ACL slices


Userlevel 4
Create Date: Aug 23 2013 12:39PM

hi

I am trying to put ACLs on our core switch to prevent access between certain VLANs, but run out of slices quickly.

I don't understand slices or how they are calculated?

* X670-48x.9 # show access-list usage acl-slice port 1
Ports 1-48
Stage: INGRESS
Slices: Used: 9 Available: 1
Slice 0 Rules: Used: 0 Available: 128
Slice 1 Rules: Used: 3 Available: 125 user/other
Slice 2 Rules: Used: 20 Available: 108 system
Slice 3 Rules: Used: 6 Available: 122 system
Slice 4 Rules: Used: 3 Available: 253 user/other
Slice 5 Rules: Used: 6 Available: 250 user/other
Slice 6 Rules: Used: 3 Available: 253 user/other
Slice 7 Rules: Used: 6 Available: 250 user/other
Slice 8 Rules: Used: 3 Available: 253 user/other
Slice 9 Rules: Used: 8 Available: 248 user/other
Stage: EGRESS
Slices: Used: 0 Available: 4
Slice 0 Rules: Used: 0 Available: 256
Slice 1 Rules: Used: 0 Available: 256
Slice 2 Rules: Used: 0 Available: 256
Slice 3 Rules: Used: 0 Available: 256
Stage: LOOKUP
Slices: Used: 1 Available: 3
Slice 0 Rules: Used: 0 Available: 256
Slice 1 Rules: Used: 0 Available: 256
Slice 2 Rules: Used: 0 Available: 256
Slice 3 Rules: Used: 49 Available: 207
Stage: EXTERNAL
Slices: Used: 0 Available: 0
* X670-48x.10 #
(from Conrad_Jones)


Userlevel 4
Create Date: Aug 23 2013 12:58PM

Hi,

I think you can find the answer to your question in the concept guide:
Chapter ACL -> ACL Mechanisms - 681

Jarek (from Jaroslaw_Kasjaniuk)
Userlevel 4
Create Date: Aug 23 2013 1:08PM

Vlan Name Port Policy Name Dir Rules Dyn Rules
===================================================================
Internet * Internet ingress 9 0
dmz * DMZ ingress 9 0
dmz 1 ingress 0 2
dmz 2 ingress 0 2
dmz 3 ingress 0 2
dmz 45 ingress 0 2
dmz 46 ingress 0 2
dmz 47 ingress 0 2
dmz 48 ingress 0 2
Admin_Server * A_S ingress 9 0

* X670-48x.2 # configure access-list C_S vlan Curriculum
vlan name
"Curriculum" "Curriculum_PC" "Curriculum_Printer" "Curriculum_Server"
* X670-48x.2 # configure access-list C_S vlan "Curriculum_Server"

Error: ACL install operation failed - slice hardware full for vlan Curriculum_Se
rver, port *
* X670-48x.3 #



Apologies, I have read that; I don't think I'm approaching anywhere near 2048 ingress rules.

Each group of 48 ports has 10 slices; the first 4 (0-3) slices hold 128 ingress rules each, and the last
6 (4-9) slices hold 256 ingress rules each, which adds up to 2048 ingress rules.

(from Conrad_Jones)
Userlevel 4
Create Date: Aug 23 2013 5:50PM

To my knowledge, different slices are used for different things;
in your case the X670 has 10 slices and the sum of the 10 slices' rules is 2048.

You have in use:
Stage: INGRESS
Slices: Used: 9 Available: 1

I don't know your config and ACLs,
but "Error: ACL install operation failed - slice hardware full for vlan Curriculum_Server, port *" could mean:

1) That some functions need slices for their own use and cannot share them with others.

You can check that when you remove some of the ACLs,
then show access-list usage acl-slice port 1 to see which slices are free.
And then add this access-list C_S, then check slice usage.

2) Sometimes the solution is to write the ACLs in the file in a different order and/or
add the policy in a different order.

I had a similar problem some time ago with an X250e; I don't remember what software that was.
When the switch reboots it adds some ACL policy for VLANs, then adds ip-security things like dhcp-snooping
and arp validation. In the logs I saw ACL install operation failed ...
But when I removed all ACLs and first added the ip-security things, then the ACL for the VLAN,
it worked with no error.

3) Maybe a firmware bug? What firmware do you have?

--
Jarek

(from Jaroslaw_Kasjaniuk)
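An added example, not from this thread or from Extreme: a small parser for the `show access-list usage acl-slice` output Conrad posted that totals capacity per the 128/256 layout he quoted and reports the resource that actually gates a new policy. As Jarek's point 1 says, rules that cannot share an existing slice need an empty one, so the switch can report "slice hardware full" with only a few percent of the 2048 rules in use.

```python
import re

# Constructed input in the format of the thread's INGRESS stage (values copied from
# Conrad's paste); the parser works on any stage block of this command's output.
SAMPLE = """\
Stage: INGRESS
Slices: Used: 9 Available: 1
Slice 0 Rules: Used: 0 Available: 128
Slice 1 Rules: Used: 3 Available: 125 user/other
Slice 2 Rules: Used: 20 Available: 108 system
Slice 3 Rules: Used: 6 Available: 122 system
Slice 4 Rules: Used: 3 Available: 253 user/other
Slice 5 Rules: Used: 6 Available: 250 user/other
Slice 6 Rules: Used: 3 Available: 253 user/other
Slice 7 Rules: Used: 6 Available: 250 user/other
Slice 8 Rules: Used: 3 Available: 253 user/other
Slice 9 Rules: Used: 8 Available: 248 user/other
"""

STAGE_RE = re.compile(r"Stage: (\w+)")
SLICE_RE = re.compile(r"Slice (\d+) Rules: Used: (\d+) Available: (\d+)\s*(\S+)?")


def parse_slices(text):
    """Return {stage: [(slice_idx, used, available, owner), ...]}.

    A slice with no owner tag (like slice 0 above) is reported as "free".
    """
    stages, current = {}, None
    for line in text.splitlines():
        m = STAGE_RE.match(line)
        if m:
            current = m.group(1)
            stages[current] = []
            continue
        m = SLICE_RE.match(line)
        if m and current is not None:
            idx, used, avail, owner = m.groups()
            stages[current].append((int(idx), int(used), int(avail), owner or "free"))
    return stages


def stage_report(rows):
    """Summarise one stage: rule capacity vs. usage, and which slices are still empty."""
    capacity = sum(u + a for _, u, a, _ in rows)          # 4*128 + 6*256 = 2048 on X670
    used = sum(u for _, u, _, _ in rows)
    by_owner = {}
    for _, _, _, owner in rows:
        by_owner[owner] = by_owner.get(owner, 0) + 1
    free_slices = [i for i, _, _, owner in rows if owner == "free"]
    return {"capacity": capacity, "used": used, "slices_by_owner": by_owner,
            "free_slices": free_slices,
            # A policy that cannot share a slice installs only if an empty slice exists,
            # regardless of how many rule entries remain in the occupied slices.
            "can_open_new_slice": bool(free_slices)}
```

Running `stage_report(parse_slices(SAMPLE)["INGRESS"])` on the thread's figures gives 58 of 2048 rules used but only one empty slice left, which is why one more non-shareable policy is all it takes to hit the error.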
Userlevel 4
Create Date: Aug 23 2013 6:54PM

I've got loads of VRRP going on on that switch and some DHCP snooping, but the way I read the PDF they used the system slice, not the user/other? Not sure here though.

Firmware: I updated today to the latest XOS and it didn't make a difference. I will check firmware versions on Tuesday as I have left the site now.

I may back up the config and try resetting the whole switch, though I'd rather not 🙂 (from Conrad_Jones)
