Cisco Bug: CSCvi09442 - Cat9400 - Incorrect DACL applied to port

Last Modified

Oct 30, 2019

Products (1)

  • Cisco Catalyst 9400 Series Switches

Known Affected Releases

16.6.2 Fuji-16.8.1

Description (partial)

Symptom:
On a Cat9400 using MAB, an incorrect DACL may be applied to some previously authenticated interfaces when another interface authenticates and uses a different DACL. The new DACL will be applied to the interfaces instead.

This can cause unexpected loss of connectivity or allow traffic to pass that should be blocked.

Example:
Interface X: Authenticates on phone profile, uses DACL A
Interface Y: Authenticates on default profile, uses DACL B

Assuming interface X is already up and authenticated, when interface Y comes up and authenticates, both interfaces X and Y will have DACL B applied.

Conditions:
1. "show access-session interface <intf> detail" for the affected endpoint still shows "Auth Success" for MAB and the correct DACL associated with the interface.
2. "show platform software fed active acl iifid <endpoint_iifid>" shows that the affected interface is associated with the correct DACL and Group GCID.