Cisco Bug: CSCui96441 - IP source guard not updating PACL entry when new DHCP client connected.

Last Modified

Apr 17, 2019

Products (1)

  • Cisco Catalyst 6000 Series Switches

Known Affected Releases

12.2(33)SXJ5.1

Description (partial)

Symptom:
When a new DHCP client is connected to an interface after a working client has been removed, the new client obtains an IP address, but IP source guard blocks it because no new PACL entry is created for the new client.

Conditions:
Assume the auth-success VLAN is 101, the no-response VLAN is 201 and the port access VLAN is 301.
FM receives a notification from dot1x about a VLAN change on the port in two cases:
a) when the VLAN moves to the auth-success VLAN (i.e. 301 ---> 101)
b) when the VLAN moves to the no-response VLAN (i.e. 301 ---> 201)
No notification is sent for the reverse transition (i.e. 201 ---> 301 or 101 ---> 301), so IPSG does not always have the correct VLAN information.

The issue is seen in two cases (two customers have faced it):
1st condition:
----------------
DHCP snooping is enabled on only one of the two VLANs, either the auth-success VLAN 101 or the no-response VLAN 201.

<Workaround>
Apply DHCP snooping on both VLANs (auth-success and no-response).

2nd condition:
---------------------
The port access VLAN is the same as either the auth-success VLAN or the no-response VLAN.

<Workaround>
All three VLANs (port access, auth-success and no-response) must be different.
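The two triggering conditions and their workarounds written out as a Catalyst 6500 IOS configuration fragment. This is an added illustration, not configuration taken from the bug report; the interface name, the RADIUS assignment of VLAN 101 and the exact command set available on 12.2(33)SXJ are assumptions.

```cisco
! Assumed VLAN roles, matching the bug description:
!   101 = auth-success VLAN (assumed to be assigned by RADIUS on 802.1X success)
!   201 = no-response (guest) VLAN
!   301 = port access VLAN (the VLAN the port sits in before authentication)
!
! --- Condition 1 (triggers the bug): DHCP snooping on only one of the two VLANs ---
ip dhcp snooping
ip dhcp snooping vlan 101
!
! --- Workaround 1: snoop both the auth-success and the no-response VLAN ---
ip dhcp snooping
ip dhcp snooping vlan 101
ip dhcp snooping vlan 201
!
! --- Condition 2 (triggers the bug): port access VLAN equal to the no-response VLAN ---
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 201
 authentication port-control auto
 authentication event no-response action authorize vlan 201
 dot1x pae authenticator
 ip verify source vlan dhcp-snooping
!
! --- Workaround 2: keep the access, auth-success and no-response VLANs distinct ---
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 301
 authentication port-control auto
 authentication event no-response action authorize vlan 201
 dot1x pae authenticator
 ip verify source vlan dhcp-snooping
!
! Checks after swapping the DHCP client on the port: the new client's lease must
! appear in the snooping binding table and the IP source guard (PACL) entry must
! follow it, otherwise the symptom described above is present.
! show ip dhcp snooping binding
! show ip verify source interface GigabitEthernet1/1
```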
