Cisco Bug: CSCvi09442 - Cat9400 - Incorrect DACL applied to port

Last Modified

Oct 30, 2019

Products (1)

Cisco Catalyst 9400 Series Switches

Known Affected Releases

16.6.2 Fuji-16.8.1

Description (partial)

Symptom:
On a Cat9400 using MAB, an incorrect DACL may be applied to some previously authenticated interfaces when another interface authenticates and uses a different DACL. The new DACL will be applied to the interfaces instead.

This can cause unexpected loss of connectivity or allow traffic to pass that shouldn't.

Example:
Interface X: Authenticates on phone profile, uses DACL A
Interface Y: Authenticates on default profile, uses DACL B

Assuming interface X is already up and authenticated, when interface Y comes up and authenticates, both interfaces X and Y will have DACL B applied.

Conditions:
1. "show access-session interface <intf> detail" for affected endpoint will still show as "Auth Success" for MAB and correct DACL associated with interface.
2. "show platform software fed active acl iifid <endpoint_iifid>" will show that affected interface is associated with correct DACL and Group GCID.

View Bug Details in Bug Search Tool Login Required

Why Is Login Required?

Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

Full Description (including symptoms, conditions and workarounds)
Status
Severity
Known Fixed Releases
Related Community Discussions
Number of Related Support Cases

Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.

Learn More About Cisco Service Contracts