Question

ACLs on X440-48t


Userlevel 4
Create Date: Aug 22 2012 10:13AM

Hey all,
I'm new to Extreme switches, so please bear with me here. I'm trying to apply an ACL on our new X440 switch. Basically what I'm trying to do is this: We have multiple "tenants" each of which has their own VLAN. I'm trying to prevent "Tenant_A" on VLAN 101 from accessing "Tenant_B", "Tenant_C", "Tenant_D", etc on VLANs 102, 103, 104, etc.

To start I created a policy file that looks like this called "Test1":

code:
entry ex_A {
   if {
      source-address 172.17.102.0/24 ;
      destination-address 172.17.101.0/24 ;
   } then {
      deny ;
   }
}


Whenever I run the command to apply it:

code:
con access Test1 vlan Tenant_A

or

code:
con access Test1 vlan Client-IARS ingress

I always wind up with this error as a result:

code:
Error: ACL install operation failed - slice hardware full for vlan Tenant_A, port *


I've set "Tenant_A" vlan to be tagged on ports 1-4, if I run:

code:
show access-list usage acl-slice port 1

this is what I see:

code:
Ports 1-24
Stage: INGRESS
Slices:          Used: 4  Available: 0
Slice 0 Rules:   Used: 12  Available: 244 system
Slice 1 Rules:   Used: 2  Available: 254 system
Slice 2 Rules:   Used: 2  Available: 254 system
Slice 3 Rules:   Used: 2  Available: 254 system
Stage: EGRESS
Slices:          Used: 0  Available: 0
Stage: LOOKUP
Slices:          Used: 0  Available: 0
Stage: EXTERNAL
Slices:          Used: 0  Available: 0

Can anyone help?
--
jason shiflet (from Jason_Shiflet)
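
The error in the question is about slice allocation rather than rule count: the INGRESS stage already has all 4 slices in use even though only 18 rules are installed. The following script, an added example and not an Extreme Networks tool, parses the `show access-list usage acl-slice` output quoted above (re-typed here as a constructed sample string) and reports, per stage, whether a new policy can still get a slice and how many rule entries remain inside the slices that are already allocated. Treating the trailing `system` word on each `Slice N Rules:` line as a label naming who holds the slice is an assumption made for the example.

```python
import re
from typing import Dict, List

# Constructed sample: the output shown in the question above, re-typed as a string.
SAMPLE_OUTPUT = """\
Ports 1-24
Stage: INGRESS
Slices:          Used: 4  Available: 0
Slice 0 Rules:   Used: 12  Available: 244 system
Slice 1 Rules:   Used: 2  Available: 254 system
Slice 2 Rules:   Used: 2  Available: 254 system
Slice 3 Rules:   Used: 2  Available: 254 system
Stage: EGRESS
Slices:          Used: 0  Available: 0
Stage: LOOKUP
Slices:          Used: 0  Available: 0
Stage: EXTERNAL
Slices:          Used: 0  Available: 0
"""

STAGE_RE = re.compile(r"^Stage:\s+(\S+)")
SLICES_RE = re.compile(r"^Slices:\s+Used:\s+(\d+)\s+Available:\s+(\d+)")
# Trailing word (e.g. "system") is captured as a label; its meaning is assumed, not documented here.
RULES_RE = re.compile(
    r"^Slice\s+(\d+)\s+Rules:\s+Used:\s+(\d+)\s+Available:\s+(\d+)(?:\s+(\S+))?"
)


def parse_slice_usage(text: str) -> Dict[str, dict]:
    """Parse the per-stage slice and rule counters into a dict keyed by stage name."""
    stages: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = STAGE_RE.match(line)
        if m:
            current = m.group(1)
            stages[current] = {"slices_used": 0, "slices_available": 0, "slices": []}
            continue
        if current is None:
            continue  # e.g. the "Ports 1-24" banner line
        m = SLICES_RE.match(line)
        if m:
            stages[current]["slices_used"] = int(m.group(1))
            stages[current]["slices_available"] = int(m.group(2))
            continue
        m = RULES_RE.match(line)
        if m:
            stages[current]["slices"].append({
                "id": int(m.group(1)),
                "rules_used": int(m.group(2)),
                "rules_available": int(m.group(3)),
                "label": m.group(4) or "",
            })
    return stages


def slices_exhausted(stages: Dict[str, dict], stage: str = "INGRESS") -> bool:
    """True when the stage has no free slice left for a new policy."""
    s = stages.get(stage)
    return s is not None and s["slices_available"] == 0


def diagnose(stages: Dict[str, dict], stage: str = "INGRESS") -> List[str]:
    """Human-readable findings for one stage."""
    s = stages.get(stage)
    if s is None:
        return [f"{stage}: no data in output"]
    findings = []
    if s["slices_available"] == 0:
        findings.append(
            f"{stage}: all {s['slices_used']} slices allocated; "
            "a policy that needs a new slice will fail to install"
        )
    labels = {x["label"] for x in s["slices"]}
    if s["slices"] and labels == {"system"}:
        findings.append(f"{stage}: every allocated slice is labelled 'system', not a user ACL")
    used = sum(x["rules_used"] for x in s["slices"])
    free = sum(x["rules_available"] for x in s["slices"])
    findings.append(f"{stage}: {used} rules used, {free} rule entries free inside existing slices")
    return findings


if __name__ == "__main__":
    parsed = parse_slice_usage(SAMPLE_OUTPUT)
    for stage_name in parsed:
        for line in diagnose(parsed, stage_name):
            print(line)
```

Running it on the sample output reports INGRESS as exhausted at the slice level while still showing hundreds of free rule entries, which is the distinction the replies below turn on: freeing rules inside a slice does not help, something has to release a whole slice.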

3 replies

Userlevel 4
Create Date: Aug 23 2012 2:39AM

Hi jshiflet,

as you can see ("Slices: Used: 4 Available: 0 <-"), you don't have available slices.
You can try to optimize the other ACLs.

Can you show what other ACLs you have applied?

--
Jarek (from Jaroslaw_Kasjaniuk)

Userlevel 4
Create Date: Aug 23 2012 9:06AM

Hi Jarek,
That's the thing...I've basically wiped the switch clean of configs. It's brand new and I'm trying to create an ACL for the first time.

--
jason (from Jason_Shiflet)

Userlevel 4
Create Date: Aug 23 2012 2:01PM

What EXOS version do you use?
Do you have any ip-security options enabled ('sh access-list dynamic')?
Can you check 'show access-list usage acl-slice port 1' when the switch has the default config ('unconfigure switch all')?

--
Jarek (from Jaroslaw_Kasjaniuk)
