
Cisco Bug: CSCui96441 - IP source guard not updating PACL entry when new DHCP client connected.

Last Modified

Apr 17, 2019

Products (1)

  • Cisco Catalyst 6000 Series Switches

Known Affected Releases


Description (partial)

When a new DHCP client is connected to an interface after a working client has been removed, the new client obtains an IP address, but IP source guard blocks it because no new PACL entry is created for the new client.

Assume the authentication-success VLAN is 101, the no-response VLAN is 201 and the port access VLAN is 301.
FM receives a notification from dot1x about a VLAN change on the port in two cases:
a) when the VLAN moves to the authentication-success VLAN (i.e. 301 ---> 101)
b) when the VLAN moves to the no-response VLAN (i.e. 301 ---> 201)
No notification is sent for the reverse transition (i.e. 201 ---> 301 or 101 ---> 301), so IPSG does not always have the correct VLAN information.

The issue is seen in two cases (two customers have faced the issue):
1st condition:
DHCP snooping is enabled on only one of the two VLANs, either the authentication-success VLAN 101 or the no-response VLAN 201, rather than on both.

Workaround: enable DHCP snooping on both VLANs (authentication-success and no-response).

2nd condition:
The port access VLAN is the same as either the authentication-success VLAN or the no-response VLAN.

Workaround: all three VLANs (port access VLAN, authentication-success VLAN and no-response VLAN) should be different.
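As an added example (not Cisco's code and not part of the bug page), the following Python audit scans a constructed running-config excerpt for the two conditions above on every port that runs IP source guard. It assumes the RADIUS-assigned authentication-success VLAN is supplied by the operator, since that value does not appear in the running-config.

```python
import re
# Constructed sample running-config (not from the bug page) mirroring the bug's
# scenario: access VLAN 301, no-response VLAN 201, snooping on VLAN 101 only.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 101
!
interface GigabitEthernet1/0/1
 switchport access vlan 301
 authentication event no-response action authorize vlan 201
 ip verify source
!
interface GigabitEthernet1/0/2
 switchport access vlan 201
 authentication event no-response action authorize vlan 201
 ip verify source
"""

def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '101,201,300-302' into a set of ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_ipsg_dot1x(config, auth_success_vlan):
    """Return {port: [findings]} for IP-source-guard ports meeting either
    CSCui96441 condition; auth_success_vlan is the RADIUS-assigned VLAN."""
    snooped = set()
    for m in re.finditer(r"^ip dhcp snooping vlan (\S+)", config, re.M):
        snooped |= parse_vlan_list(m.group(1))
    findings = {}
    for block in re.split(r"^!\s*$", config, flags=re.M):
        name = re.search(r"^interface (\S+)", block, re.M)
        access = re.search(r"^\s*switchport access vlan (\d+)", block, re.M)
        noresp = re.search(r"authorize vlan (\d+)", block)
        if not (name and access and noresp and "ip verify source" in block):
            continue  # only dot1x ports running IP source guard are in scope
        access_vlan, noresp_vlan = int(access.group(1)), int(noresp.group(1))
        hits = []
        # Condition 1: snooping must cover both auth-success and no-response VLANs
        missing = {auth_success_vlan, noresp_vlan} - snooped
        if missing:
            hits.append(f"dhcp-snooping-missing: vlan {sorted(missing)}")
        # Condition 2: the access VLAN must differ from both of those VLANs
        if access_vlan in (auth_success_vlan, noresp_vlan):
            hits.append(f"access-vlan-collision: vlan {access_vlan}")
        if hits:
            findings[name.group(1)] = hits
    return findings
```

Running `audit_ipsg_dot1x(SAMPLE_CONFIG, 101)` flags both ports for the missing snooping on VLAN 201, and the second port additionally for its access VLAN colliding with the no-response VLAN.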
