G/C/B-Series f/w 6.61 ACL vs Policy Compatibility Guidelines

  • Updated 5 years ago
Article ID: 14999 

Products
G-Series, firmware 6.61.02.0007 and higher
C5-Series, firmware 6.51.02.0018 and higher
C3-Series, firmware 6.61.02.0007 and higher
B5-Series, firmware 6.51.02.0018 and higher
B3-Series, firmware 6.61.02.0007 and higher 

Symptoms
When attempting to add an access-list (ACL) after Policy has been configured, the CLI editor issues the error:
    policy is already configured on the device, please clear the policy to configure ACL
When attempting to configure Policy after an access-list (ACL) has been configured, the CLI editor issues the error:
    Error, access list is configured.
When attempting to enforce Policy after an access-list (ACL) has been configured, NetSight Policy Manager issues the error:
    Error : SNMP Error: Commit Failed (14).
Cause
With the above-stated products and firmware, IPv6 and MAC-based ACLs are supported, but they use the same hardware resources as Policy.

Release notes state, in the 'What's New' section:
Access Control Lists - Added support for IPv6 and MAC based ACLs. Added
queue assignment action to ACLs. Note: ACLs are not supported
simultaneously with Policy.
The CLI Guide states, in the 'Configuring Access Control Lists' chapter:
IPv6 and MAC ACL Considerations
In order to configure IPv6 or MAC ACLs, the switch must be put into
access list "ipv6mode" with the access-list ipv6mode command. By
default, this mode is disabled and the rule limits for standard and
extended IPv4 ACLs remain unchanged.
When ipv6mode is disabled ["no access-list ipv6mode"], IPv6 and MAC ACLs
cannot be configured, and any existing IPv6 and MAC ACLs are removed
from the configuration. This new mode cannot be enabled if Policy is
configured on the switch, and Policy configurations will not be accepted
when the switch is in ipv6mode.
When ipv6mode is enabled or disabled, a system reset is required to
change the mode. The configuration of ipv6mode is persistent and is
shown in the running configuration.
With these error messages, the system is enforcing an incompatibility between any ACL (IPv4 or IPv6) and Policy: once either feature is configured, the other is rejected.

Solution
Upgrade to firmware 6.61.08.0013 or higher (14480).
After the upgrade, the system enforces only the IPv6-mode ACL vs Policy incompatibility: Policy is rejected only while the switch is in ipv6mode, and IPv4 ACLs can be configured alongside Policy (subject to the shared-resource caveat quoted below).

When attempting to issue the 'access-list ipv6mode' command after Policy has been configured, the CLI editor issues the error:
    policy is already configured on the device, please clear the policy to configure ACL
When attempting to configure Policy after the 'access-list ipv6mode' command has been issued, the CLI editor issues the error:
    Error, access list ipv6mode is enabled.
When attempting to enforce Policy after the 'access-list ipv6mode' command has been issued, NetSight Policy Manager issues the error:
    Error : SNMP Error: Commit Failed (14).
Release notes state, in the 'Changes and Enhancements in 6.61.08.0013' section:
18198  With the introduction of IPv6 ACLs, Policy and ACLs were
prevented from being configured simultaneously. Policy configuration is
now prevented only in "ipv6mode". These features use the same hardware
resources and administrators are not guaranteed to reach published
resource limits.
Release notes state, in the 'Known Issues From Previous Releases' section:
ACLs
Access Control Lists (ACLs) use the same hardware resources as Policy
rules and should not be used simultaneously with Policy.
IPv6
Enabling IPv6 and MAC ACLs with the "access-list ipv6mode" will reduce
the total number of standard ACL rules currently supported. It will also
prevent the use of Policy.
Release notes also state the design limits for ACL Capacities (with and without the use of ipv6mode) and for Policy Capacities.
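The pre- and post-upgrade rules above can be checked against a saved running configuration before a Policy enforcement is attempted, rather than discovering the conflict through "Commit Failed (14)". The following is an added example, not code from the article or from the vendor; it assumes Policy lines in the running config start with "set policy profile" (an assumption, adjust POLICY_MARKER for your platform) and uses constructed configuration fragments.

```python
# Firmware from which only ipv6mode (not every ACL) blocks Policy, per the article.
RELAXED_FROM = (6, 61, 8, 13)  # 6.61.08.0013

# Assumed prefix of a Policy configuration line; not taken from the article.
POLICY_MARKER = "set policy profile"


def parse_fw(version: str) -> tuple:
    """'6.61.08.0013' -> (6, 61, 8, 13) so firmware versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit(firmware: str, running_config: str, policy_marker: str = POLICY_MARKER) -> dict:
    """Predict whether the ACL and Policy settings in running_config will conflict.

    'blocked' means the switch CLI or NetSight will refuse the combination;
    'notes' carries an allowed-but-risky warning about shared hardware resources.
    """
    lines = [ln.strip() for ln in running_config.splitlines()]
    ipv6mode = "access-list ipv6mode" in lines
    # Any ACL rule other than the mode toggle counts as a configured ACL.
    # "no access-list ..." lines remove configuration, so they are ignored.
    acl = any(ln.startswith("access-list") and ln != "access-list ipv6mode"
              for ln in lines)
    policy = any(ln.startswith(policy_marker) for ln in lines)
    relaxed = parse_fw(firmware) >= RELAXED_FROM

    # Before 6.61.08.0013 any ACL blocks Policy; from that release only ipv6mode does.
    blocked = policy and (ipv6mode if relaxed else (ipv6mode or acl))
    notes = []
    if blocked:
        notes.append("ipv6mode is enabled: Policy configuration is rejected"
                     if relaxed else
                     "ACL configured: Policy is rejected before 6.61.08.0013")
    elif policy and acl:
        notes.append("ACLs and Policy share hardware resources; "
                     "published rule limits are not guaranteed")
    return {"ipv6mode": ipv6mode, "acl": acl, "policy": policy,
            "blocked": blocked, "notes": notes}


# Constructed running-config fragments (not captured from a real device).
CFG_IPV4_ACL_AND_POLICY = """\
no access-list ipv6mode
access-list 10 permit host 10.0.0.5
set policy profile 1 name Guest
"""
CFG_IPV6MODE_AND_POLICY = """\
access-list ipv6mode
set policy profile 1 name Guest
"""
```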

FAQ User, Official Rep


Posted 5 years ago
