
OPERATIONAL DEFECT DATABASE
...

...
ip vrf MGMT
 rd 1:100

sh run | s SSH_IPV6
ipv6 access-list ACL-MGMT-ALLOW_SSH_IPV6
 sequence 10 permit ipv6 host FDFF:XXX:YYY:Z::1 any
 sequence 20 deny ipv6 any any log
line vty 0 4
 ipv6 access-class ACL-MGMT-ALLOW_SSH_IPV6 in vrfname MGMT

Issue #1 - SSH session permitted as per ACL:
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: FDFF:XXX:YYY:Z::1] [localport: 22]
-> ACL counters are not increasing

Issue #2 - SSH session not permitted as per ACL:
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: FDFF:XXX:YYY:Z::6] [localport: 22]
-> SSH connections should be blocked, but aren't; ACL counters are not increasing
HW = C1121
SW = IOS XE 17.9.4a
vrf config = ip vrf MGMT

vrf definition MGMT
 rd 1000:1
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
The IOS CLI should inform the operator that vrf MGMT is not fully enabled for the IPv6 stack. The access-class is silently ignored because it is an IPv6 ACL tied to a VRF that has no IPv6 address family: "ip vrf NAME" is the legacy, IPv4-only form of VRF configuration. When IPv6 is in use, the VRF must be defined with "vrf definition NAME" and "address-family ipv6" must be enabled under it; otherwise the vty access-class provides no filtering, as the two login events above show.
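Because the device gives no warning, the practical defence is to audit the running-config offline for exactly this mismatch: a vty line that applies an IPv6 access-class with "vrfname", where the named VRF is either declared with the legacy "ip vrf" form or lacks "address-family ipv6". The checker below is an added example written for this page, not Cisco code and not part of the bug record; the two configurations it parses are constructed from the snippets above (with a documentation-prefix address substituted for the masked one), and the parsing rules assume the standard IOS XE layout of one-space-indented sub-commands under a top-level command.

```python
import re
from dataclasses import dataclass


@dataclass
class Vrf:
    name: str
    legacy: bool           # declared with "ip vrf NAME" (IPv4-only form)
    ipv6_af: bool = False  # "address-family ipv6" present under "vrf definition"


def parse_config(text):
    """Extract VRFs, IPv6 ACL names and vty IPv6 access-class bindings.

    Returns (vrfs: dict[name -> Vrf], acls: set[str],
             bindings: list[(vty_range, acl_name, vrf_name_or_None)]).
    """
    vrfs, acls, bindings = {}, set(), []
    current_vrf = current_vty = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if not raw.startswith(" "):
            # top-level command: leave whatever block we were in
            current_vrf = current_vty = None
            if m := re.match(r"ip vrf (\S+)$", stripped):
                vrfs[m.group(1)] = Vrf(m.group(1), legacy=True)
            elif m := re.match(r"vrf definition (\S+)$", stripped):
                current_vrf = vrfs[m.group(1)] = Vrf(m.group(1), legacy=False)
            elif m := re.match(r"ipv6 access-list (\S+)$", stripped):
                acls.add(m.group(1))
            elif m := re.match(r"line vty (.+)$", stripped):
                current_vty = m.group(1)
            continue
        # indented sub-command of the current block
        if current_vrf is not None and stripped == "address-family ipv6":
            current_vrf.ipv6_af = True
        elif current_vty is not None:
            m = re.match(r"ipv6 access-class (\S+) in(?: vrfname (\S+))?$", stripped)
            if m:
                bindings.append((current_vty, m.group(1), m.group(2)))
    return vrfs, acls, bindings


def audit(text):
    """Return a list of findings; an empty list means every IPv6 vty access-class can take effect."""
    vrfs, acls, bindings = parse_config(text)
    findings = []
    for vty, acl, vrf_name in bindings:
        if acl not in acls:
            findings.append(f"line vty {vty}: IPv6 ACL {acl} is not defined")
        if vrf_name is None:
            continue
        vrf = vrfs.get(vrf_name)
        if vrf is None:
            findings.append(f"line vty {vty}: vrfname {vrf_name} references an undefined VRF")
        elif vrf.legacy:
            findings.append(f"line vty {vty}: VRF {vrf_name} is declared with 'ip vrf' "
                            "(IPv4-only); the IPv6 access-class will not be enforced")
        elif not vrf.ipv6_af:
            findings.append(f"line vty {vty}: VRF {vrf_name} has no 'address-family ipv6'; "
                            "the IPv6 access-class will not be enforced")
    return findings


# Constructed sample: the failing configuration from the bug report (legacy "ip vrf").
BAD_CONFIG = """\
ip vrf MGMT
 rd 1:100
!
ipv6 access-list ACL-MGMT-ALLOW_SSH_IPV6
 sequence 10 permit ipv6 host 2001:db8::1 any
 sequence 20 deny ipv6 any any log
!
line vty 0 4
 ipv6 access-class ACL-MGMT-ALLOW_SSH_IPV6 in vrfname MGMT
"""

# Constructed sample: the corrected form with the IPv6 address family enabled.
GOOD_CONFIG = """\
vrf definition MGMT
 rd 1000:1
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
ipv6 access-list ACL-MGMT-ALLOW_SSH_IPV6
 sequence 10 permit ipv6 host 2001:db8::1 any
 sequence 20 deny ipv6 any any log
!
line vty 0 4
 ipv6 access-class ACL-MGMT-ALLOW_SSH_IPV6 in vrfname MGMT
"""

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, audit(cfg) or "OK")
```

Run it against a saved "show running-config" and treat any finding as a vty line that is effectively unfiltered for IPv6; the same check can be extended to "ipv6 access-class" bindings without "vrfname" by verifying only that the ACL exists.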
The Cisco PSIRT has evaluated this issue and determined that it does not have a security impact that requires PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. There is no PSIRT restriction that prohibits making this bug visible. If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation. Additional information on Cisco's security vulnerability policy can be found at the following URL: https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html