Cisco Bug: CSCui96441 - IP source guard not updating PACL entry when new DHCP client connected.
Apr 17, 2019
- Cisco Catalyst 6000 Series Switches
Known Affected Releases
Symptom:
When a new DHCP client is connected to an interface after a working client has been removed, the new client obtains an IP address, but IP Source Guard (IPSG) blocks its traffic because no new PACL entry is created for the new client.

Conditions:
Assume the 802.1X authentication-success VLAN is 101, the no-response (guest) VLAN is 201 and the port access VLAN is 301. The Feature Manager (FM) receives a notification from dot1x about a VLAN change on the port in two cases:
a) when the port VLAN moves to the success VLAN (301 -> 101)
b) when the port VLAN moves to the no-response VLAN (301 -> 201)
There is no notification for the reverse transitions (201 -> 301 or 101 -> 301), so IPSG does not always hold the correct VLAN information for the port.

The issue has been seen in two cases (two customers have reported it):

1st condition: DHCP snooping is enabled on only one of the two VLANs, either the success VLAN 101 or the no-response VLAN 201.
Workaround: enable DHCP snooping on both VLANs (success and no-response).

2nd condition: the port access VLAN is the same as the success VLAN or the no-response VLAN.
Workaround: use three different VLANs for the port access VLAN, the success VLAN and the no-response VLAN.
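As an added illustration (not part of the Cisco bug report), the configuration below puts the weak DHCP snooping setting from the 1st condition next to the corrected one, using the VLAN numbers from the report, and ends with the show commands used to confirm that IPSG picked up the new client's binding. The interface name, RADIUS server address and key are assumptions; the interface-level IPSG command is the Catalyst 6500 form, and the success VLAN 101 is assigned by the RADIUS server (Tunnel-Private-Group-ID) rather than configured on the switch.

```ios
! Common 802.1X / DHCP snooping / IPSG configuration (added example; the
! interface, RADIUS address and key are assumptions). VLAN 101 is returned
! by RADIUS on successful authentication, so it is not in the switch config.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 key EXAMPLEKEY
dot1x system-auth-control
ip dhcp snooping
!
! WEAK (1st condition): snooping only on the success VLAN. After the port
! has moved to the no-response VLAN 201 and back, IPSG can be left without
! a PACL entry for the next client plugged into the port.
ip dhcp snooping vlan 101
!
! CORRECTED (workaround for the 1st condition): snooping on both the
! success VLAN and the no-response VLAN.
ip dhcp snooping vlan 101,201
!
! Access port: access VLAN 301, no-response VLAN 201. Keeping 301, 201 and
! the RADIUS-assigned 101 distinct is the workaround for the 2nd condition
! (an access VLAN of 101 or 201 would trigger it).
interface GigabitEthernet1/1
 switchport
 switchport mode access
 switchport access vlan 301
 authentication port-control auto
 authentication event no-response action authorize vlan 201
 dot1x pae authenticator
 ip verify source vlan dhcp-snooping
!
! Checks after replacing the client on the port. The new client's MAC/IP
! must appear in both the snooping binding table and the IPSG table; a
! binding that is present in the first but missing from the second means
! the PACL was not updated, which is the behaviour this bug describes.
show authentication sessions interface GigabitEthernet1/1
show ip dhcp snooping binding interface GigabitEthernet1/1
show ip verify source interface GigabitEthernet1/1
```

On platforms other than the Catalyst 6500 the interface command is `ip verify source` and older images use `dot1x guest-vlan 201` in place of the `authentication event no-response` form; the two workarounds (snooping on both VLANs, three distinct VLANs) do not change.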