Cisco Bug: CSCtb65503 - IPv6 ACL: L4 info may be ignored in ACEs in hw match

Last Modified

Jan 17, 2017

Products (11)

  • Cisco Carrier Routing System
  • Cisco CRS-1 Line Card Chassis (Dual)
  • Cisco CRS-1 Line Card Chassis (Multi)
  • Cisco CRS-1 16-Slot Line Card Chassis
  • Cisco CRS-1 4-Slot Single-Shelf System
  • Cisco IOS XR Software
  • Cisco CRS-1 8-Slot Line Card Chassis
  • Cisco CRS-1 Fabric Card Chassis
  • Cisco CRS-1 8-Slot Single-Shelf System
  • Cisco CRS-1 Multishelf System

Known Affected Releases

3.8.1.BASE

Description (partial)

Symptom:

If an IPv6 ACL with ACEs containing L4 operands is configured and applied on an interface, L4 information in the ACL may be ignored, resulting in incorrect operation of the ACL.

Conditions:

If an IPv6 ACL with L4 operands is configured on an interface, traffic passing across the interface which is supposed to be filtered by a corresponding ACE might incorrectly be passed, or traffic intended to pass the ACL might be dropped incorrectly.

Example (1):

The IPv6 ACL contains an L4 ACE that filters TCP source port 21.

90 deny tcp host 2000:1000:50:0:0:0:0:9 eq 21 host 2000:1000:51:0:0:0:0:9

If traffic is sent with source port 110 to the IPv6 src/dst address pair 2000:1000:50:0:0:0:0:9/2000:1000:51:0:0:0:0:9, it MAY be blocked by ACE 90 because the TCP source port is masked out and erroneously ignored.

Example (2):

40 permit icmp host 2000:1000:60:0:0:0:0:6 host 2000:1000:51:0:0:0:0:3

Because the L4 information is ignored, all traffic matching the src/dst address pair will pass this ACL.

The problem can be observed on IPv6 ACLs with ACEs containing L4 keywords such as tcp, udp, icmp, etc.

Examples:
30 deny tcp host 2000:1000:50:0:0:0:0:3 eq 3 host 2000:1000:51:0:0:0:0:3
40 permit icmp host 2000:1000:60:0:0:0:0:6 host 2000:1000:51:0:0:0:0:3
50 permit udp host 2000:1000:50:0:0:0:0:3 eq 43 host 2000:1000:51:0:0:0:0:3

The problem is independent of the number of ACEs because it is caused by the ACL compression algorithm that is applied. If L4 information is configured in the ACE, it MAY get masked during the packet lookup operation as a result of certain bit positions being filled in the source address.
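As an added illustration (not part of the bug report), the following Python model contrasts correct IPv6 ACE matching with the faulty lookup described above, where an ACE's L4 operands are masked out and only the source/destination addresses are compared; it also lists which ACEs of an ACL carry L4 operands and are therefore exposed. The ACEs 40 and 90 are quoted from the examples above; the trailing `permit ipv6 any any` entry, the packets, and the function names are constructed, and the parser handles only host/any addresses with optional `eq` ports.

```python
import ipaddress
import re
from collections import namedtuple

# ACEs quoted from the bug report plus a constructed catch-all (seq 100), so that a
# packet which correctly misses ACE 90 is permitted rather than hitting the implicit deny.
ACL = [
    "40 permit icmp host 2000:1000:60:0:0:0:0:6 host 2000:1000:51:0:0:0:0:3",
    "90 deny tcp host 2000:1000:50:0:0:0:0:9 eq 21 host 2000:1000:51:0:0:0:0:9",
    "100 permit ipv6 any any",
]
L4_PROTOS = {"tcp", "udp", "icmp"}  # L4 keywords the report names as affected
ACE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    r"(?:host\s+(?P<src>\S+)|any)(?:\s+eq\s+(?P<sport>\d+))?\s+"
    r"(?:host\s+(?P<dst>\S+)|any)(?:\s+eq\s+(?P<dport>\d+))?$"
)
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(None, None))

def parse_ace(line):
    """Parse one IOS XR style ACE (host/any addresses, optional 'eq' ports only)."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    d = m.groupdict()
    d["seq"] = int(d["seq"])
    d["sport"], d["dport"] = (int(d[k]) if d[k] else None for k in ("sport", "dport"))
    d["src"], d["dst"] = (ipaddress.IPv6Address(d[k]) if d[k] else None for k in ("src", "dst"))
    return d

def exposed_aces(acl):
    """Sequence numbers of ACEs carrying L4 operands, i.e. those CSCtb65503 can mis-evaluate."""
    return [a["seq"] for a in map(parse_ace, acl) if a["proto"] in L4_PROTOS]

def ace_matches(ace, pkt, l4_masked):
    for side in ("src", "dst"):  # None means 'any'
        if ace[side] is not None and ace[side] != ipaddress.IPv6Address(getattr(pkt, side)):
            return False
    if l4_masked:  # faulty lookup: protocol and ports are masked out and ignored
        return True
    if ace["proto"] != "ipv6" and ace["proto"] != pkt.proto:
        return False
    return all(ace[k] is None or ace[k] == getattr(pkt, k) for k in ("sport", "dport"))

def evaluate(acl, pkt, l4_masked=False):
    """Return (seq, action) of the first matching ACE; an ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl):
        if ace_matches(ace, pkt, l4_masked):
            return ace["seq"], ace["action"]
    return None, "deny"
```

With `l4_masked=True`, a TCP packet from 2000:1000:50::9 with source port 110 hits ACE 90 instead of the catch-all permit, and without the catch-all any non-ICMP packet between the ACE 40 address pair is permitted instead of denied, reproducing both examples from the report.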