Error: Cannot delete/modify ACE While the ACL is bound to an interface

SCOTT No2
Level 1

The tech who implemented our network quit. I'm trying to modify the switch.

We have some Cisco SX550X-12F switches. The tech set up VLANs on the core switch. The core switch is using ACEs and ACLs to allow or prevent VLANs from talking to each other.

I'm trying to get 1 specific computer from VLAN3 to remote desktop into VLAN4. Based on his instructions, I go to "Access Control -> IPv4-based ACE", I choose my ACL Name (click Go), and now I see a list of ACEs.

I click Add, I enter the Source IP address with wildcard mask, then the destination with IP address and wildcard mask. When I click [Apply], I get an error:
"Cannot delete/modify ACE While the ACL is bound to an interface or Class-map."
A quick Google search says to look at Access Control -> ACL Binding (VLAN). They are all saying "Default action" is "Deny any". Is this where I change the binding? Do I select the VLAN name and then delete it or change it to Permit?
I looked at Access Control -> ACL Binding (Port) but I'm not sure if this is the right spot.
Am I going the right way? Or is there somewhere else to look?
Or am I in the wrong spot?

Can someone direct me where to look and maybe something for me to read up on how to resolve this? Thanks.

3 Replies

Hello
As the console message is stating, the ACL is tied into a class-map, which is then probably assigned to a policy; as such it's not allowing any modification.
Can you share the running configuration of the switch and detail what access-list you are trying to change?

Lastly you may find it much easier from the CLI of the switch when modifying access-lists.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

SCOTT No2
Level 1

Hi Paul, thanks for writing back. I'm a little hesitant to post the running configuration since that's the backbone of our system. I did search through the file; here is where the ACL is set up:

---

ip access-list extended VLAN_SIXTY
permit udp any netbios-ns any netbios-ns ace-priority 5
permit tcp any any 172.16.50.37 0.0.0.0 smtp ace-priority 7
permit udp any any 172.16.50.23 0.0.0.0 domain ace-priority 8
permit ip any 172.16.30.0 0.0.0.255 ace-priority 10
exit

---

In this situation, I want to update the 172.16.50.23 IP address since that computer no longer exists.

Further down I have:

!
interface vlan 60
name PRINTER
ip address 172.16.60.1 255.255.255.0
service-acl input VLAN_SIXTY

Is this the interface that is causing this "bound" error? Any suggestions on resolving it?

It does look like this is the interface that is causing the error. If you remove the line "service-acl input VLAN_SIXTY" you should be able to make changes in the access list. After you change the acl then restore that line to the interface. If you try this and still get the error then you should look for something else that references VLAN_SIXTY.

I am not clear what the impact would be on your network when you remove the line from the acl. You might want to make these changes during a maintenance window.

HTH

Rick
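Both replies come down to the same step: find every place the ACL is bound (an interface with `service-acl`, or a class-map with `match access-group`) and release those bindings before editing the ACEs. The helper below is an added example, not code from anyone in this thread; it scans a saved running configuration for those bindings so none are missed. The sample config is constructed from the fragments quoted above, and the class-map lines in it are assumed syntax for illustration.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the fragments posted in the thread.
# The class-map block is assumed syntax, added to show the second kind of binding.
SAMPLE_CONFIG = """\
ip access-list extended VLAN_SIXTY
permit udp any netbios-ns any netbios-ns ace-priority 5
permit udp any any 172.16.50.23 0.0.0.0 domain ace-priority 8
exit
!
class-map PRINTER_CLASS
match access-group VLAN_SIXTY
exit
!
interface vlan 60
name PRINTER
ip address 172.16.60.1 255.255.255.0
service-acl input VLAN_SIXTY
exit
!
interface vlan 30
ip address 172.16.30.1 255.255.255.0
service-acl input VLAN_THIRTY
exit
"""

def find_acl_bindings(config: str, acl_name: str) -> Dict[str, List[str]]:
    """Return every binding of acl_name: interfaces carrying 'service-acl'
    and class-maps carrying 'match access-group'. Each one must be removed
    before the switch will accept changes to the ACL's ACEs."""
    bindings: Dict[str, List[str]] = {"interfaces": [], "class_maps": []}
    context = None  # the 'interface ...' or 'class-map ...' block we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface ") or line.startswith("class-map "):
            context = line
            continue
        if line == "exit":
            context = None
            continue
        m = re.match(r"service-acl\s+(input|output)\s+(\S+)$", line)
        if m and m.group(2) == acl_name and context and context.startswith("interface"):
            bindings["interfaces"].append(f"{context} ({m.group(1)})")
        m = re.match(r"match\s+access-group\s+(\S+)$", line)
        if m and m.group(1) == acl_name and context and context.startswith("class-map"):
            bindings["class_maps"].append(context)
    return bindings

if __name__ == "__main__":
    print(find_acl_bindings(SAMPLE_CONFIG, "VLAN_SIXTY"))
```

Run it against a `show running-config` capture saved to a file, and an empty result for the ACL name means there is nothing left holding it, so the ACE edit should be accepted.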