Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
550
Views
0
Helpful
1
Replies

%ACL_ERRMSG-3-ERROR while using ipv6 traffic-filter with common ACL on WS-C3850-24XS

luizdeluca
Level 1
Level 1

‎08-14-2019 11:39 AM

Hello,

 

I'm facing an interesting bug with IPv6 common ACL with WS-C3850-24XS at least from IOS 16.06.x through 16.12.x. With this simple ACLs:

 

 

ipv6 access-list allow-icmp
 sequence 10 permit icmp any any
 sequence 20 permit ipv6 any any

ipv6 access-list deny-icmp
 sequence 10 deny icmp any any echo-request
 sequence 20 deny icmp any any echo-reply
 sequence 30 permit ipv6 any any

 

The first time I assign them to a VLAN interface, it works as expected:

 

 

interface Vlan200
   ipv6 traffic-filter common allow-icmp deny-icmp in

 

 

But the second time I do it I get no feedback in terminal it did not work but I get log messages like these:

 

Aug 14 14:58:52: %ACL_ERRMSG-3-ERROR: Switch 2 R0/0: fed: Input IPv6 L3 ACL deny-icmp configuration could not be applied on Vlan200.
Aug 14 14:58:59: %ACL_ERRMSG-3-ERROR: Switch 2 R0/0: fed: Input IPv6 L3 ACL allow-icmp configuration could not be applied on Vlan200.

And it is not applied. The result is that the switch keeps using the last applied ACL although it tells me that it is using the failed one:

 

 

# show ipv6 interface vlan 200 | grep In
 Inbound common access list allow-icmp
 Inbound access list deny-icmp

 

The interesting part is that it simply works the first time I do it, coming from startup config or manually configured in terminal. It only fails the second time that config is changed. "ipv6 traffic-filter common COMMON_ACL" without the specific ACL or the specific ACL alone "ipv6 traffic-filter SPECIFIC_ACL" both work. IPv4 also works as expected with out without common. The issue is only with IPv6 with common and specific ACL together. I can only reapply it after a reload.

 

It does not seems to be low resource problem:

 

 

#show platform hardware fed switch 1 fwd-asic resource tcam utilization 0 | grep Sec | grep Acc
Security Access Control Entries 3072 146

I even opened an support case and the answer was something like "This is not a bug, it is not supported by your device, don't use it"., It is a documented feature, it completes with "?", it works the first time, but support tells me it was not "supposed to be used" even with no docs telling me it does not work.

 

 

If this feature should not exist, it should be hidden, it should not work the first time and it should give a specific error telling me it is not supported (as reflexive ACL does).

Labels:
0 Helpful
1 Reply 1

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎08-19-2019 12:52 AM

Hello Luiz,

you are right if the feature is not supported on your platform the CLi parser should not allow you to configure it.

 

This can be considered a lack of customization of the CLI parser for your platform.

 

Hope to help

Giuseppe

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card