New firmware change for DAI and ACL not blocking

Peter __
Level 1

I still can't work out how to report stuff to Cisco so I'm just going to post here.

 

SG350-10 10-Port

 

In 2.5.7.85 ACL is done first, then DAI; in 2.5.8.12 DAI is done first, then ACL.

 

Traffic can now leak under DHCP ports in 2.5.8.12

 

Part of ACL rule:

Priority  Action  Logging   Protocol  Source IP Address  Destination IP Address   Source Port  Destination Port
5353      Permit  Disabled  UDP       Any Any            255.255.255.255 0.0.0.0  68           67
7000      Deny    Disabled  UDP       Any Any            Any Any                  68           67

 

bind to port GE1 Input ACL with DAI

IP Source Guard GE1

DHCP Snooping Trusted Interface GE2

 

In 2.5.7.85, DHCP would be allowed if it's broadcast, and it renews on a broadcast just fine and blocks unicast traffic. With 2.5.8.12, the Priority rule 7000 no longer blocks unicast traffic with DAI on.
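The verdicts the post expects from the two quoted rules (broadcast DHCP permitted by 5353, unicast client-to-server DHCP dropped by 7000) can be written as a small first-match model to compare against what the switch does after a firmware change. This is an added example, not part of the original post and not Cisco code; reading "Any Any" and "255.255.255.255 0.0.0.0" as address/wildcard pairs, lowest-priority-number-first matching, and the sample packet addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")  # wildcard of all ones: every address matches

@dataclass(frozen=True)
class Ace:
    priority: int
    action: str      # "permit" or "deny"
    proto: str
    src: tuple       # (address, wildcard mask)
    dst: tuple
    sport: int
    dport: int

def wildcard_match(addr, rule):
    """Wildcard mask semantics: 1 bits are ignored, 0 bits must match."""
    base, wild = (int(ipaddress.IPv4Address(x)) for x in rule)
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

# The two ACEs quoted in the post. "Any Any" is read as address/wildcard (assumption).
ACL = [
    Ace(5353, "permit", "udp", ANY, ("255.255.255.255", "0.0.0.0"), 68, 67),
    Ace(7000, "deny", "udp", ANY, ANY, 68, 67),
]

def evaluate(acl, pkt):
    """First match in ascending priority wins; None means no quoted rule matched."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if (pkt["proto"] == ace.proto and pkt["sport"] == ace.sport
                and pkt["dport"] == ace.dport
                and wildcard_match(pkt["src"], ace.src)
                and wildcard_match(pkt["dst"], ace.dst)):
            return ace.priority, ace.action
    return None

# Constructed sample packets; the addresses are illustrative, not from the post.
SAMPLES = {
    "discover_broadcast": dict(proto="udp", src="0.0.0.0", dst="255.255.255.255", sport=68, dport=67),
    "renew_broadcast": dict(proto="udp", src="192.0.2.10", dst="255.255.255.255", sport=68, dport=67),
    "renew_unicast": dict(proto="udp", src="192.0.2.10", dst="192.0.2.1", sport=68, dport=67),
    "dns_query": dict(proto="udp", src="192.0.2.10", dst="192.0.2.1", sport=40000, dport=53),
}

def expected_verdicts():
    return {name: evaluate(ACL, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in expected_verdicts().items():
        print(f"{name:20} {verdict}")
```

A packet that the model marks as denied by 7000 but that still appears on the trusted port is the behaviour change described in the post.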

8 Replies

marce1000
VIP

 

                 >...I still can't work out how to report stuff to Cisco so I'm just going to post here.

   - FYI: https://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !


@marce1000 wrote:

 

                 >...I still can't work out how to report stuff to Cisco so I'm just going to post here.

   - FYI: https://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html

 M.


It's grayed out to open a case.

[Attached screenshot: cisco case.png]

 

 - I can't see that on that page; did you log in (too) and/or then try:

                   https://mycase.cloudapps.cisco.com/start?referring_site=smbcontacts

 M.





@marce1000 wrote:

 

 - I can't see that on that page; did you log in (too) and/or then try:

                   https://mycase.cloudapps.cisco.com/start?referring_site=smbcontacts

 M.


Yes, logged in, and that link sends me back to

https://mycase.cloudapps.cisco.com/case 

 

Maybe I need to make a new login?

 

 

   - Not sure, may depend on owning active service contracts.

 M.




Peter __
Level 1

Can someone else make cases for me? The Cisco site will not let me; it's broken.

 

 

One thing I forgot to mention: you may try one of the phone numbers
according to your region. Then mention your problem and/or query your
eligible service status. M.



Peter __
Level 1

It seems that in order to post a case to Cisco you have to be part of a business, which I'm not, so anyone reading my bug finds, by all means open a case for them.

 

The ACL above was put on the IP Source Guard port for Input ACL, but if you put that ACL on the DHCP Snooping port for Output ACL, then it drops Priority rule 7000 unicast traffic.
