Error: ACL install operation failed - filter hardware full for vlan *, port 1:5


Userlevel 5
Hi,

Do you know any reason why I am getting this error whenever I try to apply the ACL on egress?

I've tried creating an ACL via a policy and dynamically, with and without logging, but I get the same error each time, yet on ingress I can apply an ACL fine. Am I hitting some limitation on applying an ACL on egress, or have I got my configuration wrong in some manner?

I have the following line in my config:

configure access-list vlan-acl-precedence shared

Which is meant to fix this issue?

https://gtacknowledge.extremenetworks.com/articles/Solution/ACL-install-operation-failed-filter-hardware-full-for-vlan

Creation and application of dynamic ACL:

create access-list Debug-Port-Egress " source-address 0.0.0.0/0 ;" " permit ; log ; mirror-cpu ; count Debug-Port-Egress ;" application "Cli"

configure access-list add "Debug-Port-Egress" first ports 1:5 egress
Error: ACL install operation failed - filter hardware full for vlan *, port 1:5

Creation and application of ACL through policy:

With logging:

entry Debug-Port-egress {
    if match all {
        source-address 0.0.0.0/0;
    } then {
        permit ;
        log ;
        mirror-cpu ;
        count Debug-Port-Ingress ;
    }
}

And without logging:

entry Debug-Port-egress {
    if match all {
        source-address 0.0.0.0/0;
    } then {
        permit ;
    }
}

configure access-list Debug-Port-Egress ports 1:5 egress

Error: ACL install operation failed - filter hardware full for vlan *, port 1:5

And show commands that you might find useful:

Stack 1.41 # show access-list configuration
Access-list Refresh Blackhole: Enabled
Access-list Permit To-CPU: Enabled

Access-list configured vlan-acl-precedence mode: Shared
Access-list operational vlan-acl-precedence mode: Shared
Access-list Rule-compression Port-counters: Dedicated

Stack 1.40 # show access-list usage acl-slice port 1:5
Ports 1:1-1:24
Stage: INGRESS
Slices: Used: 2 Available: 2
Slice 0 Rules: Used: 0 Available: 0
Slice 1 Rules: Used: 0 Available: 0
Slice 2 Rules: Used: 17 Available: 239 system
Slice 3 Rules: Used: 70 Available: 186 user/other
Stage: EGRESS
Slices: Used: 0 Available: 0
Stage: LOOKUP
Slices: Used: 0 Available: 0
Stage: EXTERNAL
Slices: Used: 0 Available: 0

Stack 1.39 # show access-list dynamic
Dynamic Rules: ((*)- Rule is non-permanent )

Debug-Port-Egress Bound to 0 interfaces for application Cli
Debug-Port-Ingress Bound to 1 interfaces for application Cli
(*)hclag_arp_2_4_96_82_46_c1 Bound to 0 interfaces for application HealthCheckLAG
(*)idmgmt_def_blacklist Bound to 0 interfaces for application IdentityManager
(*)idmgmt_def_whitelist Bound to 0 interfaces for application IdentityManager

Switch is a stack of 4 x X440, running version 15.5.4.2 patch 1-5

Many thanks in advance


Userlevel 6
Hello Martin,

As you can see in show access-list usage acl-slice, the X440 does not have egress slices available (0).
From the manual, the X440 is not listed as being capable of egress ACLs:
egress
Apply the ACL to packets leaving the switch from this interface. (BlackDiamond X8 series switches, BlackDiamond 8000 c-, xl-, xm-series modules, E4G-200 and E4G-400 switches, and Summit X460, X460-G2, X480, X670, X670-G2, and X770 switches only).
Userlevel 5
Oh, ok, thanks Oscar, that explains that nicely then 🙂
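
The check described in the reply above, reading the egress stage out of `show access-list usage acl-slice` before trying to bind an egress ACL, can be scripted. This is an added example, not part of the original thread and not Extreme's own tooling; the function names and the reading of "Used: 0 Available: 0" as "this stage has no hardware slices" are assumptions.

```python
import re

# Sample input: the acl-slice output quoted in the thread above.
SAMPLE = """\
Ports 1:1-1:24
Stage: INGRESS
Slices: Used: 2 Available: 2
Slice 0 Rules: Used: 0 Available: 0
Slice 1 Rules: Used: 0 Available: 0
Slice 2 Rules: Used: 17 Available: 239 system
Slice 3 Rules: Used: 70 Available: 186 user/other
Stage: EGRESS
Slices: Used: 0 Available: 0
Stage: LOOKUP
Slices: Used: 0 Available: 0
Stage: EXTERNAL
Slices: Used: 0 Available: 0
"""

STAGE = re.compile(r"Stage:\s*(\w+)")
SLICES = re.compile(r"Slices:\s*Used:\s*(\d+)\s+Available:\s*(\d+)")
RULES = re.compile(r"Slice\s+(\d+)\s+Rules:\s*Used:\s*(\d+)\s+Available:\s*(\d+)\s*(.*)")

def parse_acl_slice_usage(text):
    """Map each stage name to its slice totals and per-slice rule counts."""
    stages, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := STAGE.match(line):
            cur = stages.setdefault(m[1].upper(), {"used": 0, "available": 0, "slices": []})
        elif cur is not None and (m := SLICES.match(line)):
            cur["used"], cur["available"] = int(m[1]), int(m[2])
        elif cur is not None and (m := RULES.match(line)):
            cur["slices"].append({"id": int(m[1]), "used": int(m[2]), "free": int(m[3]), "owner": m[4]})
    return stages

def stage_status(stages, stage):
    """Classify a stage as 'unknown', 'no-slices', 'full' or 'ok'."""
    info = stages.get(stage.upper())
    if info is None:
        return "unknown"
    # Assumption: zero used and zero available slices means the stage has no slices at all.
    if info["used"] + info["available"] == 0:
        return "no-slices"
    if info["available"] == 0 and not any(s["free"] for s in info["slices"]):
        return "full"
    return "ok"  # free capacity exists; it does not guarantee a particular rule fits

if __name__ == "__main__":
    parsed = parse_acl_slice_usage(SAMPLE)
    for name in parsed:
        print(f"{name:9} {stage_status(parsed, name)}")
```

A `no-slices` result for EGRESS points at a platform limit rather than at rule exhaustion, so freeing ingress rules or changing vlan-acl-precedence would not be expected to help.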