
January 11th, 2013 15:00

which TCAM resource am I filling with this mac ACL?

If I take a clean 6248 v3.2.0.7 (clear config, copy run start, reload), and apply the mac-acl below, I am unable to apply it to an interface.  I get the dreaded "Error processing ACL" message.  Unless my counting is off, this is not 127 ACEs. I am able to do this with about 5 ACEs, but not 10+.

vlan database
vlan 2-16,2000-2014
exit
int eth 1/xg3
 switchport mode trunk
 switchport trunk allowed vlan add 2-16,2000-2014
exit
mac access-list extended sniffer
permit any any vlan eq 2 mirror 1/g2
permit any any vlan eq 3 mirror 1/g3
permit any any vlan eq 4 mirror 1/g4
permit any any vlan eq 5 mirror 1/g5
permit any any vlan eq 6 mirror 1/g6
permit any any vlan eq 7 mirror 1/g7
permit any any vlan eq 8 mirror 1/g8
permit any any vlan eq 9 mirror 1/g9
permit any any vlan eq 10 mirror 1/g10
permit any any vlan eq 11 mirror 1/g11
permit any any vlan eq 12 mirror 1/g12
permit any any vlan eq 13 mirror 1/g13
permit any any vlan eq 14 mirror 1/g14
permit any any vlan eq 15 mirror 1/g15
permit any any vlan eq 16 mirror 1/g16
permit any any vlan eq 2000 mirror 1/g20
permit any any vlan eq 2001 mirror 1/g21
permit any any vlan eq 2002 mirror 1/g22
permit any any vlan eq 2003 mirror 1/g23
permit any any vlan eq 2004 mirror 1/g24
permit any any vlan eq 2005 mirror 1/g25
permit any any vlan eq 2006 mirror 1/g26
permit any any vlan eq 2007 mirror 1/g27
permit any any vlan eq 2008 mirror 1/g28
permit any any vlan eq 2009 mirror 1/g29
permit any any vlan eq 2010 mirror 1/g30
permit any any vlan eq 2011 mirror 1/g31
permit any any vlan eq 2012 mirror 1/g32
permit any any vlan eq 2013 mirror 1/g33
permit any any vlan eq 2014 mirror 1/g34
exit
interface ethernet 1/xg3
 mac access-group sniffer in 1

5 Practitioner • 274.2K Posts

January 14th, 2013 08:00

One of the easiest things that can help the switch run smooth, is ensuring the firmware is up to date.

3.3.5.5 is the most current.

www.dell.com/.../powerconnect-6224

Does the number of ACEs you can add change if you remove the mirror option? Perhaps the mirror option is taking up a lot of resources.

Do we get any error messages if we try to make and apply a second ACL with the additional ACEs?

So the first ACL would be for VLANs 2-12, then a second for 13-16 & 2000-2005, etc. See if we get the same error messages.

I will continue to do some research on this and if I find anything else will chime back in.

Thanks.

43 Posts

January 14th, 2013 20:00

Thanks, Daniel. My application is that I'd like to take a mirror port from another device, with multiple VLANs, and send each VLAN out a different 1gig port to a different IDS. So I need the "mirror" keyword.

The mirror port is connected to 1/xg3.

The following works, spanning VLAN 1002 traffic to 1/g1, and VLAN 2000 traffic to 1/g2.

Traffic is sent out ports 1 & 2 with no tags. No VLANs are defined in the VLAN database.

mac access-list extended v1002
permit any any vlan eq 1002 mirror 1/g1
exit
mac access-list extended v2000
permit any any vlan eq 2000 mirror 1/g2
exit
!
mac access-list extended denyAll
deny any any
exit
!
interface ethernet 1/xg3
mac access-group v1002 in 1002
mac access-group v2000 in 2000
!
interface ethernet 1/g1
mac access-group denyAll in 1
exit
interface ethernet 1/g2
mac access-group denyAll in 1
exit

…and this works, spanning both VLANs to 1/g1. Again, no dot1q tags on egress traffic:

mac access-list extended v1002
permit any any vlan eq 1002 mirror 1/g1
exit
mac access-list extended v2000
permit any any vlan eq 2000 mirror 1/g1
exit
!
interface ethernet 1/xg3
mac access-group v1002 in 1
mac access-group v2000 in 2

I tested adding multiple mac access-groups to interface 1/xg3, and got to about 5 before the PowerConnect started throwing "Error processing ACL" messages. So then I tried a single mac access-group with multiple lines, and again could not define very many.

BTW, I noticed that if one mac access-list mirrored a VLAN to (say) port 1/g1, and a higher-numbered mac access-list on the same port tried to mirror the same VLAN to 1/g2, 1/g2 did not see the traffic. So I suspect that once traffic matches a mac access-group line on an interface, the packet is not processed further.

I haven't given up yet!
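As an added example (not code from either poster or from Dell), the script below generates the per-VLAN mirror ACLs from a VLAN range like the one in the original post, splits them into several small ACLs the way Daniel suggested, and keeps every VLAN in exactly one ACL because of the first-match behaviour observed above. The command syntax is taken from the thread; the ACE budget per ACL (5, the count that applied without error) and the VLAN-to-port assignment are assumptions, and whether the switch actually accepts the result still has to be checked on the hardware.

```python
"""Generate chunked PowerConnect-style MAC mirror ACLs from a VLAN range.

Constructed example. Syntax copied from the thread; the ACE budget and the
VLAN -> mirror-port assignment are assumptions, not switch documentation.
"""
from typing import Dict, List, Tuple

# Egress ports in the order the original post assigns them (1/g2..1/g16, 1/g20..1/g34).
PORTS = [f"1/g{n}" for n in list(range(2, 17)) + list(range(20, 35))]


def parse_vlan_range(spec: str) -> List[int]:
    """Expand a CLI range such as '2-16,2000-2014' into a sorted VLAN list."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        start, end = int(lo), int(hi or lo)
        if not 1 <= start <= end <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(start, end + 1))
    return sorted(vlans)


def build_acls(mapping: Dict[int, str], max_aces: int,
               prefix: str = "sniffer") -> List[Tuple[str, List[str]]]:
    """Split VLAN->port pairs into ACLs of at most max_aces ACEs each.

    Each VLAN appears once: the thread observed that once a frame matches an
    ACE on the interface, later access-groups on that interface never see it.
    """
    if max_aces < 1:
        raise ValueError("max_aces must be >= 1")
    vlans = sorted(mapping)
    acls = []
    for i in range(0, len(vlans), max_aces):
        name = f"{prefix}{i // max_aces + 1}"
        aces = [f"permit any any vlan eq {v} mirror {mapping[v]}"
                for v in vlans[i:i + max_aces]]
        acls.append((name, aces))
    return acls


def render_config(acls: List[Tuple[str, List[str]]], interface: str = "1/xg3") -> str:
    """Emit the access-lists plus one 'mac access-group ... in SEQ' per ACL."""
    lines = []
    for name, aces in acls:
        lines += [f"mac access-list extended {name}", *aces, "exit"]
    lines.append(f"interface ethernet {interface}")
    for seq, (name, _) in enumerate(acls, start=1):
        lines.append(f" mac access-group {name} in {seq}")
    lines.append("exit")
    return "\n".join(lines)


if __name__ == "__main__":
    vlan_map = dict(zip(parse_vlan_range("2-16,2000-2014"), PORTS))
    print(render_config(build_acls(vlan_map, max_aces=5)))
```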

5 Practitioner • 274.2K Posts

January 16th, 2013 11:00

I am thinking it may be a resource issue; to help confirm this, we should try the following. Make the ACL with the max number of ACEs we were able to get it to accept without getting the error message. Then run the following show commands to see what our resource usage is at.

console#show process cpu
console#show memory cpu
console#show interfaces counters

Thanks
