OPERATIONAL DEFECT DATABASE
...
...
A Catalyst 9500 with an ACL that contains rules referencing an object-group may fail to forward traffic that is explicitly permitted by a sequence in the ACL that references those object-groups. Example: ip access-list extended OGACL 10 permit udp 192.168.1.0 0.0.0.255 object-group DNS-SERVERS eq domain 20 deny udp any any The behavior seen is that traffic matching sequence 10 in the ACL will not be matched and is dropped by the deny statement. This behavior has been observed on IOS-XE 16.12.4
Catalyst 9500 running IOS-XE 16.12.4 ACL configured that uses object-groups
Expand the object-group ACL into individual entries within the ACL
Click on a version to see all relevant bugs
Cisco Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.
