Cisco Bug: CSCtc71597 - Punt v6 packet with l4_hdr_vld=0 packet to software with global ACL
Aug 06, 2018
- Cisco Catalyst 6000 Series Switches
Known Affected Releases
Symptom: In the EARL7 system, the 96 bytes of an IPv6 packet available to the hardware lookup cover the DBUS header (22 bytes), the Ethernet header (14), the IPv6 header (40), the IPv6 extension headers, and the L4 header. That leaves only 20 bytes (96 - 22 - 14 - 40) for the extension header(s) and the L4 header, so even a packet with small extension header(s) can use up those 20 bytes, which results in l4_hdr_vld = 0. When that happens, no L4 feature can be applied and the packet is hardware-forwarded based only on the L3 forwarding result. Before this bug is fixed, packets with many Extension Headers or long Extension Headers are checked only against the L3 information in the ACL. After this bug is fixed, these packets are punted to the control point and checked against the L4 information as well.

Conditions: This issue has been present from day one but only poses a threat when an IPv6 access-list is configured on any interface and that access-list contains L4 options. After the bug fix, L4 information can be checked by configuring the following command:

platform ipv6 acl punt extension-header

This command is not on by default and must be enabled. Without this command enabled, the behaviour is the same as before this bug fix.
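The arithmetic above (a 20-byte budget shared by extension headers and the L4 header) is easy to check against real or captured packets. The following Python is an added example, not Cisco's code or tooling: it walks an IPv6 packet's extension-header chain with the RFC 8200 length rule ((hdr_ext_len + 1) * 8 bytes, fixed 8 bytes for the Fragment header), computes how much of the budget is consumed, and reports whether the L4 header would still fall inside the 96-byte window the bug describes. The sample packets are constructed inline; the header sizes assumed for TCP (20) and UDP (8) and the "extension headers plus L4 header must fit in 20 bytes" fit condition are taken from the bug text, and the exact EARL7 boundary may differ from this model.

```python
"""Model the EARL7 96-byte lookup window from CSCtc71597 and report which
IPv6 packets would be classified by hardware on L3 information only.
Added example with constructed packets; not Cisco code."""
import struct

# Byte accounting from the bug text.
LOOKUP_WINDOW = 96
DBUS_HDR = 22
ETH_HDR = 14
IPV6_HDR = 40
EXT_L4_BUDGET = LOOKUP_WINDOW - DBUS_HDR - ETH_HDR - IPV6_HDR  # 20 bytes

# Extension headers whose length is (hdr_ext_len + 1) * 8 (RFC 8200).
EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 60: "Destination Options"}
FRAGMENT = 44  # fixed 8-byte header
# Assumed fixed L4 header sizes used for the fit check.
L4_HEADER_LEN = {6: 20, 17: 8}  # TCP base header, UDP header


def walk_extension_headers(payload, next_header):
    """Return (ext_total_bytes, l4_protocol, chain) for an IPv6 payload."""
    off = 0
    chain = []
    while next_header in EXT_HEADERS or next_header == FRAGMENT:
        if off + 2 > len(payload):  # truncated chain: stop at what we can see
            break
        if next_header == FRAGMENT:
            nh, size = payload[off], 8
        else:
            nh, size = payload[off], (payload[off + 1] + 1) * 8
        chain.append((EXT_HEADERS.get(next_header, "Fragment"), size))
        off += size
        next_header = nh
    return off, next_header, chain


def l4_visible_to_hardware(ipv6_packet):
    """Apply the bug's arithmetic: ext headers + L4 header must fit in 20 bytes."""
    next_header = ipv6_packet[6]  # IPv6 Next Header field
    ext_total, l4_proto, chain = walk_extension_headers(ipv6_packet[IPV6_HDR:], next_header)
    l4_len = L4_HEADER_LEN.get(l4_proto, 0)
    return {
        "ext_bytes": ext_total,
        "l4_proto": l4_proto,
        "chain": chain,
        "l4_hdr_vld": ext_total + l4_len <= EXT_L4_BUDGET,
    }


# --- constructed sample packets (documentation prefix 2001:db8::/32) ---
def build_ipv6(next_header, payload):
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                      bytes.fromhex("20010db8000000000000000000000001"),
                      bytes.fromhex("20010db8000000000000000000000002"))
    return hdr + payload


def ext_header(next_header, hdr_ext_len):
    size = (hdr_ext_len + 1) * 8
    return bytes([next_header, hdr_ext_len]) + bytes(size - 2)  # zero padding


TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, 0x02, 65535, 0, 0)  # SYN to 22
UDP_HDR = struct.pack("!HHHH", 40000, 53, 8, 0)
FRAG_HDR = bytes([17, 0]) + struct.pack("!HI", 0, 0x1234)  # next=UDP, offset 0

SAMPLES = {
    "tcp_plain": build_ipv6(6, TCP_HDR),                                # 0 + 20 = 20
    "hbh_tcp": build_ipv6(0, ext_header(6, 0) + TCP_HDR),              # 8 + 20 = 28
    "dstopt_udp": build_ipv6(60, ext_header(17, 1) + UDP_HDR),         # 16 + 8 = 24
    "frag_udp": build_ipv6(FRAGMENT, FRAG_HDR + UDP_HDR),              # 8 + 8 = 16
}


def audit(samples):
    """Summarise which sample packets the hardware could match on L4 fields."""
    return {name: l4_visible_to_hardware(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, r in audit(SAMPLES).items():
        status = "L4 visible" if r["l4_hdr_vld"] else "L3-only forwarding (l4_hdr_vld=0)"
        print(f"{name:12s} ext={r['ext_bytes']:2d}B proto={r['l4_proto']:3d} {status}")
```

Packets flagged with l4_hdr_vld=0 are the ones an L4 ACL entry on an unfixed release cannot inspect in hardware; with the fix in place and `platform ipv6 acl punt extension-header` enabled they are punted and checked in software instead, which is also why that command's CPU impact should be measured before enabling it on a busy box.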