https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-slices/m-p/28212#M4294 Create Date: Aug 23 2013 5:50PM<BR /> <BR /> For my knowledge different slices are used for different things,<BR /> in youre case X670 has 10 slices and sum of 10 slices rules is 2048. <BR /> <BR /> You have in use:<BR /> Stage: INGRESS<BR /> Slices: Used: 9 Available: 1<BR /> <BR /> I don't know your config and ACL's, <BR /> but "Error: ACL install operation failed - slice hardware full for vlan Curriculum_Server, port *" could mean:<BR /> <BR /> 1) That some functions need for it own use slices and cannot share it with others<BR /> <BR /> You can check that when you remove some of ACL's, <BR /> then show access-list usage acl-slice port 1 what sliceses are free.<BR /> And then add this accesslist C_S, then check slices usage<BR /> <BR /> 2) Sometimes the solution is to write acl's in file in a different order or/and<BR /> add policy it in diffrent order.<BR /> <BR /> I had some time ago similar problem with X250e I don't remeber in what soft that was.<BR /> When the switch reboot it add some acl policy for vlans then add ip-security things like dhp-snooping <BR /> and arpvalidation. In logs I saw ACL install operation failed ...<BR /> But when I removed all ACL's, and first add ip-security things then the ACL for vlan <BR /> it works with no error.<BR /> <BR /> 3) Maybe a firmware bug ? What firmware you have ?<BR /> <BR /> --<BR /> Jarek<BR /> <BR /> (from Jaroslaw_Kasjaniuk) Wed, 08 Jan 2014 06:04:00 GMT EtherNation_Use 2014-01-08T06:04:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-slices/m-p/28209#M4291 Create Date: Aug 23 2013 12:39PM<BR /> <BR /> hi<BR /> <BR /> i am trying to put acls on our core switch to prevent access between certain vlans. but run out of slices quickly.<BR /> <BR /> i don't understand slices or how it is calculated???<BR /> <BR /> * X670-48x.9 # show access-list usage acl-slice port 1<BR /> Ports 1-48<BR /> Stage: INGRESS<BR /> Slices: Used: 9 Available: 1<BR /> Slice 0 Rules: Used: 0 Available: 128<BR /> Slice 1 Rules: Used: 3 Available: 125 user/other<BR /> Slice 2 Rules: Used: 20 Available: 108 system<BR /> Slice 3 Rules: Used: 6 Available: 122 system<BR /> Slice 4 Rules: Used: 3 Available: 253 user/other<BR /> Slice 5 Rules: Used: 6 Available: 250 user/other<BR /> Slice 6 Rules: Used: 3 Available: 253 user/other<BR /> Slice 7 Rules: Used: 6 Available: 250 user/other<BR /> Slice 8 Rules: Used: 3 Available: 253 user/other<BR /> Slice 9 Rules: Used: 8 Available: 248 user/other<BR /> Stage: EGRESS<BR /> Slices: Used: 0 Available: 4<BR /> Slice 0 Rules: Used: 0 Available: 256<BR /> Slice 1 Rules: Used: 0 Available: 256<BR /> Slice 2 Rules: Used: 0 Available: 256<BR /> Slice 3 Rules: Used: 0 Available: 256<BR /> Stage: LOOKUP<BR /> Slices: Used: 1 Available: 3<BR /> Slice 0 Rules: Used: 0 Available: 256<BR /> Slice 1 Rules: Used: 0 Available: 256<BR /> Slice 2 Rules: Used: 0 Available: 256<BR /> Slice 3 Rules: Used: 49 Available: 207<BR /> Stage: EXTERNAL<BR /> Slices: Used: 0 Available: 0<BR /> * X670-48x.10 #<BR /> (from Conrad_Jones) Wed, 08 Jan 2014 06:04:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-slices/m-p/28209#M4291 EtherNation_Use 2014-01-08T06:04:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-slices/m-p/28210#M4292 Create Date: Aug 23 2013 12:58PM<BR /> <BR /> Hi, <BR /> <BR /> I think you can find answer to your question in concept guide:<BR /> Chapter ACL -&gt; ACL Mechanisms - 681 <BR /> <BR /> Jarek (from Jaroslaw_Kasjaniuk) Wed, 08 Jan 2014 06:04:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-slices/m-p/28210#M4292 EtherNation_Use 