Support
Community

SKH · ‎07-25-2023

I have a Netvanta 1560 (ASE) switch that appears to have auto-created two ACLs that completely block DHCP traffic. I tested that I can create a new ACL and delete it but I can't remove the auto-created ones. DHCP is provided by the local gateway so I need UDP traffic on DHCP ports 67 & 68 to be open so traffic can pass both directions through the switch. Any ideas how to remove the two DHCP ACLs or change them from 'deny' to 'permit'? I can't find a way to do anything with them in the documentation.

COL-SW-2362052# show access-list ace-status
User
----
S : static
IPSG: ipSourceGuard
IP: IP
IPMC: ipmc
MEP : mep
ARPI: arpInspection
UPnP: upnp
PTP : ptp
DHCP: dhcp
LOOP: loopProtect
LOAM: linkOam

User ID Frame Action Rate L. Mirror CPU Counter Conflict
---- -- ------ ------ -------- -------- ------ ------- -------
LOOP 1 EType Deny Disabled Disabled Yes 273 No
DHCP 1 UDP Deny Disabled Disabled Yes 1 No
DHCP 2 UDP Deny Disabled Disabled Yes 2 No
IP 1 IPv4 Permit Disabled Disabled Yes 0 No
Switch 1 access-list ace number: 4

BradR · ‎07-25-2023

I am not sure how the ACE got created, so can you show the output of your running config with private info redacted?

SKH · ‎07-26-2023

XXXXXXXX# show running-config

Building configuration...

hostname XXXXXXXX

logging on

logging host 192.168.X.X

logging level warning

username XXXXX privilege 15 password encrypted

loop-protect

!

vlan 1

!

snmp-server host Zabbix

no shutdown

host 192.168.X.X 161 informs

version v2 encrypted

!

snmp-server host InterMapper

no shutdown

host 192.168.X.X 161 traps

version v2 encrypted

!

ip name-server 0 192.168.X.X

ip name-server 1 192.168.X.X

ip domain name XXXXXXXXcom

ip helper-address 192.168.X.X

ntp

ntp server 1 ip-address 192.168.X.X

ntp server 2 ip-address 192.168.X.X

clock timezone '' -8

ip http secure-server

ip http secure-redirect

spanning-tree mst name ac-13-9c-19-3c-f0 revision 0

snmp-server contact helpdesk (email)

snmp-server location Data Center

no snmp-server community public

no snmp-server community private

snmp-server user XXXXX engine-id 8000029803ac139c193cf0 md5 encrypted 9957DAE14F558F673981292D801A1A00 priv des encrypted 9957DAE14F558F673981292D801A1A00

no snmp-server security-to-group model v1 name public

no snmp-server security-to-group model v1 name private

no snmp-server security-to-group model v2c name public

no snmp-server security-to-group model v2c name private

snmp-server view default_ro_view .1 include

no snmp-server view default_view .1

snmp-server trap linkUp id 0

snmp-server trap linkDown id 0

snmp-server trap coldStart id 0

snmp-server trap warmStart id 0

snmp-server trap alarmTrapStatus id 0

snmp-server trap psecTrapInterfaces id 0

snmp-server trap psecTrapGlobalsMain id 0

!

interface llag 1

!

interface llag 2

!

voice vlan oui 00-01-E3 description Siemens AG phones

voice vlan oui 00-03-6B description Cisco phones

voice vlan oui 00-0F-E2 description H3C phones

voice vlan oui 00-60-B9 description Philips and NEC AG phones

voice vlan oui 00-D0-1E description Pingtel phones

voice vlan oui 00-E0-75 description Polycom phones

voice vlan oui 00-E0-BB description 3Com phones

!

interface GigabitEthernet 1/1

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/2

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/3

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/4

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/5

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/6

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/7

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/8

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/9

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/10

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/11

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/12

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/13

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/14

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/15

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/16

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/17

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/18

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/19

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/20

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/21

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/22

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/23

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/24

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/25

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/26

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/27

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/28

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/29

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/30

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/31

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/32

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/33

thermal-protect grp 1

speed auto 10 100 1000

aggregation group 2 mode passive

!

