Policy statement contents vanish after reload

  • 1.  Policy statement contents vanish after reload

    MVP EXPERT
    Posted May 23, 2023 06:07 AM

    Hi,
    Got a 2930 switch with the following

    class ipv4 "DNS"
         10 match udp 0.0.0.0 255.255.255.255 192.168.1.152 0.0.0.0 eq 53
         20 match udp 0.0.0.0 255.255.255.255 192.168.2.4 0.0.0.0 eq 53
         30 match udp 0.0.0.0 255.255.255.255 192.168.1.88 0.0.0.0 eq 53
       exit
    class ipv4 "DHCP"
         10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
       exit
    class ipv4 "ICMP"
         10 match icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
       exit
         10 class ipv4 "DNS" action permit
         10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
       exit
    class ipv4 "Permit-All"
         10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.25.255
       exit
    policy user "AllowAll"
         10 class ipv4 "DNS" action permit
         20 class ipv4 "DHCP" action permit
         30 class ipv4 "ICMP" action permit
         40 class ipv4 "Permit-All" action permit
       exit

    and then 

    aaa authorization user-role name "mydevices"
       policy "AllowAll"
       reauth-period 3600
       vlan-name "mydevices"
       exit

    and finally 

    aaa port-access 8 controlled-direction in
    aaa port-access 8 auth-order authenticator mac-based
    aaa port-access 8 auth-priority authenticator mac-based
    aaa port-access 8 critical-auth user-role "mydevices"
    aaa port-access 8 initial-role "mydevices"

    Everything works just fine with the above ..... until I reboot the switch, then the policy user "AllowAll" statement loses all its contents and the switch starts complaining about invalid local user roles.

    This seems to happen on WC.16.10.212 and WC.16.11.11 .... but annoyingly not every time I reboot the switch. Sometimes it works and the policy contents are there after the reboot, and sometimes they aren't.

    Anyone seen this?

    Time for a TAC case, methinks.

    A
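As an added example (my own code, not the poster's or HPE Aruba's), a small Python check that can be run over saved `show running-config` text after a reload to catch exactly this symptom: a `policy user` block that has come back without its class entries, or a user-role that points at a missing or empty policy. The sample config text is constructed to mirror the post; the function and regex names are my own.

```python
import re

# Constructed sample of ArubaOS-Switch running-config text modelled on the post:
# the "AllowAll" policy has come back empty after a reload.
SAMPLE_CONFIG = """\
class ipv4 "DNS"
     10 match udp 0.0.0.0 255.255.255.255 192.168.1.152 0.0.0.0 eq 53
   exit
policy user "AllowAll"
   exit
aaa authorization user-role name "mydevices"
   policy "AllowAll"
   exit
"""

# Lines that open a block we care about; everything up to "exit" belongs to it.
BLOCK_RE = re.compile(r'^(class ipv4|policy user|aaa authorization user-role name) "([^"]+)"$')

def parse_blocks(text):
    """Map (kind, name) -> list of indented entry lines for each block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = BLOCK_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            blocks[current] = []
        elif line == "exit":
            current = None
        elif current is not None and line:
            blocks[current].append(line)
    return blocks

def check_policies(text):
    """Problems: empty policies, undefined classes, roles pointing at bad policies."""
    blocks = parse_blocks(text)
    classes = {n for (k, n) in blocks if k == "class ipv4"}
    policies = {n: e for (k, n), e in blocks.items() if k == "policy user"}
    problems = []
    for name, entries in policies.items():
        if not entries:
            problems.append(f'policy "{name}" has no class entries')
        for e in entries:
            m = re.match(r'\d+ class ipv4 "([^"]+)" action', e)
            if m and m.group(1) not in classes:
                problems.append(f'policy "{name}" references undefined class "{m.group(1)}"')
    for (k, role), entries in blocks.items():
        for e in entries if k == "aaa authorization user-role name" else ():
            m = re.match(r'policy "([^"]+)"', e)
            if m and not policies.get(m.group(1)):  # missing or empty policy
                problems.append(f'user-role "{role}" references missing or empty policy "{m.group(1)}"')
    return problems
```

Feed it the output of `show running-config` captured before and after the reload; an empty result list after the reload means the policy survived.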