
acl applying problem in layer 3 switch 4500

 
snavuluri
Occasional Advisor

acl applying problem in layer 3 switch 4500

[SwRtr_4500-26]packet-filter vlan 4 outbound ip-group 3011
 Applying Acl 3011 rule 11 failed!  Reason: Resource unavailable!(Ethernet1/0/1)
 Applying Acl 3011 rule 11 failed!  Reason: Resource unavailable!(Ethernet1/0/19)
 Applying Acl 3011 rule 11 failed!  Reason: Resource unavailable!(Ethernet1/0/20)
 Applying Acl 3011 rule 11 failed!  Reason: Resource unavailable!(Ethernet1/0/21)
 Applying Acl 3011 rule 11 failed!  Reason: Resource unavailable!(Ethernet1/0/22)
 Applying Acl 3011 rule 11 failed!  Reason: Resource unavailable!(Ethernet1/0/23)
 Applying Acl 3011 rule 11 failed!  Reason: Resource unavailable!(Ethernet1/0/24)
 Applying Acl 3011 rule 11 failed!  Reason: Resource unavailable!(GigabitEthernet1/0/25)
 Applying Acl 3011 rule 8 failed!  Reason: Resource unavailable!(GigabitEthernet1/0/26)
 Applying Acl 3011 rule 9 failed!  Reason: Resource unavailable!(GigabitEthernet1/0/26)
 Applying Acl 3011 rule 10 failed!  Reason: Resource unavailable!(GigabitEthernet1/0/26)
 Applying Acl 3011 rule 11 failed!  Reason: Resource unavailable!(GigabitEthernet1/0/26)

 

P.S. This thread has been moved from ProCurve / ProVision-Based to Comware-Based. -HP Forum Moderator

9 REPLIES
richardkok
Frequent Advisor

Re: acl applying problem in layer 3 switch 4500

What is the outcome of:

display drv-module qacl qacl_resource ?
snavuluri
Occasional Advisor

Re: acl applying problem in layer 3 switch 4500

[4500]display drv qacl_resource
        block   used-mask   used-rule   spare-mask   spare-rule
         0      16          65          0            191
         1      11          56          5            200
         2      11          56          5            200
         6      10          27          6            101
         7      10          27          6            101
         8      10          27          6            101
         9      10          27          6            101

richardkok
Frequent Advisor

Re: acl applying problem in layer 3 switch 4500

Well, I am no 3com/HP expert, but it seems that your ACLs are using more resources than your switch can handle. As you can see, BLOCK 0 has a spare-mask value of 0. How does this work?

 

Block 0 is used by FE ports 1/0/1 to 1/0/8

Block 1 is used by FE ports 1/0/9 to 1/0/16

Block 2 is used by FE ports 1/0/17 to 1/0/24

Block 6 is used by GE port 1/0/25

Block 7 is used by GE port 1/0/26

Block 8 is used by GE port 1/0/27

Block 9 is used by GE port 1/0/28

 

This means port 1 to 8 cannot be configured by ACLs that use mask values (seems you are using one in ACL nr 3011 rule 11 on e 1/0/1)... well, you get the picture for the other error messages.

So what to do? You can take a look at lowering the number of ACLs, or you'll have to buy a switch that can handle more ACLs (the 5500 also uses 16 masks and 256 rules maximum). Maybe an HP guy can tell you which one you need.

 

hope it helps

richard
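
The check described in the reply above, as an added example that is not part of the original thread: it parses the `display drv qacl_resource` table posted earlier and lists the blocks with too few spare masks or rules, using the block-to-port mapping given in the reply. How many masks and rules a new ACL needs is supplied by the caller as an estimate (an assumption; the thread does not say how the switch counts them), and the function names are hypothetical.

```python
import re

# Constructed sample: the `display drv qacl_resource` table posted in this thread.
SAMPLE = """\
block   used-mask  used-rule spare-mask  spare-rule
 0         16         65          0         191
 1         11         56          5         200
 2         11         56          5         200
 6         10         27          6         101
 7         10         27          6         101
 8         10         27          6         101
 9         10         27          6         101
"""

# Block-to-port mapping exactly as stated in the reply above.
BLOCK_PORTS = {
    0: "Ethernet1/0/1-8", 1: "Ethernet1/0/9-16", 2: "Ethernet1/0/17-24",
    6: "GigabitEthernet1/0/25", 7: "GigabitEthernet1/0/26",
    8: "GigabitEthernet1/0/27", 9: "GigabitEthernet1/0/28",
}

# A data row is five integers; the header, prompts and blank lines do not match.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_qacl_resource(text):
    """Return {block: {used_mask, used_rule, spare_mask, spare_rule}}."""
    blocks = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            b, um, ur, sm, sr = map(int, m.groups())
            blocks[b] = {"used_mask": um, "used_rule": ur,
                         "spare_mask": sm, "spare_rule": sr}
    return blocks

def headroom(blocks, new_masks=1, new_rules=1):
    """List (block, ports, reason) for blocks that cannot take the addition.
    new_masks / new_rules are the caller's estimate (assumed inputs)."""
    short = []
    for b, r in sorted(blocks.items()):
        reasons = []
        if r["spare_mask"] < new_masks:
            reasons.append(f"masks: need {new_masks}, spare {r['spare_mask']}")
        if r["spare_rule"] < new_rules:
            reasons.append(f"rules: need {new_rules}, spare {r['spare_rule']}")
        if reasons:
            short.append((b, BLOCK_PORTS.get(b, "unknown ports"), "; ".join(reasons)))
    return short

if __name__ == "__main__":
    for block, ports, why in headroom(parse_qacl_resource(SAMPLE)):
        print(f"block {block} ({ports}): {why}")
```

Running it on the posted table before applying a packet-filter shows which port groups have no mask headroom left, so the ACL can be trimmed or consolidated first.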

snavuluri
Occasional Advisor

Re: acl applying problem in layer 3 switch 4500

Could you please explain, with an example, what used_mask is?

richardkok
Frequent Advisor

Re: acl applying problem in layer 3 switch 4500

Can you post rule 11 of ACL 3011?

snavuluri
Occasional Advisor

Re: acl applying problem in layer 3 switch 4500

rule 11 permit icmp

richardkok
Frequent Advisor

Re: acl applying problem in layer 3 switch 4500

rule 11 permit icmp actually converts to rule 11 permit any any

 

From the URL below: The source/source-wildcard of 0.0.0.0/255.255.255.255 means "any".

 

This is called a mask. You can read more here:

 

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

 

regards

richard

snavuluri
Occasional Advisor

Re: acl applying problem in layer 3 switch 4500

You mean to say wildcard mask?

richardkok
Frequent Advisor

Re: acl applying problem in layer 3 switch 4500

yups