topic RE: ACL installation problem on x670 - XOS 15.5.3.4 in ExtremeSwitching (EXOS/Switch Engine)

ACL installation problem on x670 - XOS 15.5.3.4

Romain_Mercier — Wed, 20 Jan 2016 17:02:00 GMT

Hi,

I'm facing a problem with two X670-48x in version 15.5.3.4 when I try to install an ACL on an egress port.

Here is the content of the policy file :

entry NO-DHCP-SR1-SR2-01 {
if match all {
vlan-id 443 ;
protocol udp ;
destination-port bootps ;
ethernet-destination-address ff:ff:ff:ff:ff:ff ;
} then {
deny ;
count BROADDHCP443;
}
}

When I try to install the ACL I get this error :

SRX.14 # configure access-list INTER-ROUTERS ports 2 egress

Error: ACL install operation failed - filter hardware full for vlan *, port 2

Months ago, I upgraded the swith from 15.2.2.7 to 15.5.3.4, so I thought I match the symptoms described herre : https://extremeportal.force.com/ExtrArticleDetail?an=000077652

I have follow the instructions and changed the access-list configuration, saved the configuration and then reboot the switch but I'm still having the same error message.
Here is an extract of the log when trying to apply the ACL :

01/19/2016 07:57:07.88 Policy:unBind:INTER-ROUTERS:vlan:*:port:*:
01/19/2016 07:57:07.88 Policy:unBind:INTER-ROUTERS:vlan:*:port:2:
01/19/2016 07:57:07.88 EXOS application attempting to install incompatible ACL: filter vlan *, port 2 (rule "NO-DHCP-SR1-SR2-01", index 1)
01/19/2016 07:57:07.87 Loaded Policy: INTER-ROUTERS number of entries 1
01/19/2016 07:57:07.87 Loading policy INTER-ROUTERS from file /config/INTER-ROUTERS.pol
01/19/2016 07:50:55.75 Policy:unBind:INTER-ROUTERS:vlan:*:port:*:
01/19/2016 07:50:55.75 Policy:unBind:INTER-ROUTERS:vlan:*:port:2:
01/19/2016 07:50:55.75 EXOS application attempting to install incompatible ACL: filter vlan *, port 2 (rule "NO-DHCP-SR1-SR2-01", index 1)
01/19/2016 07:50:55.74 Loaded Policy: INTER-ROUTERS number of entries 1
01/19/2016 07:50:55.74 Loading policy INTER-ROUTERS from file /config/INTER-ROUTERS.pol

Have you any idea about what's wrong with this ?

Regards,
Romain M.

RE: ACL installation problem on x670 - XOS 15.5.3.4

Jarek — Wed, 20 Jan 2016 17:49:00 GMT

Hi,

you can not mix field selectors that you have in ACL.

For egress you can do (from user guide) :

Following is the table of the available combinations:
• Combination 1:
ethernet-type>
• Combination 2:
protocol, destination-port, source-port, tcp-flags>
• Combination 3:

, source-address,
protocol>

Can you write what do you want to achieve with that ACL ?

--
Jarek

RE: ACL installation problem on x670 - XOS 15.5.3.4

BrandonC — Thu, 21 Jan 2016 03:53:00 GMT

Hi Romain,

In addition to what Jarek mentioned, can you get the output of 'show access-list usage acl-slice port 2'?

This will let us see if there are hardware resources available for the ACL to be installed on the port.

-Brandon

RE: ACL installation problem on x670 - XOS 15.5.3.4

Romain_Mercier — Thu, 21 Jan 2016 15:44:00 GMT

Hi Jarek and Brandon,

Thank you for your helpful answers !

I forgot the limitation on match condition combnation. I replaced the ethernet-destination-address by destination-address 255.255.255.255/32.
The goal of this rule is to deny broadcasted DHCP request between two X670. The two devices have a bootprelay configuration for the vlan-id 443 and I want only the first device receiving the request to relay it and not the both of them.

Changing the combination makes it possible to install the policy !

In addition, here is the answer for you Brandon :
SRX.5 # show access-list usage acl-slice port 2
Ports 1-48
Stage: INGRESS
Slices: Used: 9 Available: 1
Slice 0 Rules: Used: 0 Available: 0
Slice 1 Rules: Used: 12 Available: 116 system
Slice 2 Rules: Used: 1 Available: 127 IPv6 MC
Slice 3 Rules: Used: 2 Available: 126 system
Slice 4 Rules: Used: 2 Available: 254 system
Slice 5 Rules: Used: 2 Available: 254 user/other
Slice 6 Rules: Used: 4 Available: 252 user/other
Slice 7 Rules: Used: 32 Available: 224 user/other
Slice 8 Rules: Used: 2 Available: 254 user/other
Slice 9 Rules: Used: 9 Available: 247 user/other
Stage: EGRESS
Slices: Used: 1 Available: 3
Slice 0 Rules: Used: 0 Available: 0
Slice 1 Rules: Used: 0 Available: 0
Slice 2 Rules: Used: 0 Available: 0
Slice 3 Rules: Used: 79 Available: 177 user/other
Stage: LOOKUP
Slices: Used: 0 Available: 4
Slice 0 Rules: Used: 0 Available: 0
Slice 1 Rules: Used: 0 Available: 0
Slice 2 Rules: Used: 0 Available: 0
Slice 3 Rules: Used: 0 Available: 0
Stage: EXTERNAL
Slices: Used: 0 Available: 0

It works now.
Thank you.

Best regards,
Romain M.