Wired Intelligent Edge


AOS-CX 10.03+ VLAN Access-List << "NO" confusion

  • 1.  AOS-CX 10.03+ VLAN Access-List << "NO" confusion

    Posted Oct 02, 2019 08:43 AM

    2 Questions located @ End of POST >>>


    Original 8320 CLI snippet sample setup:

    !
    ACCESS-LIST IP MY-VLAN-ACL-100
    10 comment NO test vlan-100
    20 permit any any any count
    exit
    !
    vlan 100
    name TEST-VLAN-100
    description Why NO pulls VLAN entry
    apply ACCESS-LIST IP MY-VLAN-ACL-100 in
    exit

    Original 8320 CLI snippet sample setup using the NO parameter within GLOBAL CONFIGURATION CONTEXT:

    NO ACCESS-LIST IP MY-VLAN-ACL-100

    REMOVES >>> ALL of the ACCESS-LIST IP MY-VLAN-ACL-100 ACL/ACEs.

    AND the "apply ACCESS-LIST IP MY-VLAN-ACL-100 in" from VLAN 100.

    vlan 100
    name TEST-VLAN-100
    description Why NO pulls VLAN entry
    exit

     

    QUESTIONS:

    Is this a feature or a bug?


    Is there a work-around so I can recreate the entire ACL-100 without having the VLAN 100 "apply ACCESS-LIST IP MY-VLAN-ACL-100 in" auto-magically DELETED ??


    Thanks in advance !!



  • 2.  RE: AOS-CX 10.03+ VLAN Access-List << "NO" confusion
    Best Answer

    EMPLOYEE
    Posted Oct 02, 2019 08:53 AM

    This is not a bug.

    When you delete an ACL, the deletion will also remove the ACL from the interface or VLAN it is applied to.

    If you need to keep the ACL on the VLAN, then you can modify the ACL instead of deleting and re-creating it.

    Enter the ACL context and remove/insert ACL sequences according to the needed modification.



  • 3.  RE: AOS-CX 10.03+ VLAN Access-List << "NO" confusion

    Posted Oct 02, 2019 09:14 AM

    The ACL interface delete was a BIG surprise to me.  My experience with HPE Provision caused me to assume the ACL "assignment" would be retained for security or purposes.  We were vulnerable for several days.


    Thanks again for your quick help !!!


    Cheers



  • 4.  RE: AOS-CX 10.03+ VLAN Access-List << "NO" confusion
    Best Answer

    EMPLOYEE
    Posted Oct 02, 2019 09:19 AM

    You can run "show access-list commands" or "show access-list" to make sure ACLs are properly in place after modification.

    NetEdit brings a lot of value here, helping with change validation by highlighting the before/after of the change and avoiding such an unexpected situation.

    Thanks.
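    An added example, not from this thread or from HPE Aruba Networking: a small Python check that parses the ACL and VLAN sections of two constructed AOS-CX style running-config excerpts (the "before" and "after" of the "no access-list" change described above) and reports any VLAN that lost its applied ACL, or any apply that now names an ACL that no longer exists. The config text is constructed for illustration; the only line formats it assumes are the "access-list ip NAME", "vlan N" and "apply access-list ip NAME in" lines shown in the original post.

```python
import re

# Constructed AOS-CX style running-config excerpts (not captured from a real switch).
BEFORE = """\
access-list ip MY-VLAN-ACL-100
    10 comment NO test vlan-100
    20 permit any any any count
vlan 100
    name TEST-VLAN-100
    apply access-list ip MY-VLAN-ACL-100 in
"""
# After 'no access-list ip MY-VLAN-ACL-100' and re-creating the ACL: the ACL is
# back, but the 'apply' line under vlan 100 has silently disappeared.
AFTER = """\
access-list ip MY-VLAN-ACL-100
    10 comment NO test vlan-100
    20 permit any any any count
vlan 100
    name TEST-VLAN-100
"""

_CTX = re.compile(r"^(?:access-list\s+\S+\s+(\S+)|vlan\s+(\d+))\s*$", re.I)
_APPLY = re.compile(r"^\s+apply\s+access-list\s+\S+\s+(\S+)\s+(in|out)\s*$", re.I)

def parse_config(text):
    """Return ({acl_name: [ACE lines]}, {(vlan_id, direction): acl_name})."""
    acls, applies, ctx = {}, {}, None
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        m = _CTX.match(line)
        if m:  # top-level ACL or VLAN context line
            ctx = ("acl", m.group(1)) if m.group(1) else ("vlan", m.group(2))
            if ctx[0] == "acl":
                acls[ctx[1]] = []
            continue
        if not line[0].isspace():  # any other top-level command ends the context
            ctx = None
        elif ctx and ctx[0] == "acl":
            acls[ctx[1]].append(line.strip())
        elif ctx and (a := _APPLY.match(line)):
            applies[(ctx[1], a.group(2).lower())] = a.group(1)
    return acls, applies

def audit(before, after):
    """lost: VLAN applies present before but gone after; dangling: applies naming
    an ACL that is no longer defined. Either one flags the 'no access-list' side effect."""
    _, applied_before = parse_config(before)
    acls_after, applied_after = parse_config(after)
    lost = {k: v for k, v in applied_before.items() if k not in applied_after}
    dangling = {k: v for k, v in applied_after.items() if v not in acls_after}
    return lost, dangling
```

    Feed it the output of "show running-config" captured before and after a change: an empty result means every VLAN still carries the ACL it had, while a non-empty "lost" entry is exactly the gap the original poster ran with for several days.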



  • 5.  RE: AOS-CX 10.03+ VLAN Access-List << "NO" confusion

    MVP GURU
    Posted Oct 02, 2019 03:04 PM

    An enhancement would be to say: it is already in use, I can't remove the ACL :-)



  • 6.  RE: AOS-CX 10.03+ VLAN Access-List << "NO" confusion

    MVP GURU
    Posted Oct 02, 2019 03:37 PM
    Throwing out a specific warning message with a mandatory user confirmation (to proceed or not) would eventually be of help... but, if the warning approach is the desired one (so following the same line of reasoning), the same approach should be applied to any operation where removing an object will automatically remove any reference to it in any part of the running configuration where that object was used/referenced (question: what happens if I globally remove a VLAN id of which there are interfaces that are members? Will AOS-CX warn me that those interfaces are going to lose that VLAN id, or will AOS-CX simply perform the task silently?)