topic Re: It's not only the problem, in Network Access Control

ISE: support for IPv6 DACL's

Phillip Macey — Wed, 13 Mar 2019 00:44:58 GMT

Hi,

Does anyone know if/when ISE will be able to push out IPv6 dynamic acl's? I have not managed to find any information on this other than an old post here: https://supportforums.cisco.com/discussion/11795676/ise-support-ipv6-dynamic-acls

Thanks,

Phill Macey

ISE 1.3 do not support IPV6

Venkatesh Attuluri — Tue, 06 Jan 2015 14:21:53 GMT

ISE 1.3 do not support IPV6 as of now but its in road map

It's not supported as of the

Marvin Rhoads — Wed, 07 Jan 2015 02:22:02 GMT

It's not supported as of the current ISE 1.3.

I've heard it is planned for a future release but there's no announced or committed date as of yet.

If your're working with a partner or Cisco account manager, be sure to officially request it if it's important to you. Customer requests help build the business case for prioritizing the features.

It would seem that ISE 2.0

Phillip Macey — Mon, 30 Nov 2015 02:26:22 GMT

It would seem that ISE 2.0 has added support for IPv6 dACL's. I have not yet tried it out.

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/release_notes/ise20_rn.html#pgfId-592126

It's not only the problem,

Johannes Luther — Thu, 24 Mar 2016 12:06:22 GMT

It's not only the problem, whether the ISE supports pushing of IPv6 dACLs or not. It's already possible - even with ISE version 1.4 using Cisco AVPs:

cisco-av-pair = ipv6:inacl#1=<IPv6-ACL-LINE-1>
cisco-av-pair = ipv6:inacl#2=<IPv6-ACL-LINE-2>
cisco-av-pair = ipv6:inacl#n=<IPv6-ACL-LINE-n>

So the ISE can do this very easily within autorization profiles.

The problem is mainly the switch hardware platforms supporting IPv6 dACLs.

From what I know IPv6 dACLs are currently only supported on the new IOS-XE platforms (3650, 3850 maybe 4500-S8). For all the still current platforms this is not supported (like Cat2960S, 2960X, Cat6k). Hopefully Cisco will introduce support for these platforms as well. Honestly I'm not seeing a lot of people which actually use the 3650 and 3850 in the access layer (yet).

Maybe someone from Cisco sees this and state if this IPv6 dACL will be supported on these platforms as well.

I did not know you could do

Phillip Macey — Thu, 31 Mar 2016 05:01:19 GMT

I did not know you could do that with the cisco-av-pair. Thanks for mentioning it!

Re: It's not only the problem,

andrew.butterworth — Mon, 08 Mar 2021 22:22:23 GMT

Is the IPv6 dACL issue still there on the 2960X switches?

I was doing some testing and thought configuring with the IBNS 2.0 style configuration rather than the legacy style might fix this, however it doesn't.

If an AV-Pair is presented with 'ipv6:inacl#xxxxxxx' then authentication just fails and you get a dot1x override message in the log

Mar  8 20:54:59.752: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (40b0.340b.bb45) on Interface Gi1/0/1 AuditSessionID C0A8F73300000025029F22A6

If you remove the ipv6 acl av-pair the device authenticates OK. ipv4 acl av-pair works fine.