Cisco Bug: CSCvt42659 - Possible Regression ISR4K Mgmt Port ACL Breakage or simply Day One Implementation As Designed

Last Modified

Sep 11, 2020

Products (1)

  • Cisco IOS

Known Affected Releases

  • 16.9.3
  • 17.1.1
  • 17.2

Description (partial)

Confidential - Access Issue on Mgmt Port

Symptom:
Topology:  ISR4331/K9 [Gig 0 _ Mgmt port] ------------------------------ [service port] Cat 3850
Test images: IOS-XE 16.9.3; 17.1.1
Result:
- Before adding "deny  ip 0.0.0.0 0.255.255.255 any", the ping test and SSH session connected successfully.
- After adding "deny  ip 0.0.0.0 0.255.255.255 any", the ping test and SSH session did NOT complete correctly.
- I tried upgrading the image to the latest 17.1.1, but the same issue occurred again.
- I tried deleting and re-inserting the related ACL and config several times, but was unable to fix the issue.
- ISR4331 config:
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address A.B.C.D 255.255.255.0
ip access-group TEST_ACL in
logging event link-status
negotiation auto
!
ip access-list extended TEST_ACL
deny   ip 0.0.0.0 0.255.255.255 any       <<<<<<<<<<<<<<<<<<<<<<<<
permit ip any any
!

Conditions:
ISR4K platform and Polaris kernel
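
For reference, the first-match wildcard-mask evaluation that TEST_ACL would be expected to follow, as an added example (not part of the bug record and not Cisco code): the deny entry covers only sources 0.0.0.0 through 0.255.255.255, so a management station outside that range should fall through to "permit ip any any". The helper names and the sample addresses are assumptions constructed for illustration; 198.51.100.1 stands in for the masked A.B.C.D.

```python
import ipaddress

# TEST_ACL entries as given in the bug description.
TEST_ACL = """
deny   ip 0.0.0.0 0.255.255.255 any
permit ip any any
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_ace(line):
    """Parse '<action> ip <src> <dst>'; src/dst is 'any', 'host A' or 'A WILDCARD'."""
    action, proto, *rest = line.split()
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    specs = []
    while rest:
        if rest[0] == "any":
            specs.append((0, 0xFFFFFFFF))          # every bit is "don't care"
            rest = rest[1:]
        elif rest[0] == "host":
            specs.append((to_int(rest[1]), 0))     # every bit must match
            rest = rest[2:]
        else:
            specs.append((to_int(rest[0]), to_int(rest[1])))
            rest = rest[2:]
    if len(specs) != 2:
        raise ValueError(f"expected source and destination: {line!r}")
    return action, specs[0], specs[1]

def matches(addr, spec):
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the base."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (to_int(addr) & care) == (base & care)

def evaluate(acl_text, src, dst):
    """Return (action, entry_number) of the first matching entry, top down."""
    entries = [l for l in acl_text.splitlines() if l.strip()]
    for number, line in enumerate(entries, 1):
        action, src_spec, dst_spec = parse_ace(line)
        if matches(src, src_spec) and matches(dst, dst_spec):
            return action, number
    return "deny", None  # implicit deny at the end of every ACL

if __name__ == "__main__":
    # Constructed sample sources, not taken from the bug record.
    for src in ("0.1.2.3", "0.255.255.255", "1.0.0.0", "192.0.2.10"):
        print(src, evaluate(TEST_ACL, src, "198.51.100.1"))
```

If the peer's source address evaluates to ("permit", 2) here while ping and SSH still fail on the device, the ACL logic as written does not account for the drop.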
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
