Error: ACL install operation failed - filter hardware full for vlan *, port 1:5

Question, updated 3 years ago, answered (edited)
Hi,

Do you know of any reason why I get this error whenever I try to apply an ACL on egress?

I've tried creating the ACL via a policy and dynamically, with and without logging, but I get the same error each time, yet on ingress I can apply an ACL fine. Am I hitting some limitation on applying ACLs on egress, or have I got my configuration wrong in some manner?

I have the following line in my config:

configure access-list vlan-acl-precedence shared

Which is meant to fix this issue:

https://gtacknowledge.extremenetworks.com/articles/Solution/ACL-install-operation-failed-filter-hardware-full-for-vlan



Creation and application of dynamic ACL:

create access-list Debug-Port-Egress " source-address 0.0.0.0/0 ;" " permit  ; log  ; mirror-cpu  ; count Debug-Port-Egress ;" application "Cli"

configure access-list add "Debug-Port-Egress" first ports 1:5 egress
Error: ACL install operation failed - filter hardware full for vlan *, port 1:5



Creation and application of ACL through policy:


With logging:


entry Debug-Port-egress {
        if match all {
                source-address 0.0.0.0/0;
                } then {
                        permit  ;
                        log  ;
                        mirror-cpu  ;
                        count Debug-Port-Ingress ;
                }
}




And without logging


entry Debug-Port-egress {
        if match all {
                source-address 0.0.0.0/0;
                } then {
                        permit  ;
                }
}





configure access-list Debug-Port-Egress ports 1:5 egress

Error: ACL install operation failed - filter hardware full for vlan *, port 1:5



And show commands that you might find useful:




Stack 1.41 # show access-list configuration
       Access-list Refresh Blackhole: Enabled
       Access-list Permit To-CPU: Enabled

       Access-list configured vlan-acl-precedence mode: Shared
       Access-list operational vlan-acl-precedence mode: Shared
       Access-list Rule-compression Port-counters: Dedicated



Stack 1.40 # show access-list usage acl-slice port 1:5
Ports 1:1-1:24
Stage: INGRESS
Slices:          Used: 2  Available: 2
Slice 0 Rules:   Used: 0  Available: 0
Slice 1 Rules:   Used: 0  Available: 0
Slice 2 Rules:   Used: 17  Available: 239 system
Slice 3 Rules:   Used: 70  Available: 186 user/other
Stage: EGRESS
Slices:          Used: 0  Available: 0
Stage: LOOKUP
Slices:          Used: 0  Available: 0
Stage: EXTERNAL
Slices:          Used: 0  Available: 0







Stack 1.39 # show access-list dynamic
Dynamic Rules: ((*)- Rule is non-permanent )

   Debug-Port-Egress               Bound to 0 interfaces for application Cli
   Debug-Port-Ingress              Bound to 1 interfaces for application Cli
(*)hclag_arp_2_4_96_82_46_c1       Bound to 0 interfaces for application HealthCheckLAG
(*)idmgmt_def_blacklist            Bound to 0 interfaces for application IdentityManager
(*)idmgmt_def_whitelist            Bound to 0 interfaces for application IdentityManager

The switch is a stack of 4 x X440, running version 15.5.4.2 patch 1-5.



Many thanks in advance
Martin Flammia

Posted 3 years ago
OscarK, ESE
Hello Martin,

As you can see in show access-list usage acl-slice, the X440 does not have egress slices available (0).
From the manual, the X440 is not listed as being capable of doing egress ACLs:

egress
Apply the ACL to packets leaving the switch from this interface. (BlackDiamond X8 series switches, BlackDiamond 8000 c-, xl-, xm-series modules, E4G-200 and E4G-400 switches, and Summit X460, X460-G2, X480, X670, X670-G2, and X770 switches only).
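A small pre-check of the kind Oscar's diagnosis suggests, added here as an example and not part of the original thread or of EXOS itself: it parses the `show access-list usage acl-slice port 1:5` output Martin pasted above (embedded verbatim as constructed sample input) into per-stage slice counts and reports whether a stage has any slice to install into. The one rule it assumes is the reading Oscar gives of the output, that a stage reporting 0 slices used and 0 available has no hardware for that stage at all; the function and class names are the example's own.

```python
"""Parse EXOS 'show access-list usage acl-slice port <port>' output and
report whether an ACL stage (INGRESS, EGRESS, ...) has TCAM room.

Added example, not code from the original post. SAMPLE is the output the
poster pasted for an X440 stack on EXOS 15.5.4.2 (constructed input).
"""
import re
from dataclasses import dataclass, field

SAMPLE = """\
Ports 1:1-1:24
Stage: INGRESS
Slices:          Used: 2  Available: 2
Slice 0 Rules:   Used: 0  Available: 0
Slice 1 Rules:   Used: 0  Available: 0
Slice 2 Rules:   Used: 17  Available: 239 system
Slice 3 Rules:   Used: 70  Available: 186 user/other
Stage: EGRESS
Slices:          Used: 0  Available: 0
Stage: LOOKUP
Slices:          Used: 0  Available: 0
Stage: EXTERNAL
Slices:          Used: 0  Available: 0
"""

STAGE_RE = re.compile(r"^Stage:\s+(\w+)")
SLICES_RE = re.compile(r"^Slices:\s+Used:\s+(\d+)\s+Available:\s+(\d+)")
RULES_RE = re.compile(
    r"^Slice\s+(\d+)\s+Rules:\s+Used:\s+(\d+)\s+Available:\s+(\d+)\s*(.*)$")


@dataclass
class Stage:
    """Slice summary for one ACL stage of the port block."""
    name: str
    slices_used: int = 0
    slices_available: int = 0
    # slice index -> (rules used, rules available, label such as 'system')
    rules: dict = field(default_factory=dict)

    def total_slices(self) -> int:
        return self.slices_used + self.slices_available

    def has_capacity(self) -> bool:
        # Assumption (from the thread): a stage with no slices at all is not
        # implemented by this hardware. Otherwise a free slice, or rule room
        # in an allocated slice, means another ACL can still be installed.
        if self.total_slices() == 0:
            return False
        if self.slices_available > 0:
            return True
        return any(avail > 0 for _, avail, _ in self.rules.values())


def parse_acl_slice_usage(text: str) -> dict:
    """Return {stage name: Stage} for one 'show access-list usage acl-slice' block."""
    stages = {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = STAGE_RE.match(line)
        if m:
            cur = Stage(m.group(1))
            stages[cur.name] = cur
            continue
        if cur is None:  # e.g. the leading 'Ports 1:1-1:24' header
            continue
        m = SLICES_RE.match(line)
        if m:
            cur.slices_used = int(m.group(1))
            cur.slices_available = int(m.group(2))
            continue
        m = RULES_RE.match(line)
        if m:
            cur.rules[int(m.group(1))] = (
                int(m.group(2)), int(m.group(3)), m.group(4).strip())
    return stages


def explain_install_failure(stages: dict, stage: str = "EGRESS") -> str:
    """One-line verdict on why 'filter hardware full' would be hit for a stage."""
    s = stages.get(stage)
    if s is None:
        return f"stage {stage} not reported by this platform"
    if s.total_slices() == 0:
        return f"{stage}: 0 slices total; this hardware has no {stage.lower()} ACL stage"
    if s.has_capacity():
        return f"{stage}: capacity available"
    return f"{stage}: all {s.slices_used} slices full"


if __name__ == "__main__":
    parsed = parse_acl_slice_usage(SAMPLE)
    for name in ("INGRESS", "EGRESS"):
        print(explain_install_failure(parsed, name))
```

Run it against the saved output of the show command before applying an egress ACL; on the X440 output above it reports the EGRESS stage as having no slices at all, which is the condition that produces the error in the question, while INGRESS still has room.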
Martin Flammia

Oh, ok, thanks Oscar, that explains that nicely then :-)