ACLs on X440-48t

EtherNation_Use
Contributor II
Create Date: Aug 22 2012 10:13AM

Hey all,
I'm new to Extreme switches, so please bear with me here. I'm trying to apply an ACL on our new X440 switch. Basically what I'm trying to do is this: We have multiple "tenants" each of which has their own VLAN. I'm trying to prevent "Tenant_A" on VLAN 101 from accessing "Tenant_B", "Tenant_C", "Tenant_D", etc on VLANs 102, 103, 104, etc.

To start I created a policy file that looks like this called "Test1":
code:
entry ex_A {
   if {
      source-address 172.17.102.0/24 ;
      destination-address 172.17.101.0/24 ;
   } then {
      deny ;
   }
}

Whenever I run the command to apply it:
code:
con access Test1 vlan Tenant_A
or
code:
con access Test1 vlan Client-IARS ingress
I always wind up with this error as a result:
code:
Error: ACL install operation failed - slice hardware full for vlan Tenant_A, port *

I've set "Tenant_A" vlan to be tagged on ports 1-4, if I run:
code:
show access-list usage acl-slice port 1
this is what I see:
code:
Ports 1-24
Stage: INGRESS
Slices:          Used: 4  Available: 0
Slice 0 Rules:   Used: 12  Available: 244 system
Slice 1 Rules:   Used: 2  Available: 254 system
Slice 2 Rules:   Used: 2  Available: 254 system
Slice 3 Rules:   Used: 2  Available: 254 system
Stage: EGRESS
Slices:          Used: 0  Available: 0
Stage: LOOKUP
Slices:          Used: 0  Available: 0
Stage: EXTERNAL
Slices:          Used: 0  Available: 0
Can anyone help?
--
jason shiflet (from Jason_Shiflet)
3 REPLIES

EtherNation_Use
Contributor II
Create Date: Aug 23 2012 2:01PM

What EXOS do you use?
Do you have any ip-security options enabled ('sh access-list dynamic')?
Can you check 'show access-list usage acl-slice port 1' when the switch has default config ('unconfigure switch all')?

--
Jarek (from Jaroslaw_Kasjaniuk)

EtherNation_Use
Contributor II
Create Date: Aug 23 2012 9:06AM

Hi Jarek,
That's the thing...I've basically wiped the switch clean of configs. It's brand new and I'm trying to create an ACL for the first time.

--
jason (from Jason_Shiflet)

EtherNation_Use
Contributor II
Create Date: Aug 23 2012 2:39AM

Hi jshiflet,

As you can see from "Slices: Used: 4 Available: 0 <-", you don't have available slices.
You can try to optimize the other ACLs.

Can you show what other ACLs you have applied?

--
Jarek
(from Jaroslaw_Kasjaniuk)
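
An added example, not part of any post in this thread: a Python parser for the `show access-list usage acl-slice` output quoted in the first post, flagging any stage that has slices in use but none available, which is the condition the reply above points to. The sample text is constructed from that output, and the function names and the "tag" field are hypothetical.

```python
import re

# Constructed sample: part of the CLI output quoted in the first post.
SAMPLE = """\
Ports 1-24
Stage: INGRESS
Slices:          Used: 4  Available: 0
Slice 0 Rules:   Used: 12  Available: 244 system
Slice 1 Rules:   Used: 2  Available: 254 system
Slice 2 Rules:   Used: 2  Available: 254 system
Slice 3 Rules:   Used: 2  Available: 254 system
Stage: EGRESS
Slices:          Used: 0  Available: 0
"""

STAGE = re.compile(r"^Stage:\s*(\w+)")
SLICES = re.compile(r"^Slices:\s*Used:\s*(\d+)\s+Available:\s*(\d+)")
RULES = re.compile(
    r"^Slice\s+(\d+)\s+Rules:\s*Used:\s*(\d+)\s+Available:\s*(\d+)\s*(\S*)")

def parse_slice_usage(text):
    """Return {stage: {"used", "available", "slices": [...]}} from the CLI text."""
    stages, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := STAGE.match(line):
            cur = stages.setdefault(
                m.group(1), {"used": 0, "available": 0, "slices": []})
        elif cur is not None and (m := SLICES.match(line)):
            cur["used"], cur["available"] = int(m.group(1)), int(m.group(2))
        elif cur is not None and (m := RULES.match(line)):
            # The trailing word (e.g. "system") is kept verbatim as "tag".
            cur["slices"].append({"id": int(m.group(1)), "used": int(m.group(2)),
                                  "free": int(m.group(3)), "tag": m.group(4) or None})
    return stages

def exhausted_stages(stages):
    """Stages that have slices in use but none available."""
    return [n for n, s in stages.items() if s["used"] > 0 and s["available"] == 0]

if __name__ == "__main__":
    parsed = parse_slice_usage(SAMPLE)
    for name in exhausted_stages(parsed):
        s = parsed[name]
        free_rules = sum(x["free"] for x in s["slices"])
        tags = sorted({x["tag"] for x in s["slices"] if x["tag"]})
        print(f"{name}: {s['used']} slices used, 0 available; "
              f"{free_rules} rule entries free in slices tagged {tags}")
```

On the sample this reports INGRESS only: the free rule entries sit inside the four slices already in use, while the slice count itself shows none available.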