Vulnerable Products:
At the time of publication, this vulnerability affected the following Cisco products if they were running a vulnerable release of Cisco IOS Software and had both an IPv4 ACL and IP Source Guard configured on an interface:
Catalyst 1000 Switches
Catalyst 2960-L Series Switches
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.
Determine the Device Configuration
To determine whether a device has an IPv4 ACL configured on the same interface that is leveraging IP Source Guard, use the show running-config CLI command. Examine the contents under each interface to see if an IPv4 access-group has been configured along with IP Source Guard, which is enabled with the ip verify source command, as shown in the following example:
Switch# show running-config
.
.
<output omitted>
.
.
interface GigabitEthernet1/0/11
 switchport access vlan 200
 ip access-group DropACL in
 ip verify source
.
.
<output omitted>
.
.
Switch#
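The check described above can be run offline against a saved running-config. The following is an added example, not Cisco's code: the function names and the sample configuration are constructed for illustration, and it also reports whether DHCP snooping covers each flagged port's access VLAN, since IP Source Guard depends on it.

```python
import re

# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 200,300-310
ip dhcp snooping
!
interface GigabitEthernet1/0/10
 switchport access vlan 200
 ip verify source
!
interface GigabitEthernet1/0/11
 switchport access vlan 200
 ip access-group DropACL in
 ip verify source
!
interface GigabitEthernet1/0/12
 switchport access vlan 400
 ip access-group DropACL in
 ip verify source
!
"""

def snooping_vlans(config):
    """Expand every 'ip dhcp snooping vlan <list>' line into a set of VLAN IDs."""
    vlans = set()
    for spec in re.findall(r"^ip dhcp snooping vlan (\S+)", config, re.M):
        for part in spec.split(","):
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Return {interface: snooping_active} for ports with both an IPv4 ACL and IPSG."""
    snooping_on = bool(re.search(r"^ip dhcp snooping\s*$", config, re.M))
    vlans = snooping_vlans(config) if snooping_on else set()
    findings = {}
    for name, body in re.findall(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        lines = [l.strip() for l in body.splitlines()]
        has_acl = any(re.match(r"ip access-group \S+ (in|out)$", l) for l in lines)
        has_ipsg = any(l.startswith("ip verify source") for l in lines)
        if has_acl and has_ipsg:
            # Assumption: a port with no 'switchport access vlan' line is in VLAN 1.
            vlan = next((int(l.split()[-1]) for l in lines
                         if l.startswith("switchport access vlan ")), 1)
            findings[name] = vlan in vlans
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Interfaces mapped to `True` match the configuration this advisory describes; trunk ports are not evaluated by this sketch.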
Note: For the IP Source Guard configuration to take effect, IP DHCP snooping must be enabled for the VLAN to which the IP Source Guard and IP access-group are applied. The following example shows DHCP snooping enabled on VLAN 200:
Switch#show ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
200
DHCP snooping is operational on following VLANs:
200
.
.
.
output omitted

Products Confirmed Not Vulnerable:
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
IOS Software that is running on platforms not listed in the Vulnerable Products section of this advisory
IOS XE Software
IOS XR Software
Meraki products
NX-OS Software

Details:
Exploitation of this vulnerability could...
12.2(6)I1, 15.1(3)SVR1, 15.1(3)SVR10, 15.1(3)SVR2, 15.1(3)SVR3, 15.1(3)SVS, 15.1(3)SVS1, 15.1(3)SVT1, 15.1(3)SVT2, 15.1(3)SVT3 (+53 more)

Exploitability: AV:A, AC:L, PR:N, UI:N
Scope: S:C
Impact: C:N, I:L, A:N
4.7 / CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N