This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Error: ACL install operation failed - filter hardware full for vlan *, port 1:5

Error: ACL install operation failed - filter hardware full for vlan *, port 1:5

Anonymous
Not applicable

‎09-17-2015 06:59 AM

Hi,

Do you know any reason why I am getting this error whenever I try to apply the ACL on egress?

I've tried creating an ACL via a policy and dynamic, with and without logging but I get the same error each time, yet on ingress I can apply an ACL fine - am hitting some limitation on applying ACL on egress, or have my configuration wrong in some manner?

I have the following line in my config:

configure access-list vlan-acl-precedence shared

Which is meant to fix this issue?
https://extremeportal.force.com/ExtrArticleDetail?an=000063193

Creation and application of dynamic ACL:

create access-list Debug-Port-Egress " source-address 0.0.0.0/0 ;" " permit ; log ; mirror-cpu ; count Debug-Port-Egress ;" application "Cli"

configure access-list add "Debug-Port-Egress" first ports 1:5 egress
Error: ACL install operation failed - filter hardware full for vlan *, port 1:5

Creation and application of ACL through policy:

With logging:

entry Debug-Port-egress {
if match all {
source-address 0.0.0.0/0;
} then {
permit ;
log ;
mirror-cpu ;
count Debug-Port-Ingress ;
}
}

And without logging

entry Debug-Port-egress {
if match all {
source-address 0.0.0.0/0;
} then {
permit ;
}
}



configure access-list Debug-Port-Egress ports 1:5 egress

Error: ACL install operation failed - filter hardware full for vlan *, port 1:5

And show commands that you might find useful:

Stack 1.41 # show access-list configuration
Access-list Refresh Blackhole: Enabled
Access-list Permit To-CPU: Enabled

Access-list configured vlan-acl-precedence mode: Shared
Access-list operational vlan-acl-precedence mode: Shared
Access-list Rule-compression Port-counters: Dedicated

Stack 1.40 # show access-list usage acl-slice port 1:5
Ports 1:1-1:24
Stage: INGRESS
Slices: Used: 2 Available: 2
Slice 0 Rules: Used: 0 Available: 0
Slice 1 Rules: Used: 0 Available: 0
Slice 2 Rules: Used: 17 Available: 239 system
Slice 3 Rules: Used: 70 Available: 186 user/other
Stage: EGRESS
Slices: Used: 0 Available: 0
Stage: LOOKUP
Slices: Used: 0 Available: 0
Stage: EXTERNAL
Slices: Used: 0 Available: 0

Stack 1.39 # show access-list dynamic
Dynamic Rules: ((*)- Rule is non-permanent )

Debug-Port-Egress Bound to 0 interfaces for application Cli
Debug-Port-Ingress Bound to 1 interfaces for application Cli
(*)hclag_arp_2_4_96_82_46_c1 Bound to 0 interfaces for application HealthCheckLAG
(*)idmgmt_def_blacklist Bound to 0 interfaces for application IdentityManager
(*)idmgmt_def_whitelist Bound to 0 interfaces for application IdentityManager

Switch is a stack of 4 x X440, running version 15.5.4.2 patch 1-5

Many thanks in advance

0 Kudos
2 REPLIES 2

Anonymous
Not applicable

‎09-17-2015 07:21 AM

Oh, ok, thanks Oscar, that explains that nicely then 🙂

0 Kudos

OscarK
Extreme Employee

‎09-17-2015 07:06 AM

Hello Martin,

as you can see in show access-list usage acl-slice the X440 does not have egress slices available (0).
From the manual the X440 is not listed as being capable to do egress ACL:
egress
Apply the ACL to packets leaving the switch from this interface.(BlackDiamond X8 series switches, BlackDiamond 8000 c-, xl-, xm-series
modules, E4G-200 and E4G-400 switches, and Summit X460, X460-G2, X480, X670, X670-G2, and X770 switches only).
0 Kudos
GTM-P2G8KFN