C3650 16.12.12 IPv6 dACL bug maybe?

Apologies in advance for the cross-post as I've also posted this in the IPv6 section.

I'm doing IBNS 2.0 dot1x/MAB in closed mode and I'm pushing some IPv4 and IPv6 ACLs via RADIUS to some C3650 switches running the latest IOS-XE 16.12.12.  After digging through documentation to understand how to display the dACLs that are applied, it looks like there is a bug.  Reading through the documentation here - Validate Security ACLs on Catalyst 9000 Switches - Cisco

I am using the command 'show access-session interface x/x/x detail' to determine the IIF-ID and the IPv4 and IPv6 dACLs that get downloaded.  I'm then using the command 'show platform software fed switch active acl interface 0x0000' to show the ACLs and the CG ID of the two ACLs that are applied.  Finally I'm using the command 'show platform software fed switch active acl info acl-grp-cgid xxxxx' to expand out the ACLs from the two CG IDs from the last command.  This is the output:

cat-3650#show access-session interface gigabitEthernet 1/0/4 details
            Interface:  GigabitEthernet1/0/4
               IIF-ID:  0x1D524DE7
          MAC Address:  d89e.f373.5c34
         IPv6 Address:  xxxx:xxxx:xxxx:xxxx:c15e:d995:f2f8:580
                        fe80::7f84:275e:3c42:4081
                        xxxx:xxxx:xxxx:xxxx:3149:8e93:6e14:52a3
                        xxxx:xxxx:xxxx:xxxx:f962:3283:f195:6686
                        xxxx:xxxx:xxxx:xxxx:1947:7a61:7d41:e297
         IPv4 Address:  192.168.80.1
            User-Name:  host/workstation.domain.local
          Device-type:  Microsoft-Workstation
          Device-name:  MSFT 5.0
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  14400s (server), Remaining: 10041s
       Timeout action:  Reauthenticate
  Acct update timeout:  172800s (local), Remaining: 168441s
    Common Session ID:  0A3E01FE000000F646DEBB7A
      Acct Session ID:  0x00000194
               Handle:  0xcb0000e6
       Current Policy:  Dot1x-MAB-Guest-Default


Local Policies:
        Service Template: AUTH_PASS_VLAN_SRV_TEMPLATE (priority 150)
           Vlan Group:  Vlan: 10

Server Policies:
      Session-Timeout: 14400 sec
         Per-User ACL: Gi1/0/4#v4#1d524de7
                     : permit ip any 192.168.0.0 0.0.255.255
         Per-User ACL: Gi1/0/4#v4#1d524de7
                     : permit ip any any
         Per-User ACL: Gi1/0/4#v6#1d524de7
                     : permit ipv6 any xxxx:xxxx:xxxx::/48
         Per-User ACL: Gi1/0/4#v6#1d524de7
                     : permit ipv6 any any
            SGT Value:  4


Method status list:
       Method           State
        dot1x           Authc Success
          mab           Stopped




cat-3650#show platform software fed switch active acl interface 0x1D524DE7
########################################################
########                              ##################
#######    Printing Interface Infos    #################
########                              ##################
########################################################

INTERFACE: Client MAC d89e.f373.5c34
MAC d89e.f373.5c34
########################################################
    intfinfo: 0xffd00f4bd8
    Interface handle: 0x18000158
    Interface Type: Group
    if-id: 0x000000001d524de7
    Input IPv6: Policy Handle: 0x8f000169
        Policy Name: IPV4_PRE_AUTH_ACL:Gi1/0/4#v6#1d524de7:Gi1/0/4#v4#1d524de7:
             CG ID: 68896
       CGM Feature: [35] acl-grp
        Bind Order: 0

    Input IPv4: Policy Handle: 0xe40001c1
        Policy Name: IPV4_PRE_AUTH_ACL:Gi1/0/4#v6#1d524de7:Gi1/0/4#v4#1d524de7:
             CG ID: 68880
       CGM Feature: [35] acl-grp
        Bind Order: 0




cat-3650#show platform software fed switch active acl info acl-grp-cgid 68896
########################################################
#########                             ##################
########      Printing CG Entries      #################
#########                             ##################
########################################################
===================================
ACL CG (acl-grp/68896): IPV4_PRE_AUTH_ACL:Gi1/0/4#v6#1d524de7:Gi1/0/4#v4#1d524de7: type: IPv6
Total Ref count 1
---------------------------------
1 CGACL
---------------------------------
  region reg_id: 1
    subregion subr_id: 0
      GCE#:10 #flds: 2 l4:N matchall:N deny:N
        Result: 0x04000000
        ipv6_dst: start = 20019999999900000000000000000000, prefix length = 48
        ipv6_src: start = 00000000000000000000000000000000, prefix length = 0
      GCE#:20 #flds: 2 l4:N matchall:N deny:N
        Result: 0x04000000
        ipv6_dst: start = 00000000000000000000000000000000, prefix length = 0
        ipv6_src: start = 00000000000000000000000000000000, prefix length = 0



cat-3650#show platform software fed switch active acl info acl-grp-cgid 68880
########################################################
#########                             ##################
########      Printing CG Entries      #################
#########                             ##################
########################################################
===================================
ACL CG (acl-grp/68880): IPV4_PRE_AUTH_ACL:Gi1/0/4#v6#1d524de7:Gi1/0/4#v4#1d524de7: type: IPv4
Total Ref count 1
---------------------------------
1 CGACL
---------------------------------
  region reg_id: 1
    subregion subr_id: 0
      GCE#:10 #flds: 2 l4:N matchall:N deny:N
        Result: 0x04000000
        ipv4_src: value = 0x00000000, mask = 0x00000000
        ipv4_dst: value = 0xc0a80000, mask = 0xffff0000
      GCE#:20 #flds: 2 l4:N matchall:N deny:N
        Result: 0x04000000
        ipv4_src: value = 0x00000000, mask = 0x00000000
        ipv4_dst: value = 0x00000000, mask = 0x00000000
    subregion: 1 jumpto reg_idx 65535 subr_idx 65535
      GCE#:10 #flds: 4 l4:Y matchall:N deny:N
        Result: 0x04000000
        ipv4_src: value = 0x00000000, mask = 0x00000000
        ipv4_dst: value = 0x00000000, mask = 0x00000000
        ip_prot: start = 17, end = 17
        l4_dst: start = 68, end = 68
      GCE#:20 #flds: 4 l4:Y matchall:N deny:N
        Result: 0x04000000
        ipv4_src: value = 0x00000000, mask = 0x00000000
        ipv4_dst: value = 0x00000000, mask = 0x00000000
        ip_prot: start = 17, end = 17
        l4_dst: start = 67, end = 67
      GCE#:30 #flds: 4 l4:Y matchall:N deny:N
        Result: 0x04000000
        ipv4_src: value = 0x00000000, mask = 0x00000000
        ipv4_dst: value = 0x00000000, mask = 0x00000000
        ip_prot: start = 17, end = 17
        l4_dst: start = 53, end = 53
      GCE#:40 #flds: 2 l4:N matchall:N deny:Y
        Result: 0x04000000
        ipv4_src: value = 0x00000000, mask = 0x00000000
        ipv4_dst: value = 0x00000000, mask = 0x00000000

cat-3650#

My IPv4 addressing is RFC1918 so I've not masked it in the above, but my IPv6 addressing is real, so I've partially masked it.

Looking at the output of the 2nd command, it shows 'Input IPv6 policy' is 'IPV4_PRE_AUTH_ACL:Gi1/0/4#v6#1d524de7:Gi1/0/4#v4#1d524de7' and this is combined to create CG ID 68896 - look at the start 'IPV4_PRE_AUTH_ACL' - this looks wrong as this is the IPv4 PACL.

And the 'Input IPv4 policy' is 'IPV4_PRE_AUTH_ACL:Gi1/0/4#v6#1d524de7:Gi1/0/4#v4#1d524de7' and this is combined to create the CG ID 68880.  The 3rd and 4th commands expand out the ACLs for the two CG IDs; however, the IPv6 one only contains the IPv6 dACL that was pushed down, rather than the PACL that is added as this is a 'closed' interface.  The two lines 'ip access-group IPV4_PRE_AUTH_ACL in' and 'ipv6 traffic-filter IPV6_PRE_AUTH_ACL in' are applied to the switchport.  This is the full switchport config:

interface GigabitEthernet1/0/4
 description ** Port for Endpoints with Voice VLAN dot1x closed **
 switchport access vlan 999
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 20
 device-tracking attach-policy IPDT_POLICY
 ip access-group IPV4_PRE_AUTH_ACL in
 ipv6 traffic-filter IPV6_PRE_AUTH_ACL in
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-domain
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x timeout supp-timeout 7
 dot1x max-req 3
 dot1x max-reauth-req 3
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy type control subscriber Dot1x-MAB-Guest-Default
 service-policy input IPPHONE+PC-BASIC
 service-policy output AutoQos-4.0-Output-Policy
 ip nbar protocol-discovery
 ip dhcp snooping limit rate 100

It looks like the switch is trying to use the IPv4 PACL rather than the IPv6 PACL but failing to do so and the resulting CG entry only contains the IPv6 dACL sent from RADIUS.  The IPv4 PACL and dACL are correctly combined.

I can only think this is a bug in the logic on the switch.

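The three-step check described in the post (session details for the dACL, FED interface info for the CG IDs, CG dump for the programmed entries) can be automated so that a mismatch like the one above is caught without reading TCAM dumps by eye. The following Python helper is an added example, not Cisco code and not something from the original post: it parses the three command outputs from captured text, renders each programmed GCE back into IOS ACE syntax, and reports two conditions: an Input IPv4/IPv6 policy whose name is built on the wrong PACL (the expected names IPV4_PRE_AUTH_ACL and IPV6_PRE_AUTH_ACL are taken from the port configuration above), and a CG whose entries are exactly the dACL with nothing from the PACL merged in. The sample inputs are constructed from the post's own output, trimmed; because the IPv6 addresses in the Per-User ACL are masked in the post, the sample substitutes the 2001:9999:9999::/48 value that the CG dump itself shows so the two sides can be compared. The field names and regexes are assumptions fitted to the output format shown here and may need adjusting for other IOS-XE releases.

```python
# Added example, not Cisco code: cross-check a RADIUS-pushed dACL against the FED's programmed CG.
import ipaddress
import re

# Expected PACL per family, taken from the port's 'ip access-group' / 'ipv6 traffic-filter' lines.
EXPECTED_PACL = {"IPv4": "IPV4_PRE_AUTH_ACL", "IPv6": "IPV6_PRE_AUTH_ACL"}

# Constructed samples trimmed from the post; the masked IPv6 prefix in the Per-User ACL is
# replaced by the 2001:9999:9999::/48 value that the CG dump itself shows.
ACCESS_SESSION = """\
         Per-User ACL: Gi1/0/4#v4#1d524de7
                     : permit ip any 192.168.0.0 0.0.255.255
         Per-User ACL: Gi1/0/4#v4#1d524de7
                     : permit ip any any
         Per-User ACL: Gi1/0/4#v6#1d524de7
                     : permit ipv6 any 2001:9999:9999::/48
         Per-User ACL: Gi1/0/4#v6#1d524de7
                     : permit ipv6 any any
"""
FED_INTERFACE = """\
    Input IPv6: Policy Handle: 0x8f000169
        Policy Name: IPV4_PRE_AUTH_ACL:Gi1/0/4#v6#1d524de7:Gi1/0/4#v4#1d524de7:
             CG ID: 68896
    Input IPv4: Policy Handle: 0xe40001c1
        Policy Name: IPV4_PRE_AUTH_ACL:Gi1/0/4#v6#1d524de7:Gi1/0/4#v4#1d524de7:
             CG ID: 68880
"""
CG_68896 = """\
      GCE#:10 #flds: 2 l4:N matchall:N deny:N
        ipv6_dst: start = 20019999999900000000000000000000, prefix length = 48
        ipv6_src: start = 00000000000000000000000000000000, prefix length = 0
      GCE#:20 #flds: 2 l4:N matchall:N deny:N
        ipv6_dst: start = 00000000000000000000000000000000, prefix length = 0
        ipv6_src: start = 00000000000000000000000000000000, prefix length = 0
"""
CG_68880 = """\
      GCE#:10 #flds: 2 l4:N matchall:N deny:N
        ipv4_src: value = 0x00000000, mask = 0x00000000
        ipv4_dst: value = 0xc0a80000, mask = 0xffff0000
      GCE#:20 #flds: 2 l4:N matchall:N deny:N
        ipv4_src: value = 0x00000000, mask = 0x00000000
        ipv4_dst: value = 0x00000000, mask = 0x00000000
      GCE#:40 #flds: 2 l4:N matchall:N deny:Y
        ipv4_src: value = 0x00000000, mask = 0x00000000
        ipv4_dst: value = 0x00000000, mask = 0x00000000
"""

def parse_access_session(text):
    """Return {acl_name: [ace, ...]} from the Server Policies block of 'show access-session ... details'."""
    acls, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*Per-User ACL:\s*(\S+)", line):
            current = acls.setdefault(m.group(1), [])
        elif current is not None and (m := re.match(r"\s*:\s+((?:permit|deny) .*)", line)):
            current.append(m.group(1).strip())
    return acls

def parse_fed_interface(text):
    """Return {'IPv4': (policy_name, cg_id), ...} from '... fed switch active acl interface <iif-id>'."""
    pat = r"Input (IPv[46]):.*?Policy Name:\s*(\S+).*?CG ID:\s*(\d+)"
    return {fam: (pol, int(cg)) for fam, pol, cg in re.findall(pat, text, re.S)}

def parse_cg_entries(text):
    """Return one dict per GCE from '... acl info acl-grp-cgid <id>' (value/mask or start/prefix pairs)."""
    entries = []
    for line in text.splitlines():
        if m := re.match(r"\s*GCE#:(\d+) .*deny:([YN])", line):
            entries.append({"gce": int(m.group(1)), "deny": m.group(2) == "Y"})
        elif m := re.match(r"\s*(ipv4_\w+): value = 0x(\w+), mask = 0x(\w+)", line):
            entries[-1][m.group(1)] = (int(m.group(2), 16), int(m.group(3), 16))
        elif m := re.match(r"\s*(ipv6_\w+): start = (\w+), prefix length = (\d+)", line):
            entries[-1][m.group(1)] = (int(m.group(2), 16), int(m.group(3)))
    return entries

def entry_to_ace(e):
    """Render a parsed TCAM entry as an IOS-style ACE so it can be compared with the dACL text."""
    action = "deny" if e["deny"] else "permit"
    if "ipv6_src" in e:
        v6 = lambda start, plen: "any" if plen == 0 else str(ipaddress.IPv6Network((start, plen), strict=False))
        return f"{action} ipv6 {v6(*e['ipv6_src'])} {v6(*e['ipv6_dst'])}"
    def v4(value, mask):  # hardware value/mask -> IOS address/wildcard operand
        wild = ~mask & 0xFFFFFFFF
        return "any" if mask == 0 else f"{ipaddress.IPv4Address(value)} {ipaddress.IPv4Address(wild)}"
    return f"{action} ip {v4(*e['ipv4_src'])} {v4(*e['ipv4_dst'])}"

def audit(session_text, fed_text, cg_texts):
    """Return findings; cg_texts maps CG ID -> that ID's 'acl-grp-cgid' output."""
    acls, findings = parse_access_session(session_text), []
    for fam, (policy, cgid) in parse_fed_interface(fed_text).items():
        tag = "#v4#" if fam == "IPv4" else "#v6#"
        dacl = [ace for name, aces in acls.items() if tag in name for ace in aces]
        hw = [entry_to_ace(e) for e in parse_cg_entries(cg_texts[cgid])]
        if (pacl := policy.split(":")[0]) != EXPECTED_PACL[fam]:
            findings.append(f"{fam}: policy {policy} built on {pacl}, expected {EXPECTED_PACL[fam]}")
        if missing := [a for a in dacl if a not in hw]:
            findings.append(f"{fam}: dACL entries missing from CG {cgid}: {missing}")
        if len(hw) <= len(dacl):
            findings.append(f"{fam}: CG {cgid} holds only the {len(hw)} dACL entries, no PACL merged")
    return findings

if __name__ == "__main__":
    print(*audit(ACCESS_SESSION, FED_INTERFACE, {68896: CG_68896, 68880: CG_68880}), sep="\n")
```

Run against the sample, `audit()` returns two findings, both for IPv6: the Input IPv6 policy is built on IPV4_PRE_AUTH_ACL rather than IPV6_PRE_AUTH_ACL, and CG 68896 holds only the two dACL entries with nothing merged from a PACL, while IPv4 is clean because CG 68880 contains the two dACL ACEs plus the extra PACL entries. The `deny:Y` entry at the end of the IPv4 CG is what a closed-mode pre-auth PACL's implicit deny looks like once merged, which is exactly what is absent from the IPv6 CG. For a real session, paste each command's output into the corresponding string (or read them from files) and keep the IIF-ID and CG IDs consistent between the three captures.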