In releases prior to ExtremeXOS 11.4, when ACLs were refreshed, all the
ACL entries were removed, and new ACL entries were created to implement
the newly applied policy.

Beginning in release 11.4, the policy manager uses Smart Refresh to
update the ACLs. When a change is detected, only the changes needed to
modify the ACLs are sent to the hardware, and the unchanged entries
remain in place. This behavior avoids having to blackhole packets while
the ACLs are momentarily cleared.

Smart Refresh works well for up to 200 changes. If the number of changes
exceeds 200, you will see this message:
Policy file has more than 200 new rules. Smart refresh can not be carried out.

Following this message, you will see a prompt based on the current
blackhole configuration.

If blackhole is disabled, you will see the following prompt:
Note, the current setting for Access-list Refresh Blackhole is Disabled. WARNING: If a full refresh is performed, it is possible packets that should be denied may be forwarded through the switch during the time the access list is being installed.
Would you like to perform a full refresh?
If blackhole is enabled, you will see the following prompt:
Note, the current setting for Access-list Refresh Blackhole is Enabled.
Would you like to perform a full refresh?
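
The following pre-change check is an added example, not code from ExtremeXOS or its documentation. It compares the running policy file with a candidate and reports whether the edit stays within the 200-change limit described above, and whether a full refresh would run with blackhole disabled. It assumes the usual policy-file layout of "entry NAME { if { ... } then { ... } }" blocks with "#" comments, and counts each added, removed or modified entry as one change, which may differ from how the switch counts. The function names are hypothetical.

```python
import re

SMART_REFRESH_LIMIT = 200  # change threshold stated in the text above
ENTRY_RE = re.compile(r"\bentry\s+([^\s{]+)\s*\{")

def parse_entries(policy_text):
    """Map entry name -> whitespace-normalized body of each 'entry NAME { ... }'."""
    text = re.sub(r"#.*", "", policy_text)  # assumption: '#' starts a comment
    entries, pos = {}, 0
    while (m := ENTRY_RE.search(text, pos)):
        depth, i = 1, m.end()
        while i < len(text) and depth:  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        if depth:
            raise ValueError(f"unbalanced braces in entry {m.group(1)}")
        entries[m.group(1)] = " ".join(text[m.end():i - 1].split())
        pos = i
    return entries

def refresh_plan(old_text, new_text, blackhole_enabled=False):
    """Predict whether a refresh stays within the Smart Refresh limit."""
    old, new = parse_entries(old_text), parse_entries(new_text)
    added = sorted(n for n in new if n not in old)
    removed = sorted(n for n in old if n not in new)
    changed = sorted(n for n in new if n in old and new[n] != old[n])
    # Assumption: every added, removed or modified entry counts as one change.
    # Reordering of otherwise identical entries is not detected here.
    total = len(added) + len(removed) + len(changed)
    smart = total <= SMART_REFRESH_LIMIT
    return {
        "added": added, "removed": removed, "changed": changed,
        "changes": total,
        "smart_refresh": smart,
        # A full refresh with blackhole disabled is the case the WARNING describes.
        "forwarding_gap_risk": not smart and not blackhole_enabled,
    }

def make_policy(n, action="deny"):
    """Constructed sample input: n entries, one host address each."""
    return "\n".join(
        f"entry r{i} {{ if {{ source-address 10.0.{i // 256}.{i % 256}/32; }} "
        f"then {{ {action}; }} }}" for i in range(n))

if __name__ == "__main__":
    running = make_policy(300)
    for label, candidate in (("one edit", running.replace("10.0.0.5/32", "10.9.9.9/32")),
                             ("rewrite", make_policy(300, "permit"))):
        plan = refresh_plan(running, candidate, blackhole_enabled=False)
        print(label, plan["changes"], plan["smart_refresh"], plan["forwarding_gap_risk"])
```

When the check reports more than 200 changes, splitting the edit into smaller batches keeps each refresh within the Smart Refresh limit.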

Note
ACL refresh may take additional time if the ACL is applied on multiple VLANs with
several ACL slices already in the filled state. Additionally, in SummitStack, ACL
refresh happens sequentially: after successful installation on one node, the ACL
is applied to the other nodes one by one, causing a slight delay in the refresh
operation.