Cisco Bug: CSCvu53554 - ARP is not generated when object group is on outbound ACL

Last Modified

Jun 23, 2020

Products (1)

  • Cisco Catalyst 4000 Series Switches

Known Affected Releases

15.2(7.1.67)E2

Description (partial)

Symptom:
Unable to ping some IP addresses of end-user devices connected to a Cat4k switch because ARP does not resolve.
This happens when the end device doesn't send a gratuitous ARP or the device has a secondary IP.

Conditions:
This problem occurs when an object-group ACL (OGACL) is applied in the outbound direction on the interface (SVI) where the end device is connected.
This problem is seen starting from 15.2(6)E2 and in later releases.

!
interface Vlan33
 ip address 172.20.33.1 255.255.255.0
 ip access-group TAC out
!
object-group network TAC2
 0.0.0.0 128.0.0.0
 128.0.0.0 128.0.0.0
!
ip access-list extended TAC
 permit ip any object-group TAC2
!
If a permit ip any any is present at the end of the ACL, the issue disappears.
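
To find interfaces that match these conditions in a saved running-config, the following added example (not part of Cisco's bug record) flags each SVI whose outbound ACL references an object group and does not end with permit ip any any. The function names are hypothetical, the sample input is the configuration from the description, and the script assumes standard IOS indentation; it does not check the software release.

```python
import re

# Constructed sample input: the configuration shown in the bug description.
SAMPLE_CONFIG = """\
interface Vlan33
 ip address 172.20.33.1 255.255.255.0
 ip access-group TAC out
!
object-group network TAC2
 0.0.0.0 128.0.0.0
 128.0.0.0 128.0.0.0
!
ip access-list extended TAC
 permit ip any object-group TAC2
!
"""

def parse_sections(config):
    """Map each top-level IOS line to the list of its indented child lines."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and current is not None:
            sections[current].append(line.strip())
        elif not line[0].isspace():
            current = line.strip()
            sections[current] = []
    return sections

def find_exposed_svis(config):
    """Return (SVI, ACL) pairs that match the conditions in the description."""
    sections = parse_sections(config)
    # ACL name -> ACEs, with any leading sequence number removed.
    acls = {h.split()[-1]: [re.sub(r"^\d+\s+", "", a) for a in body]
            for h, body in sections.items()
            if h.startswith("ip access-list extended ")}
    hits = []
    for header, body in sections.items():
        svi = re.fullmatch(r"interface (Vlan\d+)", header)
        for line in body if svi else []:
            out = re.fullmatch(r"ip access-group (\S+) out", line)
            aces = acls.get(out.group(1), []) if out else []
            uses_og = any("object-group" in ace for ace in aces)
            ends_open = bool(aces) and aces[-1] == "permit ip any any"
            if uses_og and not ends_open:
                hits.append((svi.group(1), out.group(1)))
    return hits
```

Calling find_exposed_svis(SAMPLE_CONFIG) returns the Vlan33/TAC pair from the description; an ACL that ends with permit ip any any, or one applied inbound, is not reported.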