...
- VLANs are suspended on interfaces after a VLAN Filter is applied.
- At first the only VLANs affected are the ones identified by the 'vlan-list' component of the VLAN Filter.
- If the affected interfaces are flapped, the suspension will spread to all VLANs currently hosted on the interfaces that were flapped.

The switch will generate logs similar to:

- %ETHPORT-3-IF_ERROR_VLANS_SUSPENDED: VLANs 2707 on Interface Ethernet1/2 are being suspended. (Reason: ACL Logging is not supported in egress direction.)
- %ETHPORT-5-IF_SEQ_ERROR: Error ("ACL Logging is not supported in egress direction.") communicating with MTS_SAP_SPM for opcode MTS_OPC_ETHPM_PORT_LOGICAL_BRINGUP (RID_PORT: Ethernet1/2)
- Nexus 9000 and 3000 switches.
- A VACL is configured and tied to an ACL that includes the 'log' keyword.
- The VACL is then used in a VLAN Filter for a non-existent VLAN.
- The non-existent VLAN is configured after the VLAN Filter by doing 'vlan X', where X is the relevant VLAN.

Example of the triggering configuration (the '<<<<<' markers point at the relevant lines):

    switch# show ip access-lists TAC_ACL
    IP access list TAC_ACL
            10 permit ip any any log     <<<<<
    switch# show vlan access-map TAC_VACL
    Vlan access-map TAC_VACL 10
            match ip: TAC_ACL     <<<<<
            action: drop
    vlan filter TAC_VACL vlan-list 2707
    switch# show vlan id 2707
    VLAN 2707 not found in current VLAN database
- Remove the VLAN Filter configuration, or
- Remove the 'log' keyword from the ACL used by the VACL.

After either of the two steps above is done, it is necessary to flap all of the affected interfaces by doing 'shutdown' and then 'no shutdown'.
This behavior is due to egress ACL logging not being supported on Nexus 9000. The sequence of events described above circumvents our normal checks in software for this condition. When the new VLAN is configured, or the link is flapped, the switch attempts to program hardware with an unsupported configuration.

*PSIRT Evaluation:* The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
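The following script is an added example, not part of the bug record or any Cisco tooling. It audits a running-config fragment for the combination described in the conditions (a VACL whose matched ACL carries the 'log' keyword, applied through 'vlan filter' to VLANs that are not yet in the VLAN database) and parses the %ETHPORT-3-IF_ERROR_VLANS_SUSPENDED syslog line to list the interfaces that need the 'shutdown' / 'no shutdown' step from the workaround. The config sample and the extra log lines are constructed; the running-config line formats ('ip access-list', 'vlan access-map', 'match ip address', 'vlan filter ... vlan-list', 'vlan N,M-K') are assumed to be the NX-OS running-config forms.

```python
"""Audit NX-OS config for VACL+log+vlan-filter combinations and parse suspension logs.

Added example (assumptions: running-config line formats as described in the lead-in).
"""
import re

# Syslog line from the bug record; the VLAN list may be a single ID or a comma/range list.
LOG_RE = re.compile(
    r"%ETHPORT-3-IF_ERROR_VLANS_SUSPENDED: VLANs (?P<vlans>[\d,\-]+) on Interface "
    r"(?P<intf>\S+) are being suspended\. \(Reason: ACL Logging is not supported "
    r"in egress direction\.\)"
)


def expand_vlan_list(text):
    """Expand an NX-OS style list such as '1,100,200-202' into a set of ints."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def find_risky_vlan_filters(config):
    """Return VLAN filters whose VACL matches an ACL that uses the 'log' keyword.

    Each finding also lists which filtered VLANs are absent from the VLAN
    database, i.e. the exact trigger described in the bug conditions.
    """
    acls_with_log, vacl_acls, filters, defined = set(), {}, {}, set()
    current_acl = current_vacl = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"ip access-list (\S+)$", line)
        if m:
            current_acl, current_vacl = m.group(1), None
            continue
        m = re.match(r"vlan access-map (\S+) \d+$", line)
        if m:
            current_vacl, current_acl = m.group(1), None
            vacl_acls.setdefault(current_vacl, set())
            continue
        m = re.match(r"vlan filter (\S+) vlan-list (\S+)$", line)
        if m:
            filters[m.group(1)] = expand_vlan_list(m.group(2))
            current_acl = current_vacl = None
            continue
        m = re.match(r"vlan ([\d,\-]+)$", line)  # VLAN database entries
        if m:
            defined |= expand_vlan_list(m.group(1))
            current_acl = current_vacl = None
            continue
        if raw.startswith(" ") and current_acl:
            # ACL entry line: flag the ACL if the entry ends with the 'log' keyword.
            if not line.lower().startswith("remark") and re.search(r"\blog$", line):
                acls_with_log.add(current_acl)
        elif raw.startswith(" ") and current_vacl:
            m = re.match(r"match ip address (\S+)$", line)
            if m:
                vacl_acls[current_vacl].add(m.group(1))
    findings = []
    for vacl, vlans in filters.items():
        for acl in sorted(vacl_acls.get(vacl, ())):
            if acl in acls_with_log:
                findings.append({"vacl": vacl, "acl": acl,
                                 "vlans": sorted(vlans),
                                 "missing_vlans": sorted(vlans - defined)})
    return findings


def parse_suspension_logs(lines):
    """Map interface name -> set of suspended VLAN IDs from syslog lines."""
    affected = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            affected.setdefault(m.group("intf"), set()).update(
                expand_vlan_list(m.group("vlans")))
    return affected


def flap_commands(interfaces):
    """Build the 'shutdown' / 'no shutdown' sequence from the workaround."""
    cmds = []
    for intf in sorted(interfaces):
        cmds += [f"interface {intf}", " shutdown", " no shutdown"]
    return cmds


# Constructed sample config: TAC_ACL/TAC_VACL/2707 mirror the bug record, SAFE_* is a benign control.
SAMPLE_CONFIG = """\
ip access-list TAC_ACL
  10 permit ip any any log
ip access-list SAFE_ACL
  10 permit ip any any
vlan access-map TAC_VACL 10
  match ip address TAC_ACL
  action drop
vlan access-map SAFE_VACL 10
  match ip address SAFE_ACL
  action drop
vlan filter TAC_VACL vlan-list 2707
vlan filter SAFE_VACL vlan-list 100
vlan 1,100
"""

# Constructed log sample: the first line is the one quoted in the bug record.
SAMPLE_LOGS = [
    "%ETHPORT-3-IF_ERROR_VLANS_SUSPENDED: VLANs 2707 on Interface Ethernet1/2 are being "
    "suspended. (Reason: ACL Logging is not supported in egress direction.)",
    "%ETHPORT-3-IF_ERROR_VLANS_SUSPENDED: VLANs 10-11,2707 on Interface Ethernet1/3 are being "
    "suspended. (Reason: ACL Logging is not supported in egress direction.)",
    "%ETHPORT-5-IF_UP: Interface Ethernet1/4 is up in mode trunk",
]

if __name__ == "__main__":
    for f in find_risky_vlan_filters(SAMPLE_CONFIG):
        print(f"RISK: vlan filter {f['vacl']} -> ACL {f['acl']} uses 'log'; "
              f"VLANs {f['vlans']} (not in database: {f['missing_vlans']})")
    affected = parse_suspension_logs(SAMPLE_LOGS)
    print("\n".join(flap_commands(affected)))
```

Run it against the output of 'show running-config' and a syslog export: a finding with a non-empty missing_vlans list is the pre-trigger state (the suspension will begin as soon as that VLAN is created), and the generated flap commands cover only interfaces named in the suspension log, which is the set the workaround says must be bounced after the filter or the 'log' keyword is removed.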