%ACL_ERRMSG-3-ERROR while using ipv6 traffic-filter with common ACL on WS-C3850-24XS
I'm facing an interesting bug with IPv6 common ACLs on the WS-C3850-24XS, at least from IOS 16.06.x through 16.12.x. With these simple ACLs:
ipv6 access-list allow-icmp
sequence 10 permit icmp any any
sequence 20 permit ipv6 any any
ipv6 access-list deny-icmp
sequence 10 deny icmp any any echo-request
sequence 20 deny icmp any any echo-reply
sequence 30 permit ipv6 any any
The first time I assign them to a VLAN interface, it works as expected:
ipv6 traffic-filter common allow-icmp deny-icmp in
But the second time I do it, I get no feedback in the terminal that it did not work, but I get log messages like these:
Aug 14 14:58:52: %ACL_ERRMSG-3-ERROR: Switch 2 R0/0: fed: Input IPv6 L3 ACL deny-icmp configuration could not be applied on Vlan200.
Aug 14 14:58:59: %ACL_ERRMSG-3-ERROR: Switch 2 R0/0: fed: Input IPv6 L3 ACL allow-icmp configuration could not be applied on Vlan200.
And it is not applied. The result is that the switch keeps using the last applied ACL, although it tells me that it is using the failed one:
# show ipv6 interface vlan 200 | grep In
Inbound common access list allow-icmp
Inbound access list deny-icmp
The interesting part is that it simply works the first time I do it, whether coming from the startup config or configured manually in the terminal. It only fails the second time that config is changed. "ipv6 traffic-filter common COMMON_ACL" without the specific ACL, or the specific ACL alone with "ipv6 traffic-filter SPECIFIC_ACL", both work. IPv4 also works as expected, with or without common. The issue is only with IPv6 with the common and specific ACL together. I can only reapply it after a reload.
I even opened a support case, and the answer was something like "This is not a bug, it is not supported by your device, don't use it." It is a documented feature, it completes with "?", it works the first time, but support tells me it was not "supposed to be used", even with no docs telling me it does not work.
If this feature should not exist, it should be hidden, it should not work the first time, and it should give a specific error telling me it is not supported (as reflexive ACLs do).
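The operationally dangerous part of the behaviour described above is that the running config and "show ipv6 interface" claim one ACL while the forwarding engine keeps enforcing a different one. The following is an added example (not code from the original post or from Cisco) of a check a practitioner could run from a monitoring job: it parses %ACL_ERRMSG-3-ERROR syslog lines in the format quoted above, parses the "Inbound ... access list" lines of "show ipv6 interface", and reports ACLs that the switch displays as applied but that the FED reported it could not program. The sample syslog and show output are constructed here from the messages in the post; the function names are this example's own.

```python
import re

# Matches the FED error message format quoted in the post. The interface token
# stops at the trailing period so "Vlan200." yields "Vlan200".
ACL_ERR_RE = re.compile(
    r"%ACL_ERRMSG-3-ERROR: .*?fed: (?P<dir>Input|Output) IPv6 L3 ACL (?P<acl>\S+) "
    r"configuration could not be applied on (?P<intf>[\w/.-]+?)\.(?:\s|$)"
)

# Matches the two lines 'show ipv6 interface <x> | include In' returns in the post.
SHOW_ACL_RE = re.compile(r"^(?P<dir>Inbound|Outbound) (?P<common>common )?access list (?P<acl>\S+)$")


def _norm_intf(name):
    """Normalise 'vlan 200', 'Vlan200' and 'VLAN200' to one key ('vlan200')."""
    return "".join(name.split()).lower()


def parse_acl_errors(syslog_text):
    """Return (direction, acl, interface) for every failed ACL programming message."""
    return [(m.group("dir"), m.group("acl"), m.group("intf")) for m in ACL_ERR_RE.finditer(syslog_text)]


def parse_show_ipv6_interface(show_text):
    """Map (direction, 'common'|'specific') -> ACL name from 'show ipv6 interface' output."""
    applied = {}
    for line in show_text.splitlines():
        m = SHOW_ACL_RE.match(line.strip())
        if not m:
            continue
        direction = "Input" if m.group("dir") == "Inbound" else "Output"
        kind = "common" if m.group("common") else "specific"
        applied[(direction, kind)] = m.group("acl")
    return applied


def unapplied_acls(interface, syslog_text, show_text):
    """ACL names the switch displays as active on `interface` but which the FED rejected.

    An empty list means every displayed ACL was also programmed successfully, as far as
    the syslog shows; a non-empty list means the displayed policy is not the enforced one.
    """
    wanted = _norm_intf(interface)
    failed = {(d, a) for d, a, i in parse_acl_errors(syslog_text) if _norm_intf(i) == wanted}
    claimed = parse_show_ipv6_interface(show_text)
    return sorted(acl for (d, _kind), acl in claimed.items() if (d, acl) in failed)


# Constructed sample input, built from the messages quoted in the post.
SAMPLE_SYSLOG = """\
Aug 14 14:58:52: %ACL_ERRMSG-3-ERROR: Switch 2 R0/0: fed: Input IPv6 L3 ACL deny-icmp configuration could not be applied on Vlan200.
Aug 14 14:58:59: %ACL_ERRMSG-3-ERROR: Switch 2 R0/0: fed: Input IPv6 L3 ACL allow-icmp configuration could not be applied on Vlan200.
"""

SAMPLE_SHOW = """\
Inbound common access list allow-icmp
Inbound access list deny-icmp
"""

if __name__ == "__main__":
    bad = unapplied_acls("vlan 200", SAMPLE_SYSLOG, SAMPLE_SHOW)
    if bad:
        print("Vlan200 displays ACLs that the FED did not program:", ", ".join(bad))
    else:
        print("Vlan200: displayed IPv6 ACLs match what was programmed")
```

The check only sees what the syslog contains, so it should run against a collector that keeps the switch's messages for at least as long as the interval between config changes; if the error lines have aged out, an empty result does not prove the policy is enforced.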