Symptom
Egress IPv4/IPv6 ACL is not supported on sub-interfaces in 6.3.2.
Conditions
Egress IPv4/IPv6 ACL is not supported on sub-interfaces in releases prior to 6.3.3. Prior to 6.3.3:
- egress IPv4 ACL would be applied to the main interface that contains sub-interfaces, which works.
- egress IPv6 ACL would be applied to the main interface that contains sub-interfaces, which works unless HQoS is enabled. If HQoS is enabled, the egress IPv6 ACL is not applied to the traffic.
To address the issue with egress IPv6 ACL when HQoS is enabled, a change is being introduced to allow the egress (IPv4/IPv6) ACL to be attached to the sub-interface rather than to the main interface.
Workaround
For egress IPv4 ACL in releases prior to 6.3.3, it is acceptable to attach the ACL to the main interface, with or without HQoS enabled.
For egress IPv6 ACL in release 6.3.2 (the first release in which egress IPv6 ACL is supported) without HQoS enabled, it is acceptable to attach the ACL to the main interface. However, if HQoS is enabled, then (in 6.3.2) egress IPv6 ACL does not affect the traffic when the ACL is attached to the main interface. The only workaround is to use ingress IPv6 ACL instead of egress IPv6 ACL (or move to 6.3.3 and attach the egress IPv6 ACL to the sub-interface).
Further Problem Description
To keep IPv4 and IPv6 egress ACL attachment consistent when HQoS is enabled, with this change the attachment point will be the sub-interface for both IPv4 and IPv6.