09-12-2021 01:17 PM - edited 09-12-2021 03:43 PM
I still can't work out how to report stuff to Cisco so I'm just going to post here.
SG350-10 10-Port
In 2.5.7.85 ACL is done first, then DAI; in 2.5.8.12 DAI is done first, then ACL.
Traffic can now leak under DHCP ports in 2.5.8.12
part of ACL rule
Priority | Action | Logging | Protocol | Source IP Address | Destination IP Address | Source Port | Destination Port
5353 | Permit | Disabled | UDP | Any Any | 255.255.255.255 0.0.0.0 | 68 | 67
7000 | Deny | Disabled | UDP | Any Any | Any Any | 68 | 67
bind to port GE1 Input ACL with DAI
IP Source Guard GE1
DHCP Snooping Trusted Interface GE2
In 2.5.7.85 DHCP would be allowed if it's broadcast, and renews on a broadcast just fine, and blocks unicast traffic; with 2.5.8.12 the Priority rule 7000 no longer blocks unicast traffic with DAI on.
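As an added example (not part of the original post and not Cisco code), a small first-match model of the two quoted ACEs gives the verdicts the post describes for 2.5.7.85, so they can be compared with what a test port actually forwards after a firmware change. The packet addresses, the names and the `leaks` helper are constructed for illustration, and ascending-priority first-match evaluation is an assumption.

```python
import ipaddress

# The two ACEs quoted in the post: (priority, action, proto, src, dst, sport, dport).
# src/dst are (address, wildcard mask) pairs; None means "Any".
ACL = [
    (5353, "permit", "udp", None, ("255.255.255.255", "0.0.0.0"), 68, 67),
    (7000, "deny", "udp", None, None, 68, 67),
]

# Constructed test packets (addresses are documentation-range samples).
PACKETS = {
    "broadcast 68->67": dict(proto="udp", src="0.0.0.0",
                             dst="255.255.255.255", sport=68, dport=67),
    "unicast 68->67": dict(proto="udp", src="192.0.2.10",
                           dst="192.0.2.1", sport=68, dport=67),
}

def ip_match(rule, addr):
    """Wildcard-mask match: bits set to 1 in the mask are ignored."""
    if rule is None:
        return True
    base, wildcard = (int(ipaddress.IPv4Address(x)) for x in rule)
    care = ~wildcard & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == base & care

def evaluate(acl, pkt):
    """Assumed semantics: lowest priority number first, first match wins."""
    for prio, action, proto, src, dst, sport, dport in sorted(acl):
        if (proto == pkt["proto"] and ip_match(src, pkt["src"])
                and ip_match(dst, pkt["dst"])
                and sport == pkt["sport"] and dport == pkt["dport"]):
            return action, prio
    return "no-match", None  # the post shows only part of the ACL

def expected_verdicts():
    return {name: evaluate(ACL, p) for name, p in PACKETS.items()}

def leaks(observed_forwarded):
    """Test packets the ACL should deny but the switch was seen to forward."""
    exp = expected_verdicts()
    return sorted(name for name, forwarded in observed_forwarded.items()
                  if forwarded and exp[name][0] == "deny")

if __name__ == "__main__":
    print(expected_verdicts())
    # Constructed observation matching the behaviour reported for 2.5.8.12.
    print(leaks({"broadcast 68->67": True, "unicast 68->67": True}))
```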
09-12-2021 11:49 PM
>...I still can't work out how to report stuff to Cisco so I'm just going to post here.
- FYI : https://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
M.
09-13-2021 01:44 AM - edited 09-13-2021 01:44 AM
@marce1000 wrote:
>...I still can't work out how to report stuff to Cisco so I'm just going to post here.
- FYI : https://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
M.
It's grayed out to open a case.
09-13-2021 02:40 AM
- I can't see that on that page, did you log in (too) and/or then try:
https://mycase.cloudapps.cisco.com/start?referring_site=smbcontacts
M.
09-13-2021 02:52 AM
@marce1000 wrote:
- I can't see that on that page, did you log in (too) and/or then try:
https://mycase.cloudapps.cisco.com/start?referring_site=smbcontacts
M.
Yes, logged in, and that link sends me back to
https://mycase.cloudapps.cisco.com/case
Maybe I need to make a new login?
09-13-2021 03:24 AM
- Not sure, may depend on owning active service contracts.
M.
09-13-2021 05:42 AM - edited 09-13-2021 05:42 AM
Can someone else make cases for me? The Cisco site will not let me; it's broken.
09-13-2021 05:56 AM
09-18-2021 03:08 PM
It seems in order to post a case to Cisco you have to be part of a business, which I'm not, so anyone reading my bug finds, by all means open a case for them.
The ACL above was put on the IP Source Guard port for Input ACL but if you put that ACL on the DHCP Snooping port for Output ACL then it drops Priority rule 7000 unicast traffic.