Symptom
The VRF is created with the legacy, IPv4-only "ip vrf" command:

ip vrf MGMT
 rd 1:100

An IPv6 ACL is then applied to the VTY lines, scoped to that VRF:

sh run | s SSH_IPV6
ipv6 access-list ACL-MGMT-ALLOW_SSH_IPV6
 sequence 10 permit ipv6 host FDFF:XXX:YYY:Z::1 any
 sequence 20 deny ipv6 any any log
line vty 0 4
 ipv6 access-class ACL-MGMT-ALLOW_SSH_IPV6 in vrfname MGMT

Issue #1 - SSH session from a source the ACL permits:
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: FDFF:XXX:YYY:Z::1] [localport: 22]
-> The login succeeds, but the ACL match counters do not increase, so the ACL is not being evaluated at all.

Issue #2 - SSH session from a source the ACL does not permit:
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: FDFF:XXX:YYY:Z::6] [localport: 22]
-> This connection should have been dropped by the "deny ipv6 any any log" entry, yet it succeeds and the ACL counters still do not increase. The access-class is silently ignored, leaving SSH on the VRF reachable from any IPv6 source that can route to the management address.
Conditions
HW = C1121
SW = IOS XE 17.9.4a
vrf config = ip vrf MGMT (legacy IPv4-only VRF syntax; no "vrf definition" with an IPv6 address family)
Workaround
Create the VRF with the multi-protocol "vrf definition" command and enable the IPv6 address family (the IPv4 family is kept so existing IPv4 use of the VRF is unaffected):

vrf definition MGMT
 rd 1000:1
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family

After the change, verify that the access-class is actually enforced rather than assuming it: an SSH attempt from FDFF:XXX:YYY:Z::6 must now be refused, and "show ipv6 access-list ACL-MGMT-ALLOW_SSH_IPV6" must show the match counters increasing on the permit and deny entries.
Further Problem Description
The IOS CLI should warn that VRF MGMT is not enabled for the IPv6 address family when "ipv6 access-class ... in vrfname MGMT" is entered. Instead the command is accepted and the filter is ignored at runtime.
The access-class is ignored because it is an IPv6 ACL tied to a VRF that exists only in the IPv4 stack: "ip vrf NAME" creates an IPv4-only VRF. To use an IPv6 access-class with a VRF, the VRF must be created with "vrf definition NAME" and the IPv6 address family enabled under it. Note that the failure mode is fail-open: the VTY accepts IPv6 SSH connections from any source in the VRF, and the unchanging ACL counters are the only visible sign that the filter was never applied.
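Because the device accepts the command silently, the practical defence is to audit running-configs for this pattern before and after changes. The following Python script is an added example, not part of the Cisco bug report and not Cisco tooling: it parses an IOS-style configuration into blocks, records which address families each VRF has (treating "ip vrf" as IPv4-only), and flags any VTY "ipv6 access-class ... in vrfname X" whose VRF has no IPv6 address family or whose ACL is undefined. The two sample configurations are constructed from the report's symptom and workaround; the block structure parsing is a heuristic for plain "show run" text, not a full IOS config grammar.

```python
"""Audit an IOS/IOS XE running-config for IPv6 VTY access-classes that are
scoped to a VRF without an IPv6 address family (the condition in this report).

Added example code, not Cisco's. Parsing is heuristic: top-level lines start
a block, indented lines are its children, a top-level '!' ends the block.
"""
import re

# Constructed sample mirroring the "Symptom" section: legacy ip vrf + ipv6 access-class.
SAMPLE_BROKEN = """\
ip vrf MGMT
 rd 1:100
!
ipv6 access-list ACL-MGMT-ALLOW_SSH_IPV6
 sequence 10 permit ipv6 host FDFF:XXX:YYY:Z::1 any
 sequence 20 deny ipv6 any any log
!
line vty 0 4
 ipv6 access-class ACL-MGMT-ALLOW_SSH_IPV6 in vrfname MGMT
 transport input ssh
"""

# Constructed sample mirroring the "Workaround" section: vrf definition with IPv6 AF.
SAMPLE_FIXED = """\
vrf definition MGMT
 rd 1000:1
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
ipv6 access-list ACL-MGMT-ALLOW_SSH_IPV6
 sequence 10 permit ipv6 host FDFF:XXX:YYY:Z::1 any
 sequence 20 deny ipv6 any any log
!
line vty 0 4
 ipv6 access-class ACL-MGMT-ALLOW_SSH_IPV6 in vrfname MGMT
"""


def parse_blocks(config):
    """Return a list of (header, [child lines]) from IOS-style config text."""
    blocks = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.strip() == "!":
            if not line.startswith(" "):   # top-level '!' closes the block
                current = None
            continue                       # indented '!' is just a separator
        if line.startswith(" "):
            if current is not None:
                current[1].append(line.strip())
        else:
            current = (line, [])
            blocks.append(current)
    return blocks


def audit(config):
    """Return a list of finding strings; an empty list means no issue found."""
    blocks = parse_blocks(config)
    vrfs = {}      # VRF name -> set of enabled address families
    acls = set()   # names of defined IPv6 ACLs
    for header, children in blocks:
        m = re.match(r"ip vrf (\S+)$", header)
        if m:                               # legacy command: IPv4 stack only
            vrfs[m.group(1)] = {"ipv4"}
            continue
        m = re.match(r"vrf definition (\S+)$", header)
        if m:
            vrfs[m.group(1)] = {c.split()[1] for c in children
                                if c.startswith("address-family ")}
            continue
        m = re.match(r"ipv6 access-list (\S+)$", header)
        if m:
            acls.add(m.group(1))

    findings = []
    for header, children in blocks:
        if not header.startswith("line vty"):
            continue
        for c in children:
            m = re.match(r"ipv6 access-class (\S+) in vrfname (\S+)", c)
            if not m:
                continue
            acl, vrf = m.groups()
            if acl not in acls:
                findings.append(f"{header}: access-class references undefined ACL {acl}")
            afs = vrfs.get(vrf)
            if afs is None:
                findings.append(f"{header}: vrfname {vrf} references an undefined VRF")
            elif "ipv6" not in afs:
                findings.append(
                    f"{header}: VRF {vrf} has no IPv6 address-family; "
                    f"IPv6 access-class {acl} will be ignored (SSH open to any IPv6 source)")
    return findings


if __name__ == "__main__":
    for sample_name, sample in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(sample_name, audit(sample) or "OK")
```

Run it against "show running-config" output saved to a file by replacing the samples with the file contents; any finding mentioning "no IPv6 address-family" is the exact fail-open condition this report describes and should be treated as an unfiltered management port until the VRF is recreated with "vrf definition".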
PSIRT Evaluation
The Cisco PSIRT has evaluated this issue and determined that it does not have a security impact that requires PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. There is no PSIRT restriction that prohibits making this bug visible.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html