Question

Policy cannot be enabled when double width access-list


Hi There,

Just wondering if anyone has seen this issue, or knows what it's complaining about and how to correct it.

Trying to run the command:

```
enable policy
```

This is on an X670G2, Core License running version 21.1.4.4 Patch 1-3

I get the following error:

```
Warning: Enabling Policy will cause some Netlogin settings (such as VLANs and dynamically created VLANs) to be cleared.
ERROR: Hardware resources could not be reserved for Policy (count 0). Note that Policy cannot be enabled when double width access-list is configured or operational.
```

No ACLs have been configured; the following command shows the same on the other 3 core switches, which have relatively the same config, and policy is enabled fine:

```
Customer-Core4.304 # show access-list width
Slot Type Width (Configured)
---- ---------------- ---------------------
X670G2-48x-4q Single
```

Run various other ACL commands and nothing is standing out. Googling the error or elements of the message doesn't seem to be returning anything.

Many thanks in advance

5 replies

Hi Martin,

Stacking and MLAGing are more complementary than they are comparable technologies in my opinion.

Stacking tries to provide the degree of simplified management and resilience a chassis would offer without the cost + rigidity/planning that comes with deciding what type of chassis would fit your needs. On the other hand, MLAGing tries to address the limitations that come with a traditional implementation like STP. Both provide redundancy, but for stacking that is secondary to the fact that stacking came about to increase port density while simplifying management.

The same way you can add more links to an MLAG, you can do the same with Stacking. The same way an ASIC on an MLAG peer would forward a known traffic stream in hardware, a stack member can.

If I may, I don't think stack members should be geographically spaced, even if you have the bandwidth for it. And yes, entire stacks do fail. But if you do find yourself wanting to do that, it would be the best time to think about deploying a 2 tier MLAG. Peering is local, so no check-pointing traffic traverses the links connecting the two locations, and if an entire path fails, you still have your back-up.

For even added resilience, your 2 MLAG peers can be Summit Stacks, which gives the best of both worlds. Ultimately, it all comes down to what you're trying to do and how much room you have to go crazy with ideas.

hi all ... I have the same error, on the same hardware,
with a different firmware version
summitX-22.4.1.4.xos
is there any update?

please let me know

thanks a lot

best regards

Stefano

Stefano Dall'Osto wrote:

hi all ... I have the same error, on the same hardware,
with a different firmware version
summitX-22.4.1.4.xos
is there any update?

please let me know

thanks a lot

best regards

Stefano

Hi Stefano,

Both MLAG and Policy reserve ACL Slice resources when configured/enabled. For policy, you can reduce the resource reservation by configuring the profile-modifier. This functionality was added in 22.4.

https://documentation.extremenetworks.com/exos_commands_22.4/exos_21_1/exos_commands_all/r_configure...

So, something like:

```
configure policy resource-profile default profile-modifier [no-mac|no-ipv4|no-ipv6] enable
```

After configuring this you should see more available slices in the acl-slice usage output.

Hi Stefano,

Believe the issue in my case was that with MLAG enabled it used too many ACL slices for me to be able to enable policy.

The fix was to disable MLAG, then enable policy, then enable MLAG again!

Thanks,

Martin
Hi all,
and thanks for the replies ...

but I think I'm losing something ...
I don't have any MLAG enabled on the x670-g2 stack ...

so, where is the issue?

thanks in advance

best regards

Stefano
