
Cisco Bug: CSCvs63040 - DACL sent by the server that is not processed correctly by the switches 4500

Last Modified

Sep 02, 2020

Products (1)

  • Cisco Catalyst 4000 Series Switches

Known Affected Releases

15.2(2.1) 15.2(4.1.1) 3.8(5)

Description (partial)

Symptom:
A dACL sent by the server is not processed correctly by the Catalyst 4500 switches. The dACL contains an ACE to deny 0.0.0.0 0.255.255.255, and the switch interprets this as "any", blocking all traffic.
 
C4500-C3F#show ip access xACSACLx-IP-TEST-5d9b8ec7
Extended IP access list xACSACLx-IP-TEST-5d9b8ec7 (per-user)
    9 deny ip any 0.0.0.0 0.255.255.255 <<<<<<<<<<<<<< The correct ACE is shown here in "show ip access-list"
 
C4500-C3F#show ip access-lists int tenGigabitEthernet 1/2
     deny ip any any <<<<<<<<<<<<<<<<<<<<<- Incorrect ACE being applied on Interface.
 
We are seeing this issue on the latest code, 03.11.00.E.

Conditions:
ISE server pushing a dACL that contains an ACE with a destination address of 0.0.0.0 and a wildcard mask other than 255.255.255.255.
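As an added illustration (not Cisco's code and not part of this bug record), the following Python script parses a per-user dACL in the form shown in the symptom output, evaluates it with correct Cisco wildcard-mask semantics (0 bits must match, 1 bits are don't-care, so `0.0.0.0 0.255.255.255` covers only 0.0.0.0/8), flags every ACE that meets the trigger condition named above, and models the misbehaviour described in the symptom so the effect on a sample flow can be compared. The sample dACL, the addresses and all function names are constructed for this example; the script is intended for auditing dACLs before they are pushed from ISE to an affected release.

```python
"""Audit a Cisco-style dACL for the ACE shape described in CSCvs63040.

Added example, not Cisco's code. Parses simple 'permit|deny ip <src> <dst>'
ACEs (optionally prefixed by a sequence number), evaluates them with correct
wildcard-mask semantics, flags ACEs whose destination is 0.0.0.0 with a
wildcard other than 255.255.255.255, and models the misbehaviour the bug
record describes (such an ACE acting as destination 'any').
"""
import ipaddress
from dataclasses import dataclass

# Endpoint representation: (base address, wildcard mask); 'any' is 0.0.0.0 255.255.255.255.
ANY = (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255"))
ZERO = ipaddress.IPv4Address("0.0.0.0")


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    src: tuple       # (base, wildcard)
    dst: tuple       # (base, wildcard)
    text: str        # original ACE line, kept for reporting


def _parse_endpoint(tokens):
    """Consume one endpoint from the token list: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (ipaddress.IPv4Address(tokens.pop(0)), ZERO)
    return (ipaddress.IPv4Address(tok), ipaddress.IPv4Address(tokens.pop(0)))


def parse_acl(text):
    """Parse 'ip' ACEs; header lines from 'show ip access-list' output are skipped."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("!", "Extended", "ip access-list")):
            continue
        tokens = line.split()
        if tokens[0].isdigit():          # per-user ACLs carry a sequence number
            tokens.pop(0)
        action, proto = tokens.pop(0), tokens.pop(0)
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src = _parse_endpoint(tokens)
        dst = _parse_endpoint(tokens)
        aces.append(Ace(action, src, dst, line))
    return aces


def endpoint_matches(endpoint, addr):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is don't-care."""
    base, wildcard = endpoint
    care = 0xFFFFFFFF ^ int(wildcard)
    return (int(addr) & care) == (int(base) & care)


def evaluate(aces, src, dst):
    """First-match evaluation of a flow, with the implicit deny at the end of every ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if endpoint_matches(ace.src, s) and endpoint_matches(ace.dst, d):
            return ace.action
    return "deny"


def trigger_aces(aces):
    """ACEs matching the bug's condition: destination 0.0.0.0 with a wildcard other than 255.255.255.255."""
    return [a for a in aces if a.dst[0] == ZERO and a.dst[1] != ANY[1]]


def as_installed_on_affected_switch(aces):
    """Model the symptom: a trigger ACE's destination is installed as 'any' on the interface."""
    flagged = trigger_aces(aces)
    return [Ace(a.action, a.src, ANY, a.text) if a in flagged else a for a in aces]


# Constructed sample dACL: block the 0.0.0.0/8 and 10.0.0.0/8 destinations, permit everything else.
SAMPLE_DACL = """\
10 deny ip any 0.0.0.0 0.255.255.255
20 deny ip any 10.0.0.0 0.255.255.255
30 permit ip any any
"""

if __name__ == "__main__":
    aces = parse_acl(SAMPLE_DACL)
    for a in trigger_aces(aces):
        print("would trigger CSCvs63040:", a.text)
    flow = ("192.0.2.10", "198.51.100.7")
    print("intended:", evaluate(aces, *flow))
    print("affected switch:", evaluate(as_installed_on_affected_switch(aces), *flow))
```

Running the script reports sequence 10 as the trigger ACE; the intended evaluation permits the sample flow to 198.51.100.7, while the modelled installed ACL denies it, which is the "blocking all the traffic" behaviour in the symptom. Rewriting such an ACE without a 0.0.0.0 destination base (or confirming the ACE on the interface with `show ip access-lists interface`, as in the symptom output) is the check to run before deploying on the affected releases.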