Wired Intelligent Edge (Campus Switching and Routing)

Contributor II

AOS-CX 10.03+ VLAN Access-List << "NO" confusion

2 questions located at the end of the post >>>

Original 8320 CLI snippet sample setup:

!
ACCESS-LIST IP MY-VLAN-ACL-100
    10 comment NO test vlan-100
    20 permit any any any count
    exit
!
vlan 100
    name TEST-VLAN-100
    description Why NO pulls VLAN entry
    apply ACCESS-LIST IP MY-VLAN-ACL-100 in
    exit
#

Original 8320 CLI snippet sample setup using the NO parameter within GLOBAL CONFIGURATION CONTEXT:

NO ACCESS-LIST IP MY-VLAN-ACL-100

REMOVES >>> ALL of the ACCESS-LIST IP MY-VLAN-ACL-100 ACL/ACEs.

AND the "apply ACCESS-LIST IP MY-VLAN-ACL-100 in" from VLAN 100:

vlan 100
    name TEST-VLAN-100
    description Why NO pulls VLAN entry
    exit

QUESTIONS:

Is this a feature or a bug?

Is there a work-around so I can recreate the entire ACL-100 without having the VLAN 100 "apply ACCESS-LIST IP MY-VLAN-ACL-100 in" auto-magically DELETED ??

Thanks in advance !!


Re: AOS-CX 10.03+ VLAN Access-List << "NO" confusion

This is not a bug.

When you delete an ACL, the deletion will also remove the ACL from the interface or VLAN it is applied to.

If you need to maintain the ACL on the VLAN, then you can modify the ACL instead of deleting and re-creating the ACL.

Enter the ACL context and remove/insert ACL sequences according to the needed modification.

Contributor II

Re: AOS-CX 10.03+ VLAN Access-List << "NO" confusion

The ACL interface delete was a BIG surprise to me. My experience with HPE Provision caused me to assume the ACL "assignment" would be retained for security purposes. We were vulnerable for several days.

Thanks again for your quick help !!!

Cheers

Re: AOS-CX 10.03+ VLAN Access-List << "NO" confusion

You can run

show access-list commands

or

show access-list

to make sure ACLs are properly in place after modification.

NetEdit brings a lot of value here and helps with change validation to highlight before/after the change and avoid such an unexpected situation.

Thanks.
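The before/after check described in this reply, as an added example that is not part of the original thread: it parses two captures of "show running-config" (constructed samples modelled on the VLAN 100 setup above, not taken from a real switch) and reports any "apply access-list ... in/out" line that a VLAN had before a change but no longer has after it, which is exactly what the ACL delete in the first post silently removes.

```python
import re
from typing import Set, Tuple

# Constructed "show running-config" excerpt from BEFORE the change
# (mirrors the thread's ACL and VLAN 100; not captured from a real switch).
BEFORE = """\
access-list ip MY-VLAN-ACL-100
    10 comment NO test vlan-100
    20 permit any any any count
vlan 100
    name TEST-VLAN-100
    description Why NO pulls VLAN entry
    apply access-list ip MY-VLAN-ACL-100 in
vlan 200
    name OTHER
"""

# Constructed excerpt from AFTER "no access-list ip MY-VLAN-ACL-100" and a
# re-create of the ACL: the apply line under VLAN 100 is gone.
AFTER = """\
access-list ip MY-VLAN-ACL-100
    10 permit any any any count
vlan 100
    name TEST-VLAN-100
    description Why NO pulls VLAN entry
vlan 200
    name OTHER
"""

VLAN_RE = re.compile(r"^vlan (\d+)$")
APPLY_RE = re.compile(r"^\s+apply access-list (ip|ipv6|mac) (\S+) (in|out)$")

Binding = Tuple[str, str, str, str]  # (vlan id, acl type, acl name, direction)

def vlan_acl_bindings(config: str) -> Set[Binding]:
    """Collect every ACL applied inside a top-level 'vlan N' context."""
    bindings: Set[Binding] = set()
    vlan = None
    for line in config.splitlines():
        if not line.startswith(" "):          # unindented line = new context
            m = VLAN_RE.match(line)
            vlan = m.group(1) if m else None  # only track 'vlan N' contexts
            continue
        m = APPLY_RE.match(line)
        if vlan is not None and m:
            bindings.add((vlan, m.group(1), m.group(2), m.group(3)))
    return bindings

def lost_bindings(before: str, after: str) -> Set[Binding]:
    """ACL applications present before the change but missing after it."""
    return vlan_acl_bindings(before) - vlan_acl_bindings(after)

if __name__ == "__main__":
    for vlan, acl_type, name, direction in sorted(lost_bindings(BEFORE, AFTER)):
        print(f"VLAN {vlan} lost 'apply access-list {acl_type} {name} {direction}'")
```

Feed it the real captures taken before and after a maintenance window and an empty result means no VLAN silently lost its ACL.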

MVP Expert

Re: AOS-CX 10.03+ VLAN Access-List << "NO" confusion

An enhancement would be for it to say: it is already in use, I can't remove the ACL :-)

PowerArubaSW: PowerShell module to use the Aruba Switch API for VLAN, VLAN ports, LACP, LLDP...
PowerArubaCP: PowerShell module to use the ClearPass API (create NAD, Guest...)
PowerArubaCX: PowerShell module to use the ArubaCX API (get interface/vlan/ports info)
PowerArubaIAP: PowerShell module to use Aruba Instant AP

ACMP 6.4 / ACMX #107 / ACCP 6.5
MVP Expert

Re: AOS-CX 10.03+ VLAN Access-List << "NO" confusion

Throwing out a specific warning message with a mandatory user confirmation (to proceed or not) would eventually be of help... but, if the warning approach is the desired one (so following the same line of reasoning), the same approach should be applied to any operation where removing an object will automatically remove any reference to it in any part of the running configuration where that object was used/referenced. (Question: what happens if I globally remove a VLAN id for which there are interfaces that are members of it? Will AOS-CX warn me that those interfaces are going to lose that VLAN id, or will AOS-CX simply perform the task silently?)