DSCP and DOT1P mappings and has no effect on the traffic queuing or prioritization. 

Stephen Elliott

Thanks Kevin, but this is taken from the Concepts Guide chapter about ACL QoS Traffic Classes:

"Depending on the platform you are using, traffic in an ACL traffic group can be processed as follows:

• Assigned to an ingress meter for rate limiting

• Marked for an egress QoS profile for rate shaping  <<<<<< 

• Marked for an egress traffic queue for rate shaping   <<<<<<<

• Marked for DSCP replacement on egress

• Marked for 802.1p priority replacement on egress

• Assigned to an egress meter for rate limiting"

Is that incorrect?  Should I be using an Ingress ACL on the incoming Vlan to assign my traffic to an appropriate QP?

Kevin Kim, Employee

You can use 'qosprofile' action statement in an egress ACL for remarking DSCP or Dot1p values. However, the traffic queuing or prioritization doesn't take place.


qosprofile qosprofilename—Forwards the packet to the specified QoS profile.

• ingress—all platforms
• egress—does not forward the packets to the specified qosprofile. If the action modifier “replace-dot1p” is present in the ACL rule, the dot1p field in the packet is replaced with the value from associated qosprofile.
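
The two egress limits described in the answers above (no UDP/TCP port ranges, and 'qosprofile' only remarking rather than queuing) can be checked before a policy is bound in the egress direction. This is an added example, not code from the thread or from Extreme's documentation; the policy-entry syntax is assumed to follow the ExtremeXOS policy-file form, and the entry names, address and ports are constructed.

```python
import re

# Constructed sample policy: entry names, address and ports are made up.
SAMPLE_POLICY = """
entry voice_range {
    if { destination-address 192.0.2.10/32; protocol udp;
         destination-port 16384 - 16484; }
    then { qosprofile qp6; }
}
entry voice_single {
    if { destination-address 192.0.2.10/32; protocol udp;
         destination-port 5060; }
    then { qosprofile qp6; replace-dot1p; }
}
"""

# entry <name> { if { <match> } then { <actions> } }  (assumed policy-file layout)
ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if[^{]*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)
# "destination-port 16384 - 16484" is a range; "destination-port 5060" is not.
RANGE_RE = re.compile(r"\b(source|destination)-port\s+\d+\s*-\s*\d+")

def lint_egress_policy(text):
    """Return {entry_name: [warnings]} for a policy intended for egress use."""
    findings = {}
    for name, match_part, action_part in ENTRY_RE.findall(text):
        warnings = []
        hit = RANGE_RE.search(match_part)
        if hit:
            warnings.append(f"{hit.group(1)}-port range: not supported in egress ACLs")
        # First word of each ';'-terminated action statement.
        actions = {a.split()[0] for a in action_part.split(";") if a.strip()}
        if "qosprofile" in actions:
            warnings.append("qosprofile does not queue or prioritise traffic on egress")
            if "replace-dot1p" not in actions:
                warnings.append("no replace-dot1p modifier, so the 802.1p field is not rewritten")
        if warnings:
            findings[name] = warnings
    return findings

if __name__ == "__main__":
    for entry, warnings in lint_egress_policy(SAMPLE_POLICY).items():
        for w in warnings:
            print(f"{entry}: {w}")
```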