Why are "Extended, standard, eth and mac type ACLs" not being pushed to local controllers from the master?
This is by design.
Session ACLs are ‘global’ configuration and therefore come from the master. Extended, mac, eth and standard ACLs are local configuration, so they are allowed on the locals and are therefore not synced from the master. The following could be reasons for this design:
- Although some of these locally configured ACLs can be referred to in the global configurations like user-roles, the definitions of these local ACLs may need to be tailor-made for specific locals depending on the deployment. Otherwise it will require defining separate ACLs on the master for each of the locals.
- Extended, standard, eth and mac ACLs can be applied on VLAN and port interfaces, and the requirements for interface-based ACLs could vary between locals. This configuration may require local-admin control, either so that it cannot be overridden by the global configuration or because local admins do not have access to the master.
However, in SC there is now no such separation of global and local configuration, and all types of ACLs can be configured on the master, since we support config hierarchy.