04-23-2022 07:23 AM - edited 04-23-2022 07:38 AM
I upgraded a couple of C3560CX's to 15.2(7)E6 recently. It's a routed access switch with three VLANs/SVIs - Data, Voice & Guest. The Guest SVI has an inbound ACL attached that permits DNS, DHCP and a couple of other things to the LAN. There is then a "deny ip any 192.168.0.0 0.0.255.255 log" and then a "permit ip any any". The logic being, if it's not an 802.1x authenticated corporate device it should drop onto the Guest VLAN, which has restricted access to the local LAN but can get out to the Internet.
It no longer works after I installed 15.2(7)E6 - the Guest devices have full access, apart from to the switch itself - i.e. I can't ping any of the interfaces on the switch, however any IP traffic through the switch works. I am fairly sure this didn't work on the last release (15.2(7)E5). However I haven't downgraded to check yet.
This feels like a fairly fundamental bug in this release? It's a common release for C2960X & C1000 series catalysts.
I don't see this behavior on C3560X's running 15.2(4)E10.
Anyone else seen this?
04-23-2022 08:44 AM
"The logic being if its not an 802.1x authenticated corporate device it should drop onto the Guest VLAN that has restricted access to the local LAN, but can get out to the Internet."
Are you sure the guest gets the Guest VLAN and not another VLAN?
04-23-2022 09:41 AM
don't see this behavior on C3560X's running 15.2(4)E10.
If this was working as expected, what was the reason for the upgrade? (The new version may have bugs.) So engage with TAC?
04-23-2022 09:49 AM - edited 04-24-2022 01:16 AM
Different switches. I have some older 3560X & 3750X series running 15.2(4)E10 and it works as expected on these. This 3560CX is newer and runs newer IOS. Just downgraded to 15.2(7)E5 and the behaviour is the same. Not sure how I missed this. These were upgrades from some 3560-8Ps which run 15.0 and these also worked as expected.
The device is definitely getting assigned to the guest vlan.
04-23-2022 10:51 AM
There may be changes from version to version, and sometimes we see recurring bugs. Since this is an upgrade issue, I suggest TAC is the best placed to investigate; it also helps TAC fix the feature that isn't working as expected in a future release.
04-23-2022 10:57 AM
My opinion is that there is something missing or misconfigured in 802.1x, not a bug.
04-23-2022 11:31 AM
If I remove all the dot1x stuff and just put the interface as an access port in the guest vlan the behaviour is the same.
I have done a chunk of troubleshooting prior to asking the question in here....
The issue is the ACL attached to the SVI doesn't work.
04-23-2022 04:04 PM - edited 04-23-2022 04:35 PM
Switch# sh platform acl interface vlanX <-guest VLAN
Input Label: 1
Output Label: 0 (default)
then
Switch# sh platform acl label 1 detail
Can you share the output of the last command?
04-23-2022 03:42 PM
Hello
@andrew.butterworth wrote:
There is then a "deny ip any 192.168.0.0 0.0.255.255 log" and then a "permit ip any any".
The issue is the ACL attached to the SVI doesn't work.
Can you post the config of SVI and ACL please or even the run config of the switch
04-24-2022 12:58 AM - edited 04-24-2022 01:02 AM
cat-3560cx-12-1#sho platform acl interface vlan 310
Input Label: 1
Output Label: 0 (default)
Input IPv6 Label: 0 (default)
Output IPv6 Label: 0 (default)

cat-3560cx-12-1#sho platform acl label 1 detail
IPv4/MAC ACL label
------------------
Allocated L4 Ops: dst range 67 68, src gt 1023, dst range 16384 32767, dst range 10000 20000, src range 8008 8009, src range 32768 61000
Input Op Select Index 0:
Output Op Select Index 255:
Input Features:
Interfaces or VLANs: Vl310
Vlan Map: (none)
Access Group: Guest, 30 VMRs.
Mask: 00008301 00000000 00000000 00000000 00000000 06587D58 Value: 00008201 00000000 00000000 00000000 00000000 00008301 Result: 0x04
Mask: 00008300 00400000 00000000 00000000 00000000 00000000 Value: 00008100 00400000 00000000 00000000 00000002 00000000 Result: 0x09
Mask: 00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000 Value: 00008100 00000000 0A636300 C0A86414 00350002 00000000 Result: 0x09
Mask: 00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000 Value: 00008100 00000000 0A636300 C0A86685 00350002 00000000 Result: 0x09
Mask: 00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000 Value: 00008100 00000000 0A636300 C0A8780E 11940002 00000000 Result: 0x09
Mask: 00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000 Value: 00008100 00000000 0A636300 C0A8780E 01F40002 00000000 Result: 0x09
Mask: 00008300 FE000000 FFFFFF00 FFFFFFFF 00000000 00000000 Value: 00008000 32000000 0A636300 C0A8780E 00000002 00000000 Result: 0x09
Mask: 00008300 00000000 FFFFFF00 00000000 FFFF0000 00000000 Value: 00008100 00000000 0A636300 00000000 007B0002 00000000 Result: 0x09
Mask: 00008300 00010000 FFFFFF00 FFFFFFFF FFFF0000 00000000 Value: 00008200 00010000 0A636300 C0A86423 00500002 00000000 Result: 0x09
Mask: 00008300 00010000 FFFFFF00 FFFFFFFF FFFF0000 00000000 Value: 00008200 00010000 0A636300 C0A86414 01BB0002 00000000 Result: 0x09
Mask: 00008300 00010000 FFFFFF00 FFFFFFFF FFFF0000 00000000 Value: 00008200 00010000 0A636300 C0A86685 01BB0002 00000000 Result: 0x09
Mask: 00008300 00010000 FFFFFF00 FFFFFFFF FFFF0000 00000000 Value: 00008200 00010000 0A636300 C0A86651 01BB0002 00000000 Result: 0x09
Mask: 00008300 00010000 FFFFFF00 FFFFFFFF FFFF0000 00000000 Value: 00008200 00010000 0A636300 C0A86423 01BB0002 00000000 Result: 0x09
Mask: 00008300 00010000 FFFFFF00 FFFFFFFF FFFF0000 00000000 Value: 00008200 00010000 0A636300 C0A8964D 238C0002 00000000 Result: 0x09
Mask: 00008300 00010000 FFFFFF00 FFFFFFFF FFFF0000 00000000 Value: 00008200 00010000 0A636300 C0A8964D 02030002 00000000 Result: 0x09
Mask: 00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000 Value: 00008200 00000000 0A636300 C0A86615 06980002 00000000 Result: 0x09
Mask: 00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000 Value: 00008200 00000000 0A636300 C0A86616 06980002 00000000 Result: 0x09
Mask: 00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000 Value: 00008200 00000000 0A636300 C0A864D2 20FB0002 00000000 Result: 0x09
Mask: 00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000 Value: 00008100 00000000 0A636300 C0A86612 13C40002 00000000 Result: 0x09
Mask: 00008300 00000000 FFFFFF00 FFFFFFFF C0000000 00000000 Value: 00008100 00000000 0A636300 C0A86612 40000002 00000000 Result: 0x09
Mask: 00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000 Value: 00008200 00000000 0A636300 C0A86426 00500002 00000000 Result: 0x09
Mask: 00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000 Value: 00008200 00000000 0A636300 C0A866A2 0C380002 00000000 Result: 0x09
Mask: 00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000 Value: 00008200 00000000 0A636300 C0A866A5 0C380002 00000000 Result: 0x09
Mask: 00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000 Value: 00008200 00000000 0A636300 C0A866A6 0C380002 00000000 Result: 0x09
Mask: 00008300 00100000 FFFFFF00 FFFF0000 00000000 00000000 Value: 00008100 00100000 0A636300 C0A80000 00000002 00000000 Result: 0x09
Mask: 00008300 0000FFFE FFFFFF00 FFFF0000 00000000 00000000 Value: 00008200 00001F48 0A636300 C0A80000 00000002 00000000 Result: 0x09
Mask: 00008300 00200000 FFFFFF00 FFFF0000 00000000 00000000 Value: 00008100 00200000 0A636300 C0A80000 00000002 00000000 Result: 0x09
Mask: 00008044 00000000 FFFFFF00 FFFF0000 00000000 00000000 Value: 00008044 00000000 0A636300 C0A80000 00000000 00000000 Result: 0x05
Mask: 00008044 00000000 FFFFFF00 FFFF0000 00000000 00000000 Value: 00008040 00000000 0A636300 C0A80000 00000000 00000000 Result: 0x07
Mask: 00008000 00000000 00000000 00000000 00000000 00000000 Value: 00008000 00000000 00000000 00000000 00000002 00000000 Result: 0x09
L4Ops: dst range 67 68, src gt 1023, dst range 16384 32767, dst range 10000 20000, src range 8008 8009, src range 32768 61000
Multicast Boundary: (none), 0 VMRs.
uRPF : (none), 0 VMRs.
MDNS : (none) portlabel 0
Output Features:
Interfaces or VLANs:
Bridge Group Member: no
Vlan Map: (none)
Access Group: (none), 0 VMRs.
IPv6 ACL label
--------------
Input Op Select Index 255:
Output Op Select Index 255:
Input Features:
Interfaces or VLANs:
Traffic Filter: (none), 0 VMRs.
uRPF ACL: uRPF ACL : (none), 0 VMRs.
MDNS V6 : (none) portlabel 0
Output Features:
Interfaces or VLANs:
Traffic Filter: (none), 0 VMRs.
cat-3560cx-12-1#

cat-3560cx-12-1#sho run int vl 310
Building configuration...
Current configuration : 289 bytes
!
interface Vlan310
 description Cat-3560cx-12-1-office-Guest
 ip address 10.99.99.78 255.255.255.240
 ip access-group Guest in
 ip helper-address 192.168.100.25
 ip helper-address 192.168.102.25
 no ip redirects
 no ip proxy-arp
 ip verify unicast reverse-path
 ip pim sparse-mode
end

cat-3560cx-12-1#sho access-lists Guest
Extended IP access list Guest
    10 permit ip any 10.99.99.0 0.0.0.255
    20 permit udp any any range bootps bootpc (6 matches)
    30 permit udp 10.99.99.0 0.0.0.255 host 192.168.100.20 eq domain (20 matches)
    40 permit udp 10.99.99.0 0.0.0.255 host 192.168.102.133 eq domain (20 matches)
    50 permit udp 10.99.99.0 0.0.0.255 host 192.168.120.14 eq non500-isakmp
    60 permit udp 10.99.99.0 0.0.0.255 host 192.168.120.14 eq isakmp
    70 permit esp 10.99.99.0 0.0.0.255 host 192.168.120.14
    80 permit ahp 10.99.99.0 0.0.0.255 host 192.168.120.14
    90 permit udp 10.99.99.0 0.0.0.255 any eq ntp
    100 permit tcp 10.99.99.0 0.0.0.255 gt 1023 host 192.168.100.35 eq www
    110 permit tcp 10.99.99.0 0.0.0.255 gt 1023 host 192.168.100.20 eq 443
    120 permit tcp 10.99.99.0 0.0.0.255 gt 1023 host 192.168.102.133 eq 443
    130 permit tcp 10.99.99.0 0.0.0.255 gt 1023 host 192.168.102.81 eq 443
    140 permit tcp 10.99.99.0 0.0.0.255 gt 1023 host 192.168.100.35 eq 443
    150 permit tcp 10.99.99.0 0.0.0.255 gt 1023 host 192.168.150.77 eq 9100
    160 permit tcp 10.99.99.0 0.0.0.255 gt 1023 host 192.168.150.77 eq lpd
    170 permit tcp 10.99.99.0 0.0.0.255 host 192.168.102.21 eq 1688
    180 permit tcp 10.99.99.0 0.0.0.255 host 192.168.102.22 eq 1688
    190 permit tcp 10.99.99.0 0.0.0.255 host 192.168.100.210 eq 8443
    200 permit udp 10.99.99.0 0.0.0.255 host 192.168.102.18 eq 5060
    210 permit udp 10.99.99.0 0.0.0.255 host 192.168.102.18 range 16384 32767
    220 permit tcp 10.99.99.0 0.0.0.255 host 192.168.100.38 eq www
    230 permit tcp 10.99.99.0 0.0.0.255 host 192.168.102.162 eq 3128
    240 permit tcp 10.99.99.0 0.0.0.255 host 192.168.102.165 eq 3128
    250 permit tcp 10.99.99.0 0.0.0.255 host 192.168.102.166 eq 3128
    260 permit udp 10.99.99.0 0.0.0.255 192.168.0.0 0.0.255.255 range 10000 20000
    270 permit tcp 10.99.99.0 0.0.0.255 range 8008 8009 192.168.0.0 0.0.255.255
    280 permit udp 10.99.99.0 0.0.0.255 range 32768 61000 192.168.0.0 0.0.255.255
    290 deny ip 10.99.99.0 0.0.0.255 192.168.0.0 0.0.255.255 log
    300 permit ip any any (115 matches)
cat-3560cx-12-1#
I know the source mask in the ACL doesn't match the subnet of the interface, however it covers it - 10.99.99.0/24 covers 10.99.99.64/28.
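An added example, not from the thread or from Cisco: a small first-match evaluator over a constructed subset of the Guest ACL posted above, so the expected verdict for a given flow can be written down and compared with what the switch actually forwards. It assumes contiguous wildcard masks, IOS first-match semantics with an implicit deny at the end, and ignores the `log` keyword; a guest host reaching a 192.168.x.x address on anything other than the permitted ports should land on line 290, and if the switch forwards that traffic anyway the SVI ACL is being bypassed.

```python
import ipaddress
PORT_NAMES = {"domain": 53, "ntp": 123, "bootps": 67, "bootpc": 68}  # IOS names used below

# Constructed subset of the "Guest" ACL posted above (original sequence numbers kept)
GUEST_ACL = """
10 permit ip any 10.99.99.0 0.0.0.255
20 permit udp any any range bootps bootpc
30 permit udp 10.99.99.0 0.0.0.255 host 192.168.100.20 eq domain
110 permit tcp 10.99.99.0 0.0.0.255 gt 1023 host 192.168.100.20 eq 443
260 permit udp 10.99.99.0 0.0.0.255 192.168.0.0 0.0.255.255 range 10000 20000
290 deny ip 10.99.99.0 0.0.0.255 192.168.0.0 0.0.255.255 log
300 permit ip any any
"""
def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _addr(toks):
    """Consume 'any' | 'host A' | 'A wildcard' (assumes a contiguous wildcard mask)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    plen = 32 - int(ipaddress.ip_address(toks[1])).bit_length()
    return ipaddress.ip_network((toks[0], plen), strict=False), toks[2:]

def _ports(toks):
    """Consume an optional eq/gt/range port operator into a predicate."""
    if toks and toks[0] == "eq":
        p = _port(toks[1]); return (lambda x: x == p), toks[2:]
    if toks and toks[0] == "gt":
        p = _port(toks[1]); return (lambda x: x > p), toks[2:]
    if toks and toks[0] == "range":
        lo, hi = _port(toks[1]), _port(toks[2]); return (lambda x: lo <= x <= hi), toks[3:]
    return (lambda x: True), toks

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        seq, action, proto, *rest = line.split()
        src, rest = _addr(rest); sport, rest = _ports(rest)
        dst, rest = _addr(rest); dport, rest = _ports(rest)  # a trailing "log" is ignored
        rules.append((int(seq), action, proto, src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """First-match lookup; (None, 'deny') models the implicit deny at the end of the ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, p, snet, spred, dnet, dpred in rules:
        if p in ("ip", proto) and s in snet and d in dnet and spred(sport) and dpred(dport):
            return seq, action
    return None, "deny"
```

Feed it the flows you test from a guest host (ping to a corporate server, HTTPS to 192.168.100.20, a random port on 192.168.102.x) and compare each verdict with a `show access-lists Guest` match counter and a packet capture.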
04-24-2022 08:35 AM
Hi, there is a bug with the guest VLAN, but it is not for this IOS version.
But let's try one thing.
I think that you configure the guest VLAN as the aaa authentication failed or critical VLAN. Can you remove this line and test by connecting a client to a VLAN access port?
04-24-2022 02:03 PM
Yes, I did a simple port config with just 'switchport access vlan 310' and the behaviour is the same. It's the ACL on the SVI that isn't working as expected.
I'm fairly sure this is a bug and it's been there a while. The older C3560X switch I have works as expected with the same config (different SVI IPv4 address - 10.99.99.0/27, however the same ingress ACL). The output to the 'show platform acl label x detail' on the C3560X running 15.2(4)E10 looks the same as the C3560CX.
I don't have support on either of these C3560CX's so TAC isn't an option unfortunately.
04-25-2022 01:59 AM
OK. So playing around with this a bit more and it looks like the dot1x configuration is somehow interfering.
I am sure I did this last week and it worked as I described, however that could have been with the 15.2(7)E6 and I've since downgraded this switch to 15.2(7)E5.
If I just put the access port into the Guest VLAN and remove all the dot1x configuration it works as expected and the traffic is denied by the ACL attached to the SVI. If I apply the dot1x config and stop the supplicant on the PC so it fails authentication and gets assigned to the Guest VLAN the traffic bypasses the ACL.
This is an IBNS 1.0 configuration. The interface configuration and the output of some of the dot1x commands are attached below.
interface GigabitEthernet1/0/3
 description docking-station
 switchport access vlan 300
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 305
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security violation restrict
 switchport port-security aging time 3
 switchport port-security aging type inactivity
 switchport port-security
 no logging event link-status
 srr-queue bandwidth share 1 70 25 5
 srr-queue bandwidth shape 3 0 0 0
 priority-queue out
 ipv6 nd raguard attach-policy host-policy
 ipv6 snooping attach-policy policy1
 ipv6 dhcp guard
 authentication event fail retry 1 action authorize vlan 310
 authentication event server dead action authorize vlan 310
 authentication event no-response action authorize vlan 310
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation replace
 mab
 no snmp trap link-status
 dot1x pae authenticator
 spanning-tree portfast edge
 service-policy input IPPHONE+PC-BASIC
 ip verify source smartlog
 ip verify source
 ip dhcp snooping limit rate 100
!

cat-3560cx-12-1#sho authentication sessions interface gigabitEthernet 1/0/3 details
Interface: GigabitEthernet1/0/3
MAC Address: e8d8.d1ee.dd76
IPv6 Address: Unknown
IPv4 Address: 10.99.99.72
User-Name: e8d8d1eedd76
Device-type: Microsoft-Workstation
Status: Authorized
Domain: UNKNOWN
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Session Uptime: 312s
Common Session ID: C0A8FFF80000002008F4AF72
Acct Session ID: 0x00000013
Handle: 0xB400000D
Current Policy: POLICY_Gi1/0/3

Local Policies:
Service Template: GUEST_VLAN_Gi1/0/3 (priority 150)
Vlan Group: Vlan: 310

Method status list:
Method State
dot1x Stopped
mab Stopped

cat-3560cx-12-1#sho service-template GUEST_VLAN_Gi1/0/3
Name : GUEST_VLAN_Gi1/0/3
Description : NONE
VLAN : 310
URL_Redirect URL : NONE
URL-Redirect Match ACL : NONE
Idle timeout : NONE
Absolute-Timer : NONE
Linksec Policy : NONE
Input Qos Policy : NONE
Output Qos Policy : NONE
SGT Value : NONE

cat-3560cx-12-1#sho policy-map type control subscriber POLICY_Gi1/0/3
POLICY_Gi1/0/3
  event session-started match-all
    10 class always do-until-failure
      10 authenticate using dot1x retries 1 retry-time 0 priority 10
  event authentication-failure match-first
    5 class DOT1X_FAILED do-until-failure
      10 activate service-template AUTH_FAIL_VLAN_Gi1/0/3
      20 authorize
    10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
      10 activate service-template CRITICAL_AUTH_VLAN_Gi1/0/3
      20 authorize
      30 pause reauthentication
    20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
      10 pause reauthentication
      20 authorize
    30 class DOT1X_TIMEOUT do-until-failure
      10 terminate dot1x
      20 activate service-template GUEST_SUPP_VLAN_Gi1/0/3
      30 authorize
    40 class DOT1X_NO_RESP do-until-failure
      10 terminate dot1x
      20 authenticate using mab priority 20
    50 class MAB_FAILED do-until-failure
      10 terminate mab
      20 activate service-template GUEST_VLAN_Gi1/0/3
      30 authorize
    70 class always do-until-failure
      10 terminate dot1x
      20 terminate mab
      30 authentication-restart 60
  event agent-found match-all
    10 class always do-until-failure
      10 terminate mab
      20 authenticate using dot1x retries 1 retry-time 0 priority 10
  event aaa-available match-all
    10 class IN_CRITICAL_VLAN do-until-failure
      10 clear-session
    20 class NOT_IN_CRITICAL_VLAN do-until-failure
      10 resume reauthentication
  event authentication-success match-all
    10 class always do-until-failure
      10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
  event violation match-all
    10 class always do-until-failure
      10 replace
cat-3560cx-12-1#
04-25-2022 05:16 AM
OK. So I've got a workaround, however I still think this is a bug and I shouldn't need to apply this workaround.
If I apply the Guest ACL directly to the L2 switchport (regardless of whether it's attached to the SVI) the logic works, as long as the RADIUS server sends an ACL as a Cisco AV-pair, as this will take precedence over the interface ACL (currently ip:inacl#10=permit ip any any). Users that drop onto the guest VLAN (failed or no supplicant) hit the interface ACL.