Nexus 9K ACL access-group

mtmharison
Level 1

Dear All,

We use N9K switch and we can create ACL but we cannot apply them in an SVI (interface VLAN) anymore.

We can run the command without any error but the configuration is not applied.

Thanks

Regards,

HM

7 Replies

What do you mean by "not applied"? Do you mean the ACL does not work?

When I do

interface vlan XXX

access-group ACL-NAME

The config is not written in the running-config


feature interface-vlan <<- have you enabled interface-vlan globally?

interface-vlan is enabled

I can configure interface vlan but I cannot add access-group inside it

Christopher Hart
Cisco Employee

Hello!

What model of Nexus 9000 switch are you working with in this scenario, and what NX-OS software release is the switch running?

Thank you!

-Christopher

I work with C93180YC-FX and NXOS: version 9.2(2)

Hello!

This behavior is most likely the result of a software defect. If possible, I would highly recommend opening up a Cisco TAC service request so that Cisco TAC can investigate this issue further for you. They will most likely need to gather more details about the full configuration of the device, recent upgrades and upgrade methods (disruptive vs. ISSU, etc.) - a show tech-support details and show tech-support dme gathered from relevant switches encountering this issue will be helpful. A show tech-support details and show tech-support dme from one or two switches that are not experiencing this issue may also be helpful.

To summarize, this is most likely due to a synchronization error between the switch's ASCII running-config (which is the plaintext configuration displayed when you execute the show running-config command) and the switch's underlying DME (Data Management Engine) database. DME is essentially a data structure that represents the configuration and operational status of multiple NX-OS software components for MDP (Model-Driven Programmability) purposes. This data structure can be modified through the CLI when you make configuration changes like normal, or it can be fetched or modified using NX-API, or you can stream the values of specific keys in the data structure through telemetry.

A visual example of how DME “sits” in between each software component’s object store (PSS - Persistent Storage System), the CLI, and other various configuration methods is shown in the excerpt below from Mike Wiebe’s BRKDCN-2025 2020 Cisco Live session.

[Image: excerpt from Mike Wiebe's BRKDCN-2025 session showing DME between each component's PSS object store, the CLI, and the other configuration methods]

On Nexus 9000 series switches, there are a handful of software defects where configuration changes to the switch (such as your scenario, where you're applying an ACL to an interface) are not reflected in the output of show running-config. This can happen when parts of the object model in DME are "missing" when compared to the switch's running configuration (or vice versa). The workaround for the overwhelming majority of these bugs is to reload the switch using the hidden reload ascii command (as opposed to the normal reload command), which rebuilds the DME data structure from scratch using an ASCII version of the switch's startup-config (among a few other things).

Just to reiterate, I highly recommend opening up a service request with Cisco TAC so that Cisco can investigate this issue further and nail down this issue to a specific software defect.

I hope this helps - thank you!

-Christopher
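The symptom in this thread is a silent one: the command is accepted, but the binding never shows up in the running-config. The script below is an added example (not code from the thread, from Cisco, or from the NX-OS software) of a defender's drift check for exactly that failure mode. It parses `show running-config interface` output into per-interface blocks, extracts every `ip access-group <name> in|out` line (the full NX-OS form of the command the original poster abbreviated as `access-group ACL-NAME`), and reports which SVIs are missing the binding you intended to apply. The sample configuration, the interface names and the ACL names are constructed for the example; in practice you would feed it the text captured from the switch and your own intended bindings.

```python
"""Drift check: do the intended SVI ACL bindings appear in an NX-OS running-config?

Added example for this thread; not Cisco or NX-OS code. Interface names, ACL
names and the sample configuration below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of `show running-config interface` output. Vlan10 carries
# its intended binding; Vlan20 silently does not (the symptom in the thread).
SAMPLE_RUNNING_CONFIG = """\
!Command: show running-config interface
version 9.2(2)

interface Vlan10
  no shutdown
  ip address 10.10.10.1/24
  ip access-group ACL-USERS in

interface Vlan20
  no shutdown
  ip address 10.20.20.1/24

interface Ethernet1/1
  switchport
"""

# Intended state (constructed): SVI name -> (ACL name, direction).
EXPECTED_BINDINGS: Dict[str, Tuple[str, str]] = {
    "Vlan10": ("ACL-USERS", "in"),
    "Vlan20": ("ACL-SERVERS", "in"),
}

_IFACE_RE = re.compile(r"^interface (\S+)\s*$")
_ACL_RE = re.compile(r"^\s+ip access-group (\S+) (in|out)\s*$")


def parse_interface_blocks(config_text: str) -> Dict[str, List[str]]:
    """Split running-config text into {interface_name: [indented config lines]}.

    An `interface ...` line opens a block; any non-indented line closes it.
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config_text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.rstrip())
        else:
            current = None  # blank line, comment or global command ends the block
    return blocks


def acl_bindings(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {interface: {direction: acl_name}} for every ip access-group line found."""
    result: Dict[str, Dict[str, str]] = {}
    for iface, lines in parse_interface_blocks(config_text).items():
        for line in lines:
            m = _ACL_RE.match(line)
            if m:
                result.setdefault(iface, {})[m.group(2)] = m.group(1)
    return result


def find_missing_bindings(config_text: str,
                          expected: Dict[str, Tuple[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Return the intended bindings that are absent (or bound to a different ACL)."""
    actual = acl_bindings(config_text)
    missing: Dict[str, Tuple[str, str]] = {}
    for iface, (acl, direction) in expected.items():
        if actual.get(iface, {}).get(direction) != acl:
            missing[iface] = (acl, direction)
    return missing


if __name__ == "__main__":
    for iface, (acl, direction) in find_missing_bindings(
            SAMPLE_RUNNING_CONFIG, EXPECTED_BINDINGS).items():
        print(f"{iface}: expected 'ip access-group {acl} {direction}' not present in running-config")
```

Run it after every ACL change (or from a scheduled job against saved `show running-config interface` captures) so that a binding that was accepted on the CLI but never materialised is caught as drift rather than discovered during an incident. Until the running-config and DME agree again, a missing line here is the cue to open the TAC case described above rather than to keep re-entering the command.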
