Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
999
Views
0
Helpful
6
Replies

Cisco Small Business Switches - access list not working over aggregated link (LACP)

Go to solution
jan.maly1
Level 1
Level 1

‎11-23-2016 04:20 AM

Hello,

I cannot figure this out, hope that some one here will know what the issue could be. We have bought new Cisco switches SG500X small business line, we have two core switches SG500XG-8F8T 16-Port build as stack and SG500X-48P 48-Port Gigabit with 4-Port 10-Gigabit connected to this stack. I have created an aggregated link between these two switches, two links aggregated together using LACP (mode auto). My config is as following and is identical on both switches (Stack and 48P switch), please see the picture in the attachment.

interface Port-channel1
description Trunk_to_10.5.100.33_Ports_XG1&2
switchport trunk allowed vlan add 10,60,100
switchport trunk native vlan 105

interface tengigabitethernet1/2/14
description Trunk_to_10.5.100.33_Port_XG1/1/1
channel-group 1 mode auto

interface tengigabitethernet2/2/14
description Trunk_to_10.5.100.33_Port_XG1/1/2
channel-group 1 mode auto

Access List applied to interface vlan on core stack:

interface vlan 60
ip address 10.5.60.1 255.255.255.0
service-acl input AccessList_Vlan60

When I create access list for certain vlan interface on our core stack and connect my laptop to 48P switch to test the access list, it just completely ignores the access list like there would be no tagging, basically it allows you to go anywhere in that vlan. If i create simple trunk between the stack and 48P switch, port to port, no aggregation, the access list is applied just fine and all is working.

Any one seen this before? I have always dealt with Catalyst switches where I have used PagP and that was working OK every time.

Thank you for help

Jan

Labels:
Preview file
82 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Michal Bruncko
Level 4
Level 4

‎11-23-2016 04:49 AM

Hi Jan

seems that here is discussed similar topic to yours. what you can do to reproduce the issue is to change IP address on your laptop with 1 (to change from odd to even number or vice-versa). if you are allowed with current IP, then you should get denied with changed IP address. 

and at the end if you confirm same behavior, then I strongly recommend you to open service request to Support - Small Business Support Center (SBSC in order to get this bug resolved.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Michal Bruncko
Level 4
Level 4

‎11-23-2016 04:49 AM

Hi Jan

seems that here is discussed similar topic to yours. what you can do to reproduce the issue is to change IP address on your laptop with 1 (to change from odd to even number or vice-versa). if you are allowed with current IP, then you should get denied with changed IP address. 

and at the end if you confirm same behavior, then I strongly recommend you to open service request to Support - Small Business Support Center (SBSC in order to get this bug resolved.

0 Helpful

Go to solution
jan.maly1
Level 1
Level 1
In response to Michal Bruncko

‎11-23-2016 05:23 AM

Hello Michal,

Thank you very much for your reply. It seems to be the issue!

I would never believe there could be such a bug, just went to try it, picked one website, it worked with odd IP but didn't with even IP. I tried few others kept changing IPs and i have to say its pretty unreliable.

I have the latest firmware on all equipment and this is quite problem for us as we have no redundancy when we are forced to use just simple trunk. We need to have access lists implemented.

Thank you for answering my question

Kind Regards,

Jan

0 Helpful

Go to solution
Michal Bruncko
Level 4
Level 4
In response to jan.maly1

‎11-23-2016 05:53 AM

just for your info: I get cross all SG500 bugs and I haven't found any bug related to this issue (LAG, VLAN ACL) so the best would be to report this in order to get TAC aware about this issue.

0 Helpful

Go to solution
jan.maly1
Level 1
Level 1
In response to Michal Bruncko

‎11-23-2016 07:09 AM

Will do.

Thank you for your help.

Jan

0 Helpful

Go to solution
Holger Ronecker
Level 1
Level 1
In response to Michal Bruncko

‎05-21-2018 09:03 AM

me too

just in case somebody stumbles over this, I have created a service request 684517426 

0 Helpful

Go to solution
Holger Ronecker
Level 1
Level 1
In response to Holger Ronecker

‎06-15-2018 09:59 AM

I worked with the support team and it is a confirmed bug.

The id is  CSCvj91570


for those with access, you can look it up and follow it here

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj91570

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Switch products supported in this community
Cisco Business Product Family
  • CBS110
  • CBS220
  • CBS250
  • CBS350
Cisco Switching Product Family
  • 110
  • 200
  • 220
  • 250
  • 300
  • 350
  • 350X
  • 550X
Customers Also Viewed These Support Documents