Preview Tool

Cisco Bug: CSCtc71597 - Punt v6 packet with l4_hdr_vld=0 packet to software with global ACL

Last Modified

Aug 06, 2018

Products (1)

  • Cisco Catalyst 6000 Series Switches

Known Affected Releases


Description (partial)

Currently in the EARL7 system, for an IPv6 packet the 96 bytes cover DBUS header (22), ethernet header
(14), IPv6 header (40), IPv6 extension headers, and L4 header. That means only 20 bytes (96 -
22 - 14 - 40) are for extension header(s) and L4 header. So even packet with small extension
header(s) can use up to 20 bytes that would cause l4_hdr_vld = 0. When that happens, all L4
features cannot be applied and packet would be hardware forwarded based only on L3 forwarding

Before this bug is fixed, packets with many Extention Headers or long Extension Headers would be only checked against L3 information on the ACL.

After this bug is fixed, these packets will be punted to the control point and be checked against the L4 information as well. 

This issue is present from day one but would only cause a threat when an IPv6 access-list is
configured on any interface and that access-list contains L4 options.

After the bug fix, L4 information can be checked bug configuring the following command:
platform ipv6 acl punt extension-header
This command is not on by default and must be enabled. Without this command enabled, the behaviour is the same as before this bug fix.
Bug details contain sensitive information and therefore require a account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.