2014-01-08T06:04:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-slices/m-p/28211#M4293 Create Date: Aug 23 2013 1:08PM<BR /> <BR /> Vlan Name Port Policy Name Dir Rules Dyn Rules<BR /> ===================================================================<BR /> Internet * Internet ingress 9 0<BR /> dmz * DMZ ingress 9 0<BR /> dmz 1 ingress 0 2<BR /> dmz 2 ingress 0 2<BR /> dmz 3 ingress 0 2<BR /> dmz 45 ingress 0 2<BR /> dmz 46 ingress 0 2<BR /> dmz 47 ingress 0 2<BR /> dmz 48 ingress 0 2<BR /> Admin_Server * A_S ingress 9 0<BR /> <BR /> * X670-48x.2 # configure access-list C_S vlan Curriculum<BR /> <VLANNAME> vlan name<BR /> "Curriculum" "Curriculum_PC" "Curriculum_Printer" "Curriculum_Server"<BR /> * X670-48x.2 # configure access-list C_S vlan "Curriculum_Server"<BR /> <BR /> Error: ACL install operation failed - slice hardware full for vlan Curriculum_Se<BR /> rver, port *<BR /> * X670-48x.3 #<BR /> <BR /> <BR /> <BR /> Apologies i have read that, i don't think I'm approaching any where near 2048 ingress rules.<BR /> <BR /> Each group of 48 ports has 10 slices; the first 4 (0-3) slices hold 128 ingress rules each, and the last<BR /> 6 (4-9) slices hold 256 ingress rules each, which adds up to 2048 ingress rules.<BR /> <BR /> (from Conrad_Jones)</VLANNAME> Wed, 08 Jan 2014 06:04:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-slices/m-p/28211#M4293 EtherNation_Use 2014-01-08T06:04:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-slices/m-p/28212#M4294 Create Date: Aug 23 2013 5:50PM<BR /> <BR /> For my knowledge different slices are used for different things,<BR /> in youre case X670 has 10 slices and sum of 10 slices rules is 2048. <BR /> <BR /> You have in use:<BR /> Stage: INGRESS<BR /> Slices: Used: 9 Available: 1<BR /> <BR /> I don't know your config and ACL's, <BR /> but "Error: ACL install operation failed - slice hardware full for vlan Curriculum_Server, port *" could mean:<BR /> <BR /> 1) That some functions need for it own use slices and cannot share it with others<BR /> <BR /> You can check that when you remove some of ACL's, <BR /> then show access-list usage acl-slice port 1 what sliceses are free.<BR /> And then add this accesslist C_S, then check slices usage<BR /> <BR /> 2) Sometimes the solution is to write acl's in file in a different order or/and<BR /> add policy it in diffrent order.<BR /> <BR /> I had some time ago similar problem with X250e I don't remeber in what soft that was.<BR /> When the switch reboot it add some acl policy for vlans then add ip-security things like dhp-snooping <BR /> and arpvalidation. In logs I saw ACL install operation failed ...<BR /> But when I removed all ACL's, and first add ip-security things then the ACL for vlan <BR /> it works with no error.<BR /> <BR /> 3) Maybe a firmware bug ? What firmware you have ?<BR /> <BR /> --<BR /> Jarek<BR /> <BR /> (from Jaroslaw_Kasjaniuk) Wed, 08 Jan 2014 06:04:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-slices/m-p/28212#M4294 EtherNation_Use 2014-01-08T06:04:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-slices/m-p/28213#M4295 Create Date: Aug 23 2013 6:54PM<BR /> <BR /> i've got loads of VRRP going on on that switch and some dhcp snooping but the way i read the pdf they used the system slice not the user/other ? not sure here though<BR /> <BR /> firmware, i updated today to the latest xos and it didn't make a difference, i will check firmware versions on tuesday as i have left the site now. <BR /> <BR /> i may backup the config and try reseting the whole switch though i'd rather not  (from Conrad_Jones) Wed, 08 Jan 2014 06:04:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-slices/m-p/28213#M4295 EtherNation_Use 2014-01-08T06:04:00Z