04-23-2022 07:23 AM - edited 04-23-2022 07:38 AM
I upgraded a couple of C3560CX's to 15.2(7)E6 recently. It's a routed access switch with three VLANs/SVIs: Data, Voice and Guest. The Guest SVI has an inbound ACL attached that permits DNS, DHCP and a couple of other things to the LAN. There is then a "deny ip any 192.168.0.0 0.0.255.255 log" and then a "permit ip any any". The logic being that if it's not an 802.1x authenticated corporate device it should drop onto the Guest VLAN, which has restricted access to the local LAN but can get out to the Internet.
It no longer works after I installed 15.2(7)E6: the Guest devices have full access, apart from to the actual switch, i.e. I can't ping any of the interfaces on the switch; however, any IP traffic through the switch works. I am fairly sure this didn't work on the last release (15.2(7)E5). However, I haven't downgraded to check yet.
This feels like a fairly fundamental bug in this release? It's a common release for C2960X & C1000 series Catalysts.
I don't see this behavior on C3560X's running 15.2(4)E10.
Anyone else seen this?
04-23-2022 08:44 AM
"The logic being if its not an 802.1x authenticated corporate device it should drop onto the Guest VLAN that has restricted access to the local LAN, but can get out to the Internet."
Are you sure the Guest gets the Guest VLAN and not another VLAN?
04-23-2022 09:41 AM
"I don't see this behavior on C3560X's running 15.2(4)E10."
If this was working as expected, what was the reason for the upgrade? (The new version may have bugs.) So engage with TAC?
=====Preenayamo Vasudevam=====
***** Rate All Helpful Responses *****
04-23-2022 09:49 AM - edited 04-24-2022 01:16 AM
Different switches. I have some older 3560X & 3750X series running 15.2(4)E10 and it works as expected on these. This 3560CX is newer and runs a newer IOS. I just downgraded to 15.2(7)E5 and the behaviour is the same. Not sure how I missed this. These were upgrades from some 3560-8Ps which run 15.0, and these also worked as expected.
The device is definitely getting assigned to the guest VLAN.
04-23-2022 10:51 AM
There may be some changes from version to version; sometimes we see recurring bugs. Since this is an upgrade issue, I suggest TAC is the best person to investigate; it also helps TAC fix, in a future release, the feature that was not working as expected.
04-23-2022 10:57 AM
My opinion is that there is something missing or misconfigured in 802.1x, not a bug.
04-23-2022 11:31 AM
If I remove all the dot1x stuff and just put the interface as an access port in the guest VLAN, the behaviour is the same.
I have done a chunk of troubleshooting prior to asking the question in here....
The issue is that the ACL attached to the SVI doesn't work.
04-23-2022 04:04 PM - edited 04-23-2022 04:35 PM
Switch# sh platform acl interface vlanX   <- guest VLAN
Input Label: 1
Output Label: 0 (default)
then
Switch# sh platform acl label 1 detail
Can you share the output of the last command?
04-23-2022 03:42 PM
Hello
@andrew.butterworth wrote:
There is then a "deny ip any 192.168.0.0 0.0.255.255 log" and then a "permit ip any any".
The issue is the ACL attached to the SVI doesn't work.
Can you post the config of the SVI and the ACL please, or even the running config of the switch?
04-24-2022 12:58 AM - edited 04-24-2022 01:02 AM
cat-3560cx-12-1#sho platform acl interface vlan 310
Input Label: 1
Output Label: 0 (default)
Input IPv6 Label: 0 (default)
Output IPv6 Label: 0 (default)
cat-3560cx-12-1#sho platform acl label 1 detail
IPv4/MAC ACL label
------------------
Allocated L4 Ops: dst range 67 68, src gt 1023, dst range 16384 32767,
dst range 10000 20000, src range 8008 8009, src range 32768 61000
Input Op Select Index 0:
Output Op Select Index 255:
Input Features:
Interfaces or VLANs: Vl310
Vlan Map: (none)
Access Group: Guest, 30 VMRs.
Mask:
00008301 00000000 00000000 00000000 00000000 06587D58
Value:
00008201 00000000 00000000 00000000 00000000 00008301 Result: 0x04
Mask:
00008300 00400000 00000000 00000000 00000000 00000000
Value:
00008100 00400000 00000000 00000000 00000002 00000000 Result: 0x09
Mask:
00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000
Value:
00008100 00000000 0A636300 C0A86414 00350002 00000000 Result: 0x09
Mask:
00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000
Value:
00008100 00000000 0A636300 C0A86685 00350002 00000000 Result: 0x09
Mask:
00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000
Value:
00008100 00000000 0A636300 C0A8780E 11940002 00000000 Result: 0x09
Mask:
00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000
Value:
00008100 00000000 0A636300 C0A8780E 01F40002 00000000 Result: 0x09
Mask:
00008300 FE000000 FFFFFF00 FFFFFFFF 00000000 00000000
Value:
00008000 32000000 0A636300 C0A8780E 00000002 00000000 Result: 0x09
Mask:
00008300 00000000 FFFFFF00 00000000 FFFF0000 00000000
Value:
00008100 00000000 0A636300 00000000 007B0002 00000000 Result: 0x09
Mask:
00008300 00010000 FFFFFF00 FFFFFFFF FFFF0000 00000000
Value:
00008200 00010000 0A636300 C0A86423 00500002 00000000 Result: 0x09
Mask:
00008300 00010000 FFFFFF00 FFFFFFFF FFFF0000 00000000
Value:
00008200 00010000 0A636300 C0A86414 01BB0002 00000000 Result: 0x09
Mask:
00008300 00010000 FFFFFF00 FFFFFFFF FFFF0000 00000000
Value:
00008200 00010000 0A636300 C0A86685 01BB0002 00000000 Result: 0x09
Mask:
00008300 00010000 FFFFFF00 FFFFFFFF FFFF0000 00000000
Value:
00008200 00010000 0A636300 C0A86651 01BB0002 00000000 Result: 0x09
Mask:
00008300 00010000 FFFFFF00 FFFFFFFF FFFF0000 00000000
Value:
00008200 00010000 0A636300 C0A86423 01BB0002 00000000 Result: 0x09
Mask:
00008300 00010000 FFFFFF00 FFFFFFFF FFFF0000 00000000
Value:
00008200 00010000 0A636300 C0A8964D 238C0002 00000000 Result: 0x09
Mask:
00008300 00010000 FFFFFF00 FFFFFFFF FFFF0000 00000000
Value:
00008200 00010000 0A636300 C0A8964D 02030002 00000000 Result: 0x09
Mask:
00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000
Value:
00008200 00000000 0A636300 C0A86615 06980002 00000000 Result: 0x09
Mask:
00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000
Value:
00008200 00000000 0A636300 C0A86616 06980002 00000000 Result: 0x09
Mask:
00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000
Value:
00008200 00000000 0A636300 C0A864D2 20FB0002 00000000 Result: 0x09
Mask:
00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000
Value:
00008100 00000000 0A636300 C0A86612 13C40002 00000000 Result: 0x09
Mask:
00008300 00000000 FFFFFF00 FFFFFFFF C0000000 00000000
Value:
00008100 00000000 0A636300 C0A86612 40000002 00000000 Result: 0x09
Mask:
00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000
Value:
00008200 00000000 0A636300 C0A86426 00500002 00000000 Result: 0x09
Mask:
00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000
Value:
00008200 00000000 0A636300 C0A866A2 0C380002 00000000 Result: 0x09
Mask:
00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000
Value:
00008200 00000000 0A636300 C0A866A5 0C380002 00000000 Result: 0x09
Mask:
00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000
Value:
00008200 00000000 0A636300 C0A866A6 0C380002 00000000 Result: 0x09
Mask:
00008300 00100000 FFFFFF00 FFFF0000 00000000 00000000
Value:
00008100 00100000 0A636300 C0A80000 00000002 00000000 Result: 0x09
Mask:
00008300 0000FFFE FFFFFF00 FFFF0000 00000000 00000000
Value:
00008200 00001F48 0A636300 C0A80000 00000002 00000000 Result: 0x09
Mask:
00008300 00200000 FFFFFF00 FFFF0000 00000000 00000000
Value:
00008100 00200000 0A636300 C0A80000 00000002 00000000 Result: 0x09
Mask:
00008044 00000000 FFFFFF00 FFFF0000 00000000 00000000
Value:
00008044 00000000 0A636300 C0A80000 00000000 00000000 Result: 0x05
Mask:
00008044 00000000 FFFFFF00 FFFF0000 00000000 00000000
Value:
00008040 00000000 0A636300 C0A80000 00000000 00000000 Result: 0x07
Mask:
00008000 00000000 00000000 00000000 00000000 00000000
Value:
00008000 00000000 00000000 00000000 00000002 00000000 Result: 0x09
L4Ops: dst range 67 68, src gt 1023, dst range 16384 32767,
dst range 10000 20000, src range 8008 8009, src range 32768 61000
Multicast Boundary: (none), 0 VMRs.
uRPF : (none), 0 VMRs.
MDNS : (none) portlabel 0
Output Features:
Interfaces or VLANs:
Bridge Group Member: no
Vlan Map: (none)
Access Group: (none), 0 VMRs.
IPv6 ACL label
--------------
Input Op Select Index 255:
Output Op Select Index 255:
Input Features:
Interfaces or VLANs:
Traffic Filter: (none), 0 VMRs.
uRPF ACL:
uRPF ACL : (none), 0 VMRs.
MDNS V6 : (none) portlabel 0
Output Features:
Interfaces or VLANs:
Traffic Filter: (none), 0 VMRs.
cat-3560cx-12-1#
cat-3560cx-12-1#sho run int vl 310
Building configuration...
Current configuration : 289 bytes
!
interface Vlan310
description Cat-3560cx-12-1-office-Guest
ip address 10.99.99.78 255.255.255.240
ip access-group Guest in
ip helper-address 192.168.100.25
ip helper-address 192.168.102.25
no ip redirects
no ip proxy-arp
ip verify unicast reverse-path
ip pim sparse-mode
end
cat-3560cx-12-1#sho access-lists Guest
Extended IP access list Guest
10 permit ip any 10.99.99.0 0.0.0.255
20 permit udp any any range bootps bootpc (6 matches)
30 permit udp 10.99.99.0 0.0.0.255 host 192.168.100.20 eq domain (20 matches)
40 permit udp 10.99.99.0 0.0.0.255 host 192.168.102.133 eq domain (20 matches)
50 permit udp 10.99.99.0 0.0.0.255 host 192.168.120.14 eq non500-isakmp
60 permit udp 10.99.99.0 0.0.0.255 host 192.168.120.14 eq isakmp
70 permit esp 10.99.99.0 0.0.0.255 host 192.168.120.14
80 permit ahp 10.99.99.0 0.0.0.255 host 192.168.120.14
90 permit udp 10.99.99.0 0.0.0.255 any eq ntp
100 permit tcp 10.99.99.0 0.0.0.255 gt 1023 host 192.168.100.35 eq www
110 permit tcp 10.99.99.0 0.0.0.255 gt 1023 host 192.168.100.20 eq 443
120 permit tcp 10.99.99.0 0.0.0.255 gt 1023 host 192.168.102.133 eq 443
130 permit tcp 10.99.99.0 0.0.0.255 gt 1023 host 192.168.102.81 eq 443
140 permit tcp 10.99.99.0 0.0.0.255 gt 1023 host 192.168.100.35 eq 443
150 permit tcp 10.99.99.0 0.0.0.255 gt 1023 host 192.168.150.77 eq 9100
160 permit tcp 10.99.99.0 0.0.0.255 gt 1023 host 192.168.150.77 eq lpd
170 permit tcp 10.99.99.0 0.0.0.255 host 192.168.102.21 eq 1688
180 permit tcp 10.99.99.0 0.0.0.255 host 192.168.102.22 eq 1688
190 permit tcp 10.99.99.0 0.0.0.255 host 192.168.100.210 eq 8443
200 permit udp 10.99.99.0 0.0.0.255 host 192.168.102.18 eq 5060
210 permit udp 10.99.99.0 0.0.0.255 host 192.168.102.18 range 16384 32767
220 permit tcp 10.99.99.0 0.0.0.255 host 192.168.100.38 eq www
230 permit tcp 10.99.99.0 0.0.0.255 host 192.168.102.162 eq 3128
240 permit tcp 10.99.99.0 0.0.0.255 host 192.168.102.165 eq 3128
250 permit tcp 10.99.99.0 0.0.0.255 host 192.168.102.166 eq 3128
260 permit udp 10.99.99.0 0.0.0.255 192.168.0.0 0.0.255.255 range 10000 20000
270 permit tcp 10.99.99.0 0.0.0.255 range 8008 8009 192.168.0.0 0.0.255.255
280 permit udp 10.99.99.0 0.0.0.255 range 32768 61000 192.168.0.0 0.0.255.255
290 deny ip 10.99.99.0 0.0.0.255 192.168.0.0 0.0.255.255 log
300 permit ip any any (115 matches)
cat-3560cx-12-1#
I know the source mask in the ACL doesn't match the subnet of the interface, however it covers it: 10.99.99.0/24 covers 10.99.99.64/28.
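An added decoder (not from this thread or from Cisco) for the Mask/Value/Result rows in the 'show platform acl label 1 detail' output above, so the hardware (TCAM) programming can be lined up row by row against the configured Guest ACL; the field layout it assumes is inferred purely from how these rows match the ACL lines, and the result-code meanings are likewise an inference.

```python
"""Decode VMR (mask/value/result) rows of 'show platform acl label N detail' into ACL
tuples so TCAM programming can be compared with the configured ACL.  Field layout is
inferred by lining up this thread's rows with the Guest ACL: an assumption, not a spec."""
import ipaddress

# Constructed sample: three rows copied from the thread (ACL lines 30, 70/80 and 290).
SAMPLE = """\
Mask:
00008300 00000000 FFFFFF00 FFFFFFFF FFFF0000 00000000
Value:
00008100 00000000 0A636300 C0A86414 00350002 00000000 Result: 0x09
Mask:
00008300 FE000000 FFFFFF00 FFFFFFFF 00000000 00000000
Value:
00008000 32000000 0A636300 C0A8780E 00000002 00000000 Result: 0x09
Mask:
00008044 00000000 FFFFFF00 FFFF0000 00000000 00000000
Value:
00008044 00000000 0A636300 C0A80000 00000000 00000000 Result: 0x05
"""
PROTO_CLASS = {0x0100: "udp", 0x0200: "tcp", 0x0000: "ip"}  # word 0 bits 8-9 (inferred)
ACTION = {0x09: "permit", 0x05: "deny", 0x07: "deny"}         # result codes seen in the thread

def _net(value, mask):
    """Word 2 (src) / word 3 (dst): address plus contiguous mask -> CIDR text."""
    return str(ipaddress.IPv4Network((value & mask, str(ipaddress.IPv4Address(mask)))))

def decode(mask, value, result):
    proto = PROTO_CLASS.get(value[0] & 0x0300, "?")
    if proto == "ip" and mask[1] >> 24:                 # raw IP protocol number in word 1
        base, wild = (value[1] >> 24) & (mask[1] >> 24), 0xFF & ~(mask[1] >> 24)
        proto = "ip-proto %d-%d" % (base, base | wild)  # FE mask folds ESP(50)/AH(51) together
    dport = value[4] >> 16 if mask[4] >> 16 == 0xFFFF else None  # exact dst port only
    return {"action": ACTION.get(result, "result %#x" % result), "proto": proto,
            "src": _net(value[2], mask[2]), "dst": _net(value[3], mask[3]), "dport": dport}

def parse_vmrs(text):
    """Walk Mask:/Value: pairs; each Value line ends with 'Result: 0xNN'."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    rows, mask = [], None
    for i, line in enumerate(lines):
        if line == "Mask:":
            mask = [int(w, 16) for w in lines[i + 1].split()]
        elif line == "Value:":
            words = lines[i + 1].split()
            rows.append(decode(mask, [int(w, 16) for w in words[:6]], int(words[-1], 16)))
    return rows

def summarize(text):
    return ["%(action)s %(proto)s %(src)s -> %(dst)s dport %(dport)s" % r for r in parse_vmrs(text)]
```

Feeding the full label output through summarize() should give one line per ACL entry; a configured ACL line with no matching row is the thing to chase with TAC.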
04-24-2022 08:35 AM
Hi, there is some bug with the guest VLAN, but it is not for this IOS version.
But let's try one thing:
I think that you configured the guest VLAN as the aaa authentication failed or critical VLAN; can you remove this line and test by connecting a client to a VLAN access port?
04-24-2022 02:03 PM
Yes, I did a simple port config with just 'switchport access vlan 310' and the behaviour is the same. It's the ACL on the SVI that isn't working as expected.
I'm fairly sure this is a bug and it's been there a while. The older C3560X switch I have works as expected with the same config (different SVI IPv4 address, 10.99.99.0/27, however the same ingress ACL). The output of 'show platform acl label x detail' on the C3560X running 15.2(4)E10 looks the same as on the C3560CX.
I don't have support on either of these C3560CX's so TAC isn't an option unfortunately.
04-25-2022 01:59 AM
OK. So playing around with this a bit more and it looks like the dot1x configuration is somehow interfering.
I am sure I did this last week and it worked as I described, however that could have been with the 15.2(7)E6 and I've since downgraded this switch to 15.2(7)E5.
If I just put the access port into the Guest VLAN and remove all the dot1x configuration, it works as expected and the traffic is denied by the ACL attached to the SVI. If I apply the dot1x config and stop the supplicant on the PC so it fails authentication and gets assigned to the Guest VLAN, the traffic bypasses the ACL.
This is an IBNS 1.0 configuration. The interface configuration and the output of some of the dot1x show commands are below.
interface GigabitEthernet1/0/3
description docking-station
switchport access vlan 300
switchport mode access
switchport nonegotiate
switchport voice vlan 305
switchport port-security maximum 3
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security violation restrict
switchport port-security aging time 3
switchport port-security aging type inactivity
switchport port-security
no logging event link-status
srr-queue bandwidth share 1 70 25 5
srr-queue bandwidth shape 3 0 0 0
priority-queue out
ipv6 nd raguard attach-policy host-policy
ipv6 snooping attach-policy policy1
ipv6 dhcp guard
authentication event fail retry 1 action authorize vlan 310
authentication event server dead action authorize vlan 310
authentication event no-response action authorize vlan 310
authentication event server alive action reinitialize
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab
no snmp trap link-status
dot1x pae authenticator
spanning-tree portfast edge
service-policy input IPPHONE+PC-BASIC
ip verify source smartlog
ip verify source
ip dhcp snooping limit rate 100
!
cat-3560cx-12-1#sho authentication sessions interface gigabitEthernet 1/0/3 details
Interface: GigabitEthernet1/0/3
MAC Address: e8d8.d1ee.dd76
IPv6 Address: Unknown
IPv4 Address: 10.99.99.72
User-Name: e8d8d1eedd76
Device-type: Microsoft-Workstation
Status: Authorized
Domain: UNKNOWN
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Session Uptime: 312s
Common Session ID: C0A8FFF80000002008F4AF72
Acct Session ID: 0x00000013
Handle: 0xB400000D
Current Policy: POLICY_Gi1/0/3
Local Policies:
Service Template: GUEST_VLAN_Gi1/0/3 (priority 150)
Vlan Group: Vlan: 310
Method status list:
Method State
dot1x Stopped
mab Stopped
cat-3560cx-12-1#sho service-template GUEST_VLAN_Gi1/0/3
Name : GUEST_VLAN_Gi1/0/3
Description : NONE
VLAN : 310
URL_Redirect URL : NONE
URL-Redirect Match ACL : NONE
Idle timeout : NONE
Absolute-Timer : NONE
Linksec Policy : NONE
Input Qos Policy : NONE
Output Qos Policy : NONE
SGT Value : NONE
cat-3560cx-12-1#sho policy-map type control subscriber POLICY_Gi1/0/3
POLICY_Gi1/0/3
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 1 retry-time 0 priority 10
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 activate service-template AUTH_FAIL_VLAN_Gi1/0/3
20 authorize
10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template CRITICAL_AUTH_VLAN_Gi1/0/3
20 authorize
30 pause reauthentication
20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
10 pause reauthentication
20 authorize
30 class DOT1X_TIMEOUT do-until-failure
10 terminate dot1x
20 activate service-template GUEST_SUPP_VLAN_Gi1/0/3
30 authorize
40 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
50 class MAB_FAILED do-until-failure
10 terminate mab
20 activate service-template GUEST_VLAN_Gi1/0/3
30 authorize
70 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 1 retry-time 0 priority 10
event aaa-available match-all
10 class IN_CRITICAL_VLAN do-until-failure
10 clear-session
20 class NOT_IN_CRITICAL_VLAN do-until-failure
10 resume reauthentication
event authentication-success match-all
10 class always do-until-failure
10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
event violation match-all
10 class always do-until-failure
10 replace
cat-3560cx-12-1#
04-25-2022 05:16 AM
OK. So I've got a workaround; however, I still think this is a bug and I shouldn't need to apply this workaround.
If I apply the Guest ACL directly to the L2 switchport (regardless of whether it's attached to the SVI) the logic works, as long as the RADIUS server sends an ACL as a Cisco AV-pair, as this will take precedence over the interface ACL (currently ip:inacl#10=permit ip any any). Users that drop onto the guest VLAN (failed or no supplicant) hit the interface ACL.