Cisco Bug: CSCuo90184 - NXOS/OTV: ARP ACL Applies to all VLAN without Arp inspection Filter

Last Modified

Nov 27, 2020

Products (7)

  • CiscoPro Workgroup EtherSwitch Software
  • Cisco Nexus 7000 10-Slot Switch
  • Cisco Nexus 7000 4-Slot Switch
  • Cisco Nexus 7700 18-Slot Switch
  • Cisco Nexus 7000 18-Slot Switch
  • Cisco Nexus 7700 10-Slot Switch
  • Cisco Nexus 7000 9-Slot Switch

Known Affected Releases

6.2(2a) 6.2(8)S8 6.2(8)S9

Description (partial)

ARP packets will not be processed, and all ARP packets will be dropped by the block ACL, because of the following ARP access-list:

N7k-TEST(config)# arp access-list OTV-BLOCK-HSRP-ARP
N7k-TEST(config-arp-acl)#   10 deny ip any mac 0000.0c07.ac00 ffff.ffff.ff00 
N7k-TEST(config-arp-acl)#   20 deny ip any mac 0000.0c9f.f000 ffff.ffff.f000 
N7k-TEST(config-arp-acl)#   30 permit ip any mac any

Without the ARP inspection filter being called (ip arp inspection filter OTV-BLOCK-HSRP-ARP vlan), the ARP access-list will be applied to all VLANs and block ARP.

The issue is seen after the ip arp inspection filter command is applied twice on the same VLAN and we then try to remove the config:
ip arp inspection filter OTV-BLOCK-HSRP-ARP vlan 1-10
ip arp inspection filter OTV-BLOCK-HSRP-ARP vlan 1-10
no ip arp inspection filter OTV-BLOCK-HSRP-ARP vlan 1-10
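
A configuration audit for the state described above, added here as an example and not taken from Cisco: it lists ARP access-lists that contain deny entries but have no `ip arp inspection filter` binding left, which is the state in which this bug drops ARP on all VLANs. It assumes the saved configuration text uses the same command syntax shown on this page; the sample configuration and the `LAB-ARP` name are constructed.

```python
import re

# Constructed sample config, using only the command syntax shown on this page.
SAMPLE_CONFIG = """\
arp access-list OTV-BLOCK-HSRP-ARP
  10 deny ip any mac 0000.0c07.ac00 ffff.ffff.ff00
  20 deny ip any mac 0000.0c9f.f000 ffff.ffff.f000
  30 permit ip any mac any
arp access-list LAB-ARP
  10 deny ip any mac 0000.0c07.ac00 ffff.ffff.ff00
  20 permit ip any mac any
ip arp inspection filter LAB-ARP vlan 1-10
"""

ACL_RE = re.compile(r"^arp access-list (\S+)\s*$")
ENTRY_RE = re.compile(r"^\s+\d+\s+(deny|permit)\b")
FILTER_RE = re.compile(r"^ip arp inspection filter (\S+) vlan (\S+)\s*$")

def parse(config):
    """Return ({acl_name: [actions]}, {acl_name: [vlan ranges]})."""
    acls, bindings, current = {}, {}, None
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:                       # start of an ARP ACL block
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current:           # indented, numbered entry inside the block
            acls[current].append(m.group(1))
            continue
        current = None              # any other line ends the ACL block
        m = FILTER_RE.match(line)
        if m:
            bindings.setdefault(m.group(1), []).append(m.group(2))
    return acls, bindings

def unbound_deny_acls(config):
    """ARP ACLs with at least one deny entry and no inspection filter binding."""
    acls, bindings = parse(config)
    return sorted(name for name, actions in acls.items()
                  if "deny" in actions and name not in bindings)

if __name__ == "__main__":
    for name in unbound_deny_acls(SAMPLE_CONFIG):
        print(f"ARP ACL {name} has deny entries and no inspection filter binding")
```

A hit only means the configuration matches the state in the description; whether ARP is actually being dropped still has to be confirmed on the device.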