When IPv6 rules are added to an existing ACL having IPv4 rules, refresh policy errors out with no explanation

Symptoms
- An ACL with IPv4 rules is implemented without any problems.
- Add IPv6 rules that specify source and destination addresses to the existing ACL.
- Refresh the policy.
- The refresh fails with an error, but no explanation is given.
* X480-48x(10G4X).14 # refresh policy Switch-ACL
Incremental refresh is not possible for policies with IPV6 rules.
Note, the current setting for Access-list Refresh Blackhole is Enabled.
Would you like to perform a full refresh? [No]? (y/N) Yes
 
Error:                              >>> no description provided for the error <<<

NOTE: The log does show that the ACL is incompatible.
* X480-48x.15 # sh log
10/17/2018 10:49:42.44 <Warn:ACL.Policy.RfrshFail> Refresh failed for policy Switch-ACL -
10/17/2018 10:49:42.40 <Erro:HAL.IPv4ACL.Error> ACL refresh failed - updated policy has not taken effect
10/17/2018 10:49:42.40 <Erro:HAL.IPv4ACL.Error> EXOS application attempting to install incompatible ACL: filter vlan *, port 25 (rule "line_2500", index 9)
 
Environment
  • Summit and Black Diamond
  • EXOS All
Cause
IPv6 rules that specify both source and destination addresses require the double-width ACL configuration. By default, the ACL configuration is set to single width, which supports a 181-bit length. Under the double-width configuration, a 362-bit length is supported.
Resolution
Change the ACL width configuration to 'Double' and the ACL will be applied without any errors.
  • Configure access-list width double             
Note: A reboot is required for the configuration to take effect.
  •  X480-48x(10G4X).9 # show access-list width
    Slot  Type              Width (Configured)
    ----  ----------------  ---------------------
    1     X480-48x(10G4X)   Double
     
  • Applying or configuring the ACL after the reboot works fine.
Additional notes
Engineering has assigned CR xos0073409 to update the error message, which currently shows up blank. This software defect will be scoped and fixed in upcoming EXOS releases.

Note: The error message lacks details only when refreshing a policy that is already applied. Any new ACL with incompatible rules (requiring double width) will show the following error message.

* X480-48t(10G4X).27 # configure access-list test ports 2
Error: ACL install operation failed - filter hardware full for vlan *, port 2
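
Because the CLI error is blank on a refresh, the log is the only place the failure is explained. The following added example (not from the original article or from Extreme Networks) parses the log lines quoted above and ties each refresh failure to the HAL errors logged around it, so a policy that did not take effect is flagged together with the offending rule. The function names, the two-second correlation window and the last sample line are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# The three log lines quoted in this article, plus one constructed unrelated line.
SAMPLE_LOG = '''\
10/17/2018 10:49:42.44 <Warn:ACL.Policy.RfrshFail> Refresh failed for policy Switch-ACL -
10/17/2018 10:49:42.40 <Erro:HAL.IPv4ACL.Error> ACL refresh failed - updated policy has not taken effect
10/17/2018 10:49:42.40 <Erro:HAL.IPv4ACL.Error> EXOS application attempting to install incompatible ACL: filter vlan *, port 25 (rule "line_2500", index 9)
10/17/2018 10:50:01.02 <Info:Example.Component> constructed unrelated event
'''

LINE = re.compile(r'^(\S+ \S+) <(\w+):([\w.]+)> (.*)$')
POLICY = re.compile(r'Refresh failed for policy (\S+)')
INCOMPAT = re.compile(
    r'incompatible ACL: filter vlan (\S+), port (\S+) \(rule "([^"]+)", index (\d+)\)')

def parse(log_text):
    """Yield (timestamp, component, message) for each well-formed log line."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f")
            yield ts, m.group(3), m.group(4)

def failed_refreshes(log_text, window=timedelta(seconds=2)):
    """Correlate each policy refresh failure with HAL ACL errors logged near it."""
    events = list(parse(log_text))
    findings = []
    for ts, comp, msg in events:
        pm = POLICY.search(msg)
        if comp != "ACL.Policy.RfrshFail" or not pm:
            continue
        finding = {"policy": pm.group(1), "time": ts,
                   "not_applied": False, "incompatible": None}
        for ts2, comp2, msg2 in events:
            if comp2 != "HAL.IPv4ACL.Error" or abs(ts2 - ts) > window:
                continue
            if "updated policy has not taken effect" in msg2:
                finding["not_applied"] = True  # the edited rules are NOT enforced
            im = INCOMPAT.search(msg2)
            if im:  # names the rule that did not fit the configured ACL width
                finding["incompatible"] = {"vlan": im.group(1), "port": im.group(2),
                                           "rule": im.group(3), "index": int(im.group(4))}
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in failed_refreshes(SAMPLE_LOG):
        print(f)
```

A finding with `not_applied` set and an `incompatible` rule is the case this article describes; check `show access-list width` on that switch.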

 
