Cisco Bug: CSCvt65478 - 2960-XR: DACL not getting removed from hardware ACL table

Last Modified

May 19, 2020

Products (1)

  • Cisco Catalyst 2960-XR Series Switches

Known Affected Releases

15.2(7)E

Description (partial)

Symptom:
The DACL is removed from the software port configuration but not from the hardware ACL table, so the port silently blocks or allows traffic that matches the ACEs of the DACL even though the DACL is no longer present on the interface.

### Software only shows a PACL configured on the port, but not the DACL:

Lab-C2960XR# sh ip access-lists int gi2/0/5
Extended IP access list DENY-ALL                <<<<< DACL not present on the port, only a PACL
    10 permit udp any eq bootpc any eq bootps
    20 deny ip any any
### However, hardware table still shows both configured, PACL and DACL:

Lab-C2960XR# remote command 2 sh platform acl int gi2/0/5 portlabels detail
Switch : 2 :
------------
Port based ACL: (asic 1)
----------------------------
  Input Label:  9    Op Select Index: 255
    Interface(s): Gi2/0/5
    Access Group: DENY-ALL, 3 VMRs           <<<<< hardware entry for the PACL
    Mask:
        00008301 00000000 00000000 00000000 00000000 05823AE4
    Value:
        00008201 00000000 00000000 00000000 00000000 00008301               Result: 0x00
    Mask:
        00008300 0000FFFF 00000000 00000000 FFFF0000 00000000
    Value:
        00008100 00000044 00000000 00000000 00430002 00000000               Result: 0x09
    Mask:
        00008000 00000000 00000000 00000000 00000000 00000000
    Value:
        00008000 00000000 00000000 00000000 00000000 00000000               Result: 0x00
    Ip Portal: 0 VMRs
    IP Source Guard: 0 VMRs
    LPIP: 0 VMRs
    AUTH: 39 VMRs                                         <<<<< DACL still configured in hardware, should be 0 VMRs
    Mask:
        00008301 00000000 00000000 00000000 00000000 05823AE4
    Value:
        00008201 00000000 00000000 00000000 00000000 00008301               Result: 0x00
    <snip>

Conditions:
- Issue observed on member switch(es) of the stack
- Full-scale deployments with many auth sessions, especially on the member switch
- The number of ACEs/lines from the DACL pushed by ISE can also play a role
- Issue persists even after bouncing the affected interface
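The two outputs above invite a mechanical comparison: the software view of the port against the hardware port-label view. The script below is an added example, not Cisco tooling or part of the bug record; it parses both outputs and flags a port where the AUTH feature still carries VMRs although the software view lists nothing beyond the PACL access group. The sample texts are constructed from the outputs shown above (annotations removed), the regular expressions are my own, and the rule "any software ACL that is not a hardware Access Group is the DACL" is an assumption made for the check.

```python
import re

# Constructed sample: the "show ip access-lists interface" output from the report above.
SW_OUTPUT = """Lab-C2960XR# sh ip access-lists int gi2/0/5
Extended IP access list DENY-ALL
    10 permit udp any eq bootpc any eq bootps
    20 deny ip any any
"""

# Constructed sample: software view where a DACL is still legitimately applied.
# "DACL-FROM-ISE-EXAMPLE" is a placeholder name, not a real ISE object.
SW_WITH_DACL = SW_OUTPUT + """Extended IP access list DACL-FROM-ISE-EXAMPLE
    10 permit ip any any
"""

# Constructed sample: the "show platform acl ... portlabels detail" output above, trimmed.
HW_OUTPUT = """Switch : 2 :
------------
Port based ACL: (asic 1)
----------------------------
  Input Label:  9    Op Select Index: 255
    Interface(s): Gi2/0/5
    Access Group: DENY-ALL, 3 VMRs
    Mask:
        00008301 00000000 00000000 00000000 00000000 05823AE4
    Value:
        00008201 00000000 00000000 00000000 00000000 00008301               Result: 0x00
    Ip Portal: 0 VMRs
    IP Source Guard: 0 VMRs
    LPIP: 0 VMRs
    AUTH: 39 VMRs
"""

# Constructed sample: the healthy state, where the DACL was also flushed from hardware.
HW_OUTPUT_CLEAN = HW_OUTPUT.replace("AUTH: 39 VMRs", "AUTH: 0 VMRs")

# One named ACL header per ACL the software config applies to the port.
_SW_ACL_RE = re.compile(r"^(?:Extended|Standard) IP access list (\S+)", re.M)
# "Access Group: NAME, N VMRs" lines identify the PACL programmed in hardware.
_HW_GROUP_RE = re.compile(r"Access Group: ([^,\s]+), (\d+) VMRs")
# "FEATURE: N VMRs" lines give per-feature entry counts (Ip Portal, LPIP, AUTH, ...).
_HW_FEATURE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(\d+) VMRs", re.M)


def software_acls(text):
    """Names of the ACLs the software view shows on the interface."""
    return set(_SW_ACL_RE.findall(text))


def hardware_acl_summary(text):
    """Return (set of Access Group names, {feature name: VMR count})."""
    groups = {name for name, _ in _HW_GROUP_RE.findall(text)}
    features = {name.strip(): int(count) for name, count in _HW_FEATURE_RE.findall(text)}
    return groups, features


def stale_dacl_check(sw_text, hw_text):
    """Flag the symptom from the report: AUTH VMRs in hardware with no DACL in software.

    Assumption: every software ACL that is not also a hardware Access Group (the PACL)
    is a DACL. If none remains in software but AUTH still holds VMRs, the DACL was not
    removed from the hardware ACL table.
    """
    sw = software_acls(sw_text)
    groups, features = hardware_acl_summary(hw_text)
    dacl_in_software = sw - groups
    auth_vmrs = features.get("AUTH", 0)
    return {
        "software_acls": sorted(sw),
        "hw_access_groups": sorted(groups),
        "dacl_in_software": sorted(dacl_in_software),
        "auth_vmrs": auth_vmrs,
        "stale_dacl_suspected": auth_vmrs > 0 and not dacl_in_software,
    }


if __name__ == "__main__":
    for label, sw, hw in (("as reported", SW_OUTPUT, HW_OUTPUT),
                          ("clean hardware", SW_OUTPUT, HW_OUTPUT_CLEAN),
                          ("DACL still applied", SW_WITH_DACL, HW_OUTPUT)):
        print(label, stale_dacl_check(sw, hw))
```

The hardware view has to be collected per stack member (the report runs it through `remote command 2`), so in practice the check is run once per member and per interface; a non-zero AUTH count with no DACL in software is the state the report describes, while a non-zero count with a DACL still listed in software is the normal authenticated-session case.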