This took many hours to identify in my new deployment. Cisco had to update the description on defect CSCvk32774 to include port ranges for UDP.
This only happens when we push dACL's from ISE to the 9300 - if the dACL includes a range of ports, the 9300 will randomly fail to apply some of the ACE's. Completely random. In a stack of 3, after a reboot a random member switch with either half the ports will fail or all the ports... or none of the ports.
Later, we found another bug or missing feature:
Defect: CSCvg79644 - this hasn't been updated yet. It affects 16.6.X and from what we're told 16.8.x too - and it doesn't only affect the 3850, the 9300 should be listed too.
Now that the issues have been identified, Cisco is working hard with us to get them fix.
Anyone else using the 9300 + ISE?
edit: added 9300 to 79644 defect line.
No comments:
Post a Comment