When a policy file is changed (for example, by adding or deleting an entry, or by adding, deleting, or modifying a statement), the information in the policy database does not change until the policy is refreshed. Refresh the policy so that the latest copy of the policy file is used. When the policy is refreshed, the new policy file is read, processed, and stored in the server database.
Any clients that use the policy are updated.
To refresh the policy, enter the command:
refresh policy policy_name
For ACL policies only, packets on the interface are blackholed by default during the time that an ACL policy is refreshed. This protects the switch during the short interval in which the policy is being applied to the hardware: without it, a packet that the new policy should deny could be forwarded by the switch while the new ACL is still being set up in the hardware. You can disable this behavior.
Note: Performing a refresh on multiple ports requires the original and the modified policy to coexist in the hardware during the intermediate state. If this is not possible because of slice limitations, the refresh fails with an "ACL slice full" error.
To control the behavior of the switch during an ACL refresh, enter one of the following commands:
enable access-list refresh blackhole
disable access-list refresh blackhole
In releases previous to ExtremeXOS 11.4, when ACLs were refreshed, all the ACL entries were removed, and new ACL entries were created to implement the newly applied policy.
Beginning in release 11.4, the policy manager uses Smart Refresh to update the ACLs. When a change is detected, only the ACL changes needed to modify the ACLs are sent to the hardware, and the unchanged entries remain in place. Because the ACLs are never momentarily cleared, there is no window in which packets would have to be blackholed. Smart Refresh works for up to 200 changes. If the number of changes exceeds 200, you will see this message:
Policy file has more than 200 new rules. Smart refresh can not be carried out.
Following this message, you will see a prompt based on the current blackhole configuration. If blackhole is disabled, you will see the following prompt:
Note, the current setting for Access-list Refresh Blackhole is Disabled. WARNING: If a full refresh is performed, it is possible packets that should be denied may be forwarded through the switch during the time the access list is being installed. Would you like to perform a full refresh?
If blackhole is enabled, you will see the following prompt:
Note, the current setting for Access-list Refresh Blackhole is Enabled. Would you like to perform a full refresh?
ACL refresh may take additional time if the ACL is applied on multiple VLANs and several ACL slices are already full. Additionally, in a SummitStack, ACL refresh happens sequentially: after successful installation on one node, the policy is applied to the other nodes one by one, so the refresh operation takes slightly longer.
To take advantage of Smart Refresh, disable access-list refresh blackholing.
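The following script is an added example, not ExtremeXOS code, that previews a refresh before you type it: it parses two versions of a policy file written in the standard ExtremeXOS entry syntax (entry NAME { if { ... } then { ... } }), computes which entries were added, removed, or modified, applies the 200-new-rule Smart Refresh limit described above, and prints the CLI sequence to use. The sample policies are constructed, the policy name "edge" is hypothetical, and two points are this example's own assumptions rather than documented behaviour: a modified entry is counted as a new rule (it has to be re-installed in hardware), and when a full refresh is unavoidable the script recommends enabling blackholing first rather than answering the warning prompt with blackholing disabled.

```python
"""Preview an ExtremeXOS-style ACL policy refresh (added example, not vendor code)."""
import re
from dataclasses import dataclass

# Threshold quoted in the documentation: more than 200 new rules => no Smart Refresh.
SMART_REFRESH_LIMIT = 200

_ENTRY = re.compile(r"\bentry\s+([A-Za-z0-9_.-]+)\s*\{")


def parse_policy(text: str) -> dict[str, str]:
    """Map entry name -> whitespace-normalised body for each 'entry NAME { ... }'.

    Brace counting captures the nested if { ... } then { ... } blocks whole.
    '#' comments are stripped first. Raises ValueError on unbalanced braces
    or duplicate entry names, both of which would make the diff meaningless.
    """
    text = re.sub(r"#.*", "", text)
    entries: dict[str, str] = {}
    pos = 0
    while (m := _ENTRY.search(text, pos)):
        name = m.group(1)
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        if depth:
            raise ValueError(f"unbalanced braces in entry {name}")
        if name in entries:
            raise ValueError(f"duplicate entry name {name}")
        entries[name] = " ".join(text[m.end():i - 1].split())
        pos = i
    return entries


@dataclass
class RefreshPlan:
    added: list[str]
    removed: list[str]
    modified: list[str]

    @property
    def new_rules(self) -> int:
        # Assumption (not documented): a modified entry is re-installed in
        # hardware, so it counts as a new rule alongside genuinely new entries.
        return len(self.added) + len(self.modified)

    @property
    def smart_refresh_possible(self) -> bool:
        return self.new_rules <= SMART_REFRESH_LIMIT


def plan_refresh(old_text: str, new_text: str) -> RefreshPlan:
    """Diff two policy files by entry name and normalised body."""
    old, new = parse_policy(old_text), parse_policy(new_text)
    return RefreshPlan(
        added=[n for n in new if n not in old],
        removed=[n for n in old if n not in new],
        modified=[n for n in new if n in old and new[n] != old[n]],
    )


def refresh_commands(policy: str, plan: RefreshPlan, blackhole_enabled: bool) -> list[str]:
    """CLI sequence to type. Smart Refresh needs blackholing off; a forced full
    refresh is safest with blackholing on (this example's recommendation)."""
    cmds: list[str] = []
    if plan.smart_refresh_possible and blackhole_enabled:
        cmds.append("disable access-list refresh blackhole")
    elif not plan.smart_refresh_possible and not blackhole_enabled:
        cmds.append("enable access-list refresh blackhole")
    cmds.append(f"refresh policy {policy}")
    return cmds


# Constructed sample policies (not from any real deployment).
OLD_POLICY = """
# edge.pol, version 1
entry deny_telnet { if { protocol tcp; destination-port 23; } then { deny; } }
entry permit_dns { if { protocol udp; destination-port 53; } then { permit; } }
entry permit_icmp { if { protocol icmp; } then { permit; } }
"""

NEW_POLICY = """
# edge.pol, version 2: count telnet drops, drop permit_dns, add a guest-net SSH block
entry deny_telnet { if { protocol tcp; destination-port 23; } then { deny; count telnet_drops; } }
entry deny_ssh_from_guest {
    if { source-address 10.9.0.0/16; protocol tcp; destination-port 22; } then { deny; }
}
entry permit_icmp { if { protocol icmp; } then { permit; } }
"""


def bulk_policy(n: int) -> str:
    """Constructed policy with n distinct deny entries, to exercise the 200 limit."""
    return "".join(
        f"entry block_{i} {{ if {{ source-address 192.0.2.{i % 256}/32; protocol tcp; "
        f"destination-port {1000 + i}; }} then {{ deny; }} }}\n"
        for i in range(n)
    )


if __name__ == "__main__":
    for label, new in (("small change", NEW_POLICY), ("bulk rewrite", bulk_policy(201))):
        plan = plan_refresh(OLD_POLICY, new)
        print(f"{label}: +{len(plan.added)} -{len(plan.removed)} ~{len(plan.modified)} "
              f"new_rules={plan.new_rules} smart={plan.smart_refresh_possible}")
        print("  ", " ; ".join(refresh_commands("edge", plan, blackhole_enabled=True)))
```

Run it against the two policy files you are about to swap; if the plan reports that Smart Refresh is not possible, you know before typing refresh policy that the switch will fall back to a full refresh and that the blackhole setting, not Smart Refresh, is what protects you during installation.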