Refreshing Policies
When a policy file is changed (for example, by adding or deleting an entry, or by adding, deleting, or modifying a statement), the information in the policy database does not change until the policy is refreshed. The user must refresh the policy so that the latest copy of the policy is used. When the policy is refreshed, the new policy file is read, processed, and stored in the server database. Any clients that use the policy are updated.
To refresh the policy, enter the command:
refresh policy policy_name
For ACL policies only, packets on the interface are blackholed by default while the policy is being refreshed. This protects the switch during the short time that the policy is being applied to the hardware, because an unwanted packet could conceivably be forwarded by the switch while the new ACL is being set up in the hardware. You can disable this behavior.

Note
Performing a refresh on multiple ports requires the original and modified policy to coexist at the same time in the intermittent state. If this is not possible due to slice limitations, the refresh will fail with an "ACL slice full" error.
To control the behavior of the switch during an ACL refresh, enter the commands:
enable access-list refresh blackhole
disable access-list refresh blackhole
In releases prior to ExtremeXOS 11.4, when ACLs were refreshed, all the ACL entries were removed, and new ACL entries were created to implement the newly applied policy.
Beginning in release 11.4, the policy manager uses Smart Refresh to update the ACLs. When a change is detected, only the ACL changes needed to modify the ACLs are sent to the hardware, and the unchanged entries remain. This behavior avoids having to blackhole packets because the ACLs have been momentarily cleared. Smart Refresh works well for up to 200 changes. If the number of changes exceeds 200, you will see this message:
Policy file has more than 200 new rules. Smart refresh can not be carried out.
Following this message, you will see a prompt based on the current blackhole configuration. If blackhole is disabled, you will see the following prompt:
Note, the current setting for Access-list Refresh Blackhole is Disabled. WARNING: If a full refresh is performed, it is possible packets that should be denied may be forwarded through the switch during the time the access list is being installed.
Would you like to perform a full refresh?
If blackhole is enabled, you will see the following prompt:
Note, the current setting for Access-list Refresh Blackhole is Enabled.
Would you like to perform a full refresh?
To take advantage of Smart Refresh, disable access-list refresh blackholing.

Note
Smart Refresh is not performed for a policy if the number of entries in the policy changes during refresh.
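A pre-change check can predict which refresh path a candidate policy file will take before refresh policy is run. The following Python sketch is an added example, not ExtremeXOS code: the entry <name> { if { ... } then { ... } } syntax, the '#' comment marker, the way a "change" is counted, and the sample policies are assumptions made for illustration.

```python
import re

SMART_REFRESH_LIMIT = 200  # threshold quoted in the text above
ENTRY_RE = re.compile(r"\bentry\s+(\S+?)\s*\{")  # assumed syntax: entry <name> { ... }

def parse_entries(text):
    """Map entry name -> whitespace-normalized body of each 'entry' block."""
    text = re.sub(r"#[^\n]*", "", text)  # assumption: '#' starts a comment
    entries = {}
    for m in ENTRY_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:  # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        if depth:
            raise ValueError("unbalanced braces in entry " + m.group(1))
        entries[m.group(1)] = " ".join(text[m.end():i - 1].split())
    return entries

def predict_refresh(old_text, new_text, blackhole_enabled):
    """Predict how a refresh will treat new_text, using the rules described above."""
    old, new = parse_entries(old_text), parse_entries(new_text)
    # Assumption: a "change" is an entry that is new or whose body differs.
    changed = sorted(n for n in new if old.get(n) != new[n])
    if len(old) != len(new):
        eligible, reason = False, "number of entries changed"
    elif len(changed) > SMART_REFRESH_LIMIT:
        eligible, reason = False, "more than 200 changed rules"
    else:
        eligible, reason = True, "%d changed rule(s)" % len(changed)
    if blackhole_enabled:
        impact = "blackholed"  # packets on the interface are dropped during refresh
    elif eligible:
        impact = "none"        # unchanged entries stay in hardware
    else:
        impact = "deny-gap"    # the WARNING case: denied packets may be forwarded
    return {"smart_eligible": eligible, "reason": reason,
            "changed": changed, "impact": impact}

# Constructed sample policies (not taken from the page)
OLD = """
entry deny_telnet { if { protocol tcp; destination-port 23; } then { deny; } }
entry allow_rest  { if { } then { permit; } }
"""
NEW_EDIT = OLD.replace("destination-port 23", "destination-port 22")
NEW_ADD = OLD + "entry deny_tftp { if { protocol udp; destination-port 69; } then { deny; } }\n"

if __name__ == "__main__":
    for label, new in (("edit", NEW_EDIT), ("add", NEW_ADD)):
        print(label, predict_refresh(OLD, new, blackhole_enabled=False))
```

A "deny-gap" result means the change is better split into smaller refreshes or applied with blackholing enabled in a maintenance window.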