Symptom
Console and Telnet/SSH sessions to the switch hang, and the condition does not clear until the switch is reloaded.
Conditions
VLAN configuration change/add/delete events are executed at the moment ARP packets are punted to the CPU.
Device tracking is enabled, either explicitly through the CLI "device-tracking [attach-policy]" on a port or VLAN, or implicitly by another feature such as LISP or the CLI "ip dhcp snooping vlan X". Run "show device-tracking policies" to confirm whether it is active.
The switch freezes, drops end-user traffic and also stops executing CLI commands.
A "show run" or "show tech-support" command is executed.
Affects 16.6.3 and 16.3.6 across all platforms. Code versions earlier than each of those releases are not impacted.
Workaround
The switch is not recoverable once the condition is hit; it has to be reloaded.
To avoid hitting the issue, use one of the following options whenever VLAN configuration changes are required:
Option 1:
1) Disable IP DHCP snooping. Note the VLAN list that is currently configured (show running-config | include ip dhcp snooping) first, so that it can be restored exactly in step 3):
no ip dhcp snooping vlan 2-4094
no ip dhcp snooping
2) Remove the IPDT/SISF device-tracking policy from every interface it is attached to:
interface <interface-name>
no device-tracking attach-policy
3) Make all the desired VLAN configuration changes, then restore the CLI removed in steps 1) and 2) above.
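As an added illustration of Option 1 (example code written for this note, not Cisco tooling and not part of the bug report), the following Python script reads the text of "show running-config", collects the features that steps 1) and 2) remove (the DHCP snooping VLAN list, global DHCP snooping and every "device-tracking attach-policy"), and emits the removal commands together with the matching restore commands in reverse order, so the policy names and VLAN list are captured before anything is taken away. The running-config excerpt is constructed; the handling of "vlan configuration N" sections assumes that is the VLAN-level attach point the report refers to with "on port or vlan". Device tracking enabled implicitly by LISP is not visible in this text, so "show device-tracking policies" on the switch remains the authoritative check.

```python
"""Reversible change set for the Option 1 workaround.

Added example for this note, not Cisco tooling and not part of the
bug report. It reads the text of "show running-config", collects the
features steps 1) and 2) remove (the DHCP snooping VLAN list, global
DHCP snooping and every "device-tracking attach-policy"), and emits
the removal commands plus the matching restore commands.
"""
import re

# Constructed running-config excerpt for the demo (not from a real device).
SAMPLE_RUNNING_CONFIG = """\
ip dhcp snooping vlan 10,20,100-110
ip dhcp snooping
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 device-tracking attach-policy IPDT_POLICY
!
interface GigabitEthernet1/0/2
 switchport access vlan 20
!
interface GigabitEthernet1/0/3
 device-tracking attach-policy IPDT_POLICY
!
vlan configuration 100
 device-tracking attach-policy IPDT_VLAN_POLICY
!
"""

_SNOOP_VLAN = re.compile(r"^ip dhcp snooping vlan (\S+)$")
_SNOOP_GLOBAL = re.compile(r"^ip dhcp snooping$")
# "vlan configuration N" is assumed to be the VLAN-level attach point the
# report refers to with "on port or vlan"; interfaces are handled the same way.
_SECTION = re.compile(r"^(interface \S+|vlan configuration \S+)$")
_ATTACH = re.compile(r"^ device-tracking attach-policy (\S+)$")


def parse_features(running_config):
    """Return (snooping_vlan_list, snooping_global, attachments).

    attachments is a list of (section header, policy name) so the policy
    can be re-attached by name after the VLAN work.
    """
    snooping_vlans, snooping_global, attachments = None, False, []
    section = None
    for line in running_config.splitlines():
        header = _SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        if not line.startswith(" "):
            section = None  # "!" or any other top-level line ends a section
        if section is None:
            m = _SNOOP_VLAN.match(line)
            if m:
                snooping_vlans = m.group(1)
            elif _SNOOP_GLOBAL.match(line):
                snooping_global = True
        else:
            m = _ATTACH.match(line)
            if m:
                attachments.append((section, m.group(1)))
    return snooping_vlans, snooping_global, attachments


def needs_workaround(running_config):
    """True if DHCP snooping or an explicit attach-policy is present.

    Device tracking pulled in implicitly by LISP is not visible here, so
    "show device-tracking policies" on the box remains the authoritative check.
    """
    snooping_vlans, snooping_global, attachments = parse_features(running_config)
    return bool(snooping_vlans or snooping_global or attachments)


def build_change_set(running_config):
    """Return (remove_cmds, restore_cmds) for configure mode.

    remove_cmds go in before the VLAN changes (steps 1 and 2), restore_cmds
    after them (step 3), in reverse order of removal.
    """
    snooping_vlans, snooping_global, attachments = parse_features(running_config)
    remove, restore_groups = [], []
    if snooping_vlans:
        remove.append(f"no ip dhcp snooping vlan {snooping_vlans}")
        restore_groups.append([f"ip dhcp snooping vlan {snooping_vlans}"])
    if snooping_global:
        remove.append("no ip dhcp snooping")
        restore_groups.append(["ip dhcp snooping"])
    for section, policy in attachments:
        remove += [section, "no device-tracking attach-policy", "exit"]
        restore_groups.append([section, f"device-tracking attach-policy {policy}", "exit"])
    restore = [cmd for group in reversed(restore_groups) for cmd in group]
    return remove, restore


def full_plan(running_config, vlan_changes):
    """Removal commands, then the caller's VLAN changes, then the restore."""
    remove, restore = build_change_set(running_config)
    return remove + list(vlan_changes) + restore


if __name__ == "__main__":
    changes = ["vlan 300", "name GUEST", "exit"]  # example VLAN add
    for cmd in full_plan(SAMPLE_RUNNING_CONFIG, changes):
        print(cmd)
```

The output is a plain list of configure-mode commands, intended to be reviewed before being pasted into a maintenance window; the restore block is deliberately the mirror image of the removal block so the switch ends in exactly the state it started in.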
Option 2 (intrusive method, not recommended):
- Configure a MAC ACL that temporarily blocks ARP packets.
- Apply the ACL on all ports of the switch, or modify the respective CoPP policy.
- Make the VLAN changes.
- Remove the MAC ACL from the interfaces, and restore the CoPP policy if it was modified.
Option 3 (intrusive method):
- Shut down all interfaces.
- Make the VLAN changes.
- Bring all the interfaces back up (no shutdown).
Further Problem Description
The switch freezes, drops end-user traffic and also stops executing CLI commands.