A Catalyst 9500 with an ACL that contains rules referencing an object-group may fail to forward traffic that is explicitly permitted by a sequence in the ACL that references those object-groups. Example:

  ip access-list extended OGACL
   10 permit udp 192.168.1.0 0.0.0.255 object-group DNS-SERVERS eq domain
   20 deny udp any any

The behavior seen is that traffic matching sequence 10 in the ACL will not be matched and is dropped by the deny statement. This behavior has been observed on IOS-XE 16.12.4.
Catalyst 9500 running IOS-XE 16.12.4
ACL configured that uses object-groups
Expand the object-group ACL into individual entries within the ACL
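The workaround above, as an added example that is not from the bug report or from Cisco: a Python script that expands network object-group references in an ACL into one ACE per group member (a cartesian product when more than one group appears in the same ACE) and resequences the result so the original rule order, including the trailing deny, is preserved. The object-group members and the ACL text are constructed sample input; only `host` and subnet-mask members are handled.

```python
import ipaddress
import re

# Constructed sample config (group members are made up); the ACL mirrors the bug report.
SAMPLE_CONFIG = """\
object-group network DNS-SERVERS
 host 10.0.0.53
 10.0.1.0 255.255.255.0
ip access-list extended OGACL
 10 permit udp 192.168.1.0 0.0.0.255 object-group DNS-SERVERS eq domain
 20 deny udp any any
"""

def parse_object_groups(config):
    """Return {group_name: [member tokens]} with members in the wildcard-mask form an ACE uses."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        if current is None or not line.startswith(" "):
            current = None              # left the object-group stanza
            continue
        parts = line.split()
        if parts[0] == "host":
            current.append(f"host {parts[1]}")
        elif len(parts) == 2:           # "A.B.C.D subnet-mask" -> "A.B.C.D wildcard"
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            current.append(f"{net.network_address} {net.hostmask}")
    return groups

def expand_acl(config, groups, step=10):
    """Return the ACL stanzas with each object-group reference replaced by one ACE per member,
    resequenced in original order (original sequence numbers are dropped)."""
    out, seq, in_acl = [], 0, False
    for line in config.splitlines():
        if line.startswith("ip access-list"):
            out.append(line)
            seq, in_acl = 0, True
            continue
        if not in_acl or not line.startswith(" "):
            in_acl = False
            continue
        parts = line.split()
        if parts[0].isdigit():
            parts = parts[1:]
        variants, i = [[]], 0
        while i < len(parts):
            if parts[i] == "object-group":
                variants = [v + [m] for v in variants for m in groups[parts[i + 1]]]
                i += 2
            else:
                variants = [v + [parts[i]] for v in variants]
                i += 1
        for v in variants:
            seq += step
            out.append(f" {seq} " + " ".join(v))
    return out

if __name__ == "__main__":
    print("\n".join(expand_acl(SAMPLE_CONFIG, parse_object_groups(SAMPLE_CONFIG))))
```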
None.
The Cisco PSIRT has evaluated this issue and determined that it does not have a security impact that requires PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. There is no PSIRT restriction that prohibits making this bug visible. If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation. Additional information on Cisco's security vulnerability policy can be found at the following URL: https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html