
Can't remove ACL from Interface

ethantaylor
Level 1

Good morning. I am going through our switches to clean up old configuration and when I try to remove an ACL from an interface, I keep getting the error "ERROR: Requested acl name in delete do not match the configured value" even though the ACL name matches what is configured. The switch is a Nexus 9504. I usually triple-click on the line I want to remove, type no, then right-click to paste the copied line. Any ideas why this is occurring? Here's the output from sh ru int for the interface that I'm trying to remove it from and the error I'm getting:

interface Ethernet1/20
ip access-group VLAN_10 out

Switch(config-if)# no ip access-group VLAN_10 out
ERROR: Requested acl name in delete do not match the configured value


9 Replies

Try shutting the port down and then deleting it.

MHM

Thank you for your suggestion. I have tried that and the port won't shut down even though I have full control on the switch. My account is set up with role priv-15 and role network-admin.

Switch(config-if)# int e1/20
Switch(config-if)# shutdown
Switch(config-if)# do sh ru int e1/20

!Command: show running-config interface Ethernet1/20
!Running configuration last done at: Tue Aug 5 11:22:33 2025
!Time: Tue Aug 5 11:22:36 2025

version 9.3(13) Bios:version 08.39

interface Ethernet1/20
ip access-group VLAN_10 out

Switch(config-if)# no ip access-group VLAN_10 out
ERROR: Requested acl name in delete do not match the configured value

Switch(config-if)# no ip access-group VLAN_10 out<space>|

If you use select-and-paste,

press Backspace once to remove the space, and check.

Maybe it is an easy key issue.

MHM

You present this as the output of show run:

interface Ethernet1/20
ip access-group VLAN_10 out

I am guessing that there was more content, which you omitted. I am not sure what it might have been, or how significant, but please post the complete output of the show command.

Following up on the suggestion from MHM, perhaps rather than using cut and paste you should just type the entire command you want to enter.

HTH

Rick

Good morning,

I apologize for the delayed response. I manually typed the command and I still received the error. But, I decided to try to add the access-group again and then remove it and it allowed me to do it this time. For some reason, I received an error when adding then removing the access group before, but it allowed me to remove it after trying these troubleshooting steps that you all have suggested. I could have been from shutting down the port. Who knows. I appreciate all of the assistance.

marce1000
Hall of Fame

- @ethantaylor Try: default interface Ethernet1/20

  M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

@ethantaylor 

I think there are hidden characters (like carriage returns, spaces, tabs) that are included when pasting the command, try to manually type the command.
Also you can reapply with a different ACL - then remove.


ip access-list DUMMY_ACL
permit ip any any

Switch(config-if)# ip access-group DUMMY_ACL out
Switch(config-if)# no ip access-group DUMMY_ACL out

Thanks!
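Both MHM's trailing-space theory and the hidden-character theory above come down to the same thing: the bytes the switch receives are not the bytes you think you pasted. The script below is an added example written for this thread (not code from any of the posters or from Cisco) that checks a pasted `no ip access-group` line against the `show running-config interface` output before you send it. It emulates a CLI tokenizer that splits only on plain ASCII spaces (an assumption about how the parser behaves, not documented NX-OS behaviour), so a no-break space, tab, carriage return or zero-width character copied from a browser or document stays glued to the ACL name and is reported as the reason for the mismatch. The running-config lines are the ones quoted in the thread; the pasted command with an NBSP and a trailing CR is a constructed sample.

```python
"""Pre-flight check for a pasted `no ip access-group` line against the running config.

Added example for this thread, not code from the original posts or from Cisco.
It emulates a CLI tokenizer that splits only on ASCII spaces (an assumption about
NX-OS parsing, not documented behaviour) so that any other whitespace copied from
a terminal, web page or document stays glued to the ACL name and fails to match.
"""
import unicodedata

# Constructed sample: the two lines quoted in the thread, plus a pasted removal
# command that (as an assumed failure mode) picked up a no-break space before
# "out" and a trailing space + carriage return from the copy buffer.
SAMPLE_RUNNING_CONFIG = """interface Ethernet1/20
  ip access-group VLAN_10 out
"""
PASTED_COMMAND = "no ip access-group VLAN_10\u00a0out \r"


def parse_access_group(line):
    """Return (acl_name, direction) if the line is a `[no] ip access-group NAME in|out`
    command, tokenized on plain ASCII spaces only; otherwise None."""
    tokens = [t for t in line.split(" ") if t]
    if tokens[:1] == ["no"]:
        tokens = tokens[1:]
    if (len(tokens) == 4 and tokens[0] == "ip" and tokens[1] == "access-group"
            and tokens[3] in ("in", "out")):
        return tokens[2], tokens[3]
    return None


def configured_access_groups(running_config):
    """Set of (acl_name, direction) pairs applied in a `show running-config interface` dump."""
    found = set()
    for line in running_config.splitlines():
        parsed = parse_access_group(line)
        if parsed:
            found.add(parsed)
    return found


def hidden_characters(text):
    """List (index, codepoint, name) for every character that is not printable ASCII
    (plain space excluded), plus a marker for trailing whitespace."""
    findings = []
    for i, ch in enumerate(text):
        if ch != " " and not 0x21 <= ord(ch) <= 0x7E:
            findings.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<control>")))
    stripped = text.rstrip()
    if stripped != text:
        findings.append((len(stripped), "TRAILING", "trailing whitespace"))
    return findings


def normalize_command(text):
    """Turn every space-like, control or format character (NBSP, tab, CR, zero-width
    space, ...) into an ASCII space and collapse runs: what careful retyping produces."""
    cleaned = "".join(" " if unicodedata.category(ch) in ("Zs", "Cc", "Cf") else ch
                      for ch in text)
    return " ".join(cleaned.split())


def check_removal(running_config, pasted):
    """Compare the pasted command with the running config before and after cleanup."""
    configured = configured_access_groups(running_config)
    raw = parse_access_group(pasted)
    cleaned = normalize_command(pasted)
    return {
        "raw_matches": raw in configured,
        "normalized_matches": parse_access_group(cleaned) in configured,
        "normalized_command": cleaned,
        "hidden": hidden_characters(pasted),
    }


if __name__ == "__main__":
    result = check_removal(SAMPLE_RUNNING_CONFIG, PASTED_COMMAND)
    print("pasted line matches running config:", result["raw_matches"])
    for index, codepoint, name in result["hidden"]:
        print(f"  hidden character at offset {index}: {codepoint} {name}")
    print("after normalization:", repr(result["normalized_command"]),
          "matches:", result["normalized_matches"])
```

Run it with the real `show running-config interface` text and the line from your clipboard in place of the two constructed samples. If `raw_matches` is False while `normalized_matches` is True, the clipboard is the problem and the `hidden` list names the offending characters; if both are True and the switch still rejects the command, the paste is clean and the mismatch is on the switch side, which is where Peter's consistency checks below come in.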

Peter Paluch
Cisco Employee

Ethan,

In addition to other friends' suggestions here, I have a few questions / comments.

First, is this port a switchport (access, trunk) or a routed port? On NX-OS platforms, for routed ports, the ip access-list ... syntax is correct (RACLs), but for switchports, the correct syntax would be ip port access-list ... (PACLs). The outputs you have shared are limited so I am unable to tell. I know that the switch would normally not accept a RACL on a switched port but since we are already looking at an abnormal behavior, I would like to be sure that this is not another clue.

Second, can you check in the outputs of the following commands whether the ACL name shows there the same way it shows in the running config?

  • show access-list VLAN_10 summary - the output should mention that the VLAN_10 ACL is configured and active on Ethernet1/20 in egress direction as a Router ACL
  • show ip interface e1/20 - the output should mention the VLAN_10 ACL in the "IP outbound access list" line
  • show system internal access-list interface e1/20 - the output should mention the VLAN_10 ACL as the RACL among egress policies
  • show system internal aclmgr access-lists policies e1/20 - the output should refer to the VLAN_10 ACL in the two policies displayed for the interface (the output is rather cryptic - you need to look carefully)

The purpose of this exercise is to verify that all these outputs consistently associate the VLAN_10 ACL as an egress RACL with the e1/20 interface. Any discrepancy would mean that the configuration and the internal NX-OS state are not consistent with each other which alone would be an incorrect behavior.

Third, when you entered the shutdown command, the port stayed up according to the running-config. If you verified its state using show interface e1/20 status, would it be reported as up/connected even in that output? If so, we are looking at a larger problem with the state of the switch as it appears unable to process entered configuration commands on a port properly.

Best regards,
Peter

julian.bendix
Level 7

Which software version are you running?