
ACL installation problem on x670 - XOS 15.5.3.4

Romain_Mercier
New Contributor

Hi,

I'm facing a problem with two X670-48x in version 15.5.3.4 when I try to install an ACL on an egress port.

Here is the content of the policy file:

entry NO-DHCP-SR1-SR2-01 {
if match all {
vlan-id 443 ;
protocol udp ;
destination-port bootps ;
ethernet-destination-address ff:ff:ff:ff:ff:ff ;
} then {
deny ;
count BROADDHCP443;
}
}


When I try to install the ACL I get this error:


SRX.14 # configure access-list INTER-ROUTERS ports 2 egress

Error: ACL install operation failed - filter hardware full for vlan *, port 2

Months ago, I upgraded the switch from 15.2.2.7 to 15.5.3.4, so I thought I matched the symptoms described here: https://extremeportal.force.com/ExtrArticleDetail?an=000077652


I have followed the instructions and changed the access-list configuration, saved the configuration and then rebooted the switch, but I'm still getting the same error message.
Here is an extract of the log when trying to apply the ACL:


01/19/2016 07:57:07.88 Policy:unBind:INTER-ROUTERS:vlan:*:port:*:
01/19/2016 07:57:07.88 Policy:unBind:INTER-ROUTERS:vlan:*:port:2:
01/19/2016 07:57:07.88 EXOS application attempting to install incompatible ACL: filter vlan *, port 2 (rule "NO-DHCP-SR1-SR2-01", index 1)
01/19/2016 07:57:07.87 Loaded Policy: INTER-ROUTERS number of entries 1
01/19/2016 07:57:07.87 Loading policy INTER-ROUTERS from file /config/INTER-ROUTERS.pol
01/19/2016 07:50:55.75 Policy:unBind:INTER-ROUTERS:vlan:*:port:*:
01/19/2016 07:50:55.75 Policy:unBind:INTER-ROUTERS:vlan:*:port:2:
01/19/2016 07:50:55.75 EXOS application attempting to install incompatible ACL: filter vlan *, port 2 (rule "NO-DHCP-SR1-SR2-01", index 1)
01/19/2016 07:50:55.74 Loaded Policy: INTER-ROUTERS number of entries 1
01/19/2016 07:50:55.74 Loading policy INTER-ROUTERS from file /config/INTER-ROUTERS.pol


Do you have any idea what's wrong with this?

Regards,
Romain M.


Romain_Mercier
New Contributor
Hi Jarek and Brandon,

Thank you for your helpful answers !

I forgot about the limitation on match condition combinations. I replaced the ethernet-destination-address with destination-address 255.255.255.255/32.
The goal of this rule is to deny broadcast DHCP requests between the two X670s. The two devices have a bootprelay configuration for vlan-id 443, and I want only the first device receiving the request to relay it, not both of them.

Changing the combination makes it possible to install the policy!

In addition, here is the answer for you, Brandon:
SRX.5 # show access-list usage acl-slice port 2
Ports 1-48
Stage: INGRESS
Slices: Used: 9 Available: 1
Slice 0 Rules: Used: 0 Available: 0
Slice 1 Rules: Used: 12 Available: 116 system
Slice 2 Rules: Used: 1 Available: 127 IPv6 MC
Slice 3 Rules: Used: 2 Available: 126 system
Slice 4 Rules: Used: 2 Available: 254 system
Slice 5 Rules: Used: 2 Available: 254 user/other
Slice 6 Rules: Used: 4 Available: 252 user/other
Slice 7 Rules: Used: 32 Available: 224 user/other
Slice 8 Rules: Used: 2 Available: 254 user/other
Slice 9 Rules: Used: 9 Available: 247 user/other
Stage: EGRESS
Slices: Used: 1 Available: 3
Slice 0 Rules: Used: 0 Available: 0
Slice 1 Rules: Used: 0 Available: 0
Slice 2 Rules: Used: 0 Available: 0
Slice 3 Rules: Used: 79 Available: 177 user/other
Stage: LOOKUP
Slices: Used: 0 Available: 4
Slice 0 Rules: Used: 0 Available: 0
Slice 1 Rules: Used: 0 Available: 0
Slice 2 Rules: Used: 0 Available: 0
Slice 3 Rules: Used: 0 Available: 0
Stage: EXTERNAL
Slices: Used: 0 Available: 0

It works now.
Thank you.

Best regards,
Romain M.
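As an added example (not part of the thread and not Extreme's code), here is a small Python parser for the 'show access-list usage acl-slice' output above. It reports whether a stage still has free slices or free rules in user slices, so a "filter hardware full" message can be checked against the actual TCAM usage. The sample output embedded in it is a cut-down copy of the one posted above.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: a cut-down copy of the 'show access-list usage acl-slice port 2'
# output posted above (one INGRESS slice, two EGRESS slices, the EXTERNAL stage).
SAMPLE_OUTPUT = """\
Stage: INGRESS
Slices: Used: 9 Available: 1
Slice 7 Rules: Used: 32 Available: 224 user/other
Stage: EGRESS
Slices: Used: 1 Available: 3
Slice 0 Rules: Used: 0 Available: 0
Slice 3 Rules: Used: 79 Available: 177 user/other
Stage: EXTERNAL
Slices: Used: 0 Available: 0
"""

STAGE_RE = re.compile(r"^Stage:\s+(\S+)")
SLICES_RE = re.compile(r"^Slices:\s+Used:\s+(\d+)\s+Available:\s+(\d+)")
SLICE_RE = re.compile(r"^Slice\s+(\d+)\s+Rules:\s+Used:\s+(\d+)\s+Available:\s+(\d+)\s*(.*)$")

@dataclass
class Stage:
    name: str
    slices_used: int = 0
    slices_available: int = 0
    slices: list = field(default_factory=list)  # (index, rules used, rules free, owner)

    def free_user_rules(self):
        """Rules still free in slices already allocated to user ACLs ("user/other")."""
        return sum(free for _, _, free, owner in self.slices if owner.startswith("user"))

def parse_acl_slice_usage(text):
    stages, current = {}, None  # maps stage name (INGRESS, EGRESS, ...) to its Stage
    for line in text.splitlines():
        line = line.strip()
        if m := STAGE_RE.match(line):
            current = Stage(m.group(1))
            stages[current.name] = current
        elif current and (m := SLICES_RE.match(line)):
            current.slices_used, current.slices_available = int(m.group(1)), int(m.group(2))
        elif current and (m := SLICE_RE.match(line)):
            idx, used, free, owner = m.groups()
            current.slices.append((int(idx), int(used), int(free), owner or "unallocated"))
    return stages

def has_capacity(stage):
    """True if a new user rule can fit: a free slice, or free rules in a user slice.
    In the thread EGRESS still had 3 free slices and 177 free rules, so the error
    came from the field-selector mix, not from a full TCAM."""
    return stage.slices_available > 0 or stage.free_user_rules() > 0
```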

BrandonC
Extreme Employee
Hi Romain,

In addition to what Jarek mentioned, can you get the output of 'show access-list usage acl-slice port 2'?

This will let us see if there are hardware resources available for the ACL to be installed on the port.

-Brandon

Jarek
New Contributor II
Hi,

you cannot mix the field selectors that you have in the ACL.

For egress you can use (from the user guide):

Following is the table of the available combinations:
• Combination 1: ethernet-type
• Combination 2: protocol, destination-port, source-port, tcp-flags
• Combination 3: , source-address, protocol

Can you write what you want to achieve with that ACL?

--
Jarek