interface GigabitEthernet 1/34

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/35

thermal-protect grp 1

speed auto 10 100 1000

aggregation group 2 mode passive

!

interface GigabitEthernet 1/36

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/37

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/38

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/39

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/40

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/41

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/42

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/43

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/44

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/45

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/46

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/47

switchport mode trunk

thermal-protect grp 1

speed auto 10 100 1000

!

interface GigabitEthernet 1/48

switchport mode trunk

thermal-protect grp 1

speed auto 10 100 1000

!

interface 10GigabitEthernet 1/1

thermal-protect grp 1

speed auto

!

interface 10GigabitEthernet 1/2

thermal-protect grp 1

!

interface 10GigabitEthernet 1/3

thermal-protect grp 1

speed 2500

aggregation group 1 mode active

!

interface 10GigabitEthernet 1/4

thermal-protect grp 1

speed 2500

aggregation group 1 mode active

!

interface vlan 1

ip address dhcp fallback 192.168.X.X 255.255.255.0 timeout 60

!

mep os-tlv oui 0xC sub-type 0x1 value 0x2

!

spanning-tree aggregation

spanning-tree link-type point-to-point

!

line console 0

!

line vty 0

!

line vty 1

!

line vty 2

!

line vty 3

!

line vty 4

!

line vty 5

!

line vty 6

!

line vty 7

!

line vty 8

!

line vty 9

!

line vty 10

!

line vty 11

!

line vty 12

!

line vty 13

!

line vty 14

!

line vty 15

!

end

Jeremy1885 · ‎11-21-2023

Did you ever find a solution to this issue? Our DHCP is handled by a Windows server, and I've been back and forth trying to figure out why my 1560 would not complete DHCP requests for anything other than the native VLAN. It looks like this may be the issue for me as well.

lambs · ‎11-21-2023

You'll need to remove the "dhcp fallback" command from your vlan interface. This issue can also occur if you have dhcp snooping enabled. You can check to make sure DHCP isn't being touched by the CPU with the "show access-list ace-status" command. There won't be an entry for DHCP if you've done this correctly.

Jeremy1885 · ‎11-22-2023

@lambs I have removed the "DHCP fallback" from the vlan interface and verified the DHCP snooping is disabled. There are still the two ACL's that show up when running "show access-list ace-status".

1560# show access-list ace-status
User
----
S : static
IPSG: ipSourceGuard
IP: IP
IPMC: ipmc
MEP : mep
ARPI: arpInspection
UPnP: upnp
PTP : ptp
DHCP: dhcp
LOOP: loopProtect
LOAM: linkOam

User ID Frame Action Rate L. Mirror CPU Counter Conflict Remark
---- -- ------ ------ -------- -------- ------ ------- -------- ----------------
DHCP 1 UDP Deny Disabled Disabled Yes 0 No
DHCP 2 UDP Deny Disabled Disabled Yes 5 No
IP 1 IPv4 Permit Disabled Disabled Yes 0 No
S 1 UDP Permit Disabled Disabled No 3 No
S 2 UDP Permit Disabled Disabled No 0 No

Support
Community

Auto Created ACLs Blocking DHCP Traffic

Re: Auto Created ACLs Blocking DHCP Traffic

Re: Auto Created ACLs Blocking DHCP Traffic

Re: Auto Created ACLs Blocking DHCP Traffic

Re: Auto Created ACLs Blocking DHCP Traffic

Re: Auto Created ACLs Blocking DHCP Traffic

SupportCommunity

Auto Created ACLs Blocking DHCP Traffic

Re: Auto Created ACLs Blocking DHCP Traffic

Re: Auto Created ACLs Blocking DHCP Traffic

Re: Auto Created ACLs Blocking DHCP Traffic

Re: Auto Created ACLs Blocking DHCP Traffic

Re: Auto Created ACLs Blocking DHCP Traffic

Support
Community