https://community.cisco.com/t5/network-access-control/sgacls-deploy-in-a-reverse-sequence-on-aps/m-p/4845411#M582007 <P>Hi everyone,</P><P>Probably someone faced with the same issue: we use WLC9800CL controller, ISE3.2, APs 9120/9115 and C9000 switches (17.8.1). We are also deploying TrustSec.</P><P>ISE (3.2) &lt;-- SXP --&gt; WLC (17.8.1) -- push config to ap --&gt; AP</P><P>I created a rule in ISE TrustSec Matrix. Global Default - Permit IP, last personal on cell "Default - Deny IP".</P><P>For example, we have SGT16 and SGT100. I want to block everything from SGT100 except ICMP and back traffic (allow replies from external requests).</P><P>PERMIT_ICMP SGACL:</P><P>&nbsp;</P><LI-CODE lang="markup">permit icmp</LI-CODE><P>&nbsp;</P><P>BACK_PRINT SGACL:&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">permit tcp src eq 443 permit tcp src eq 9100 permit tcp src range 721 731 permit tcp src eq 515 permit udp src eq 161</LI-CODE><P>&nbsp;</P><P>I open cell where SGT16 as source and SGT100 as destination, add rules in that sequence (uo to down):</P><P>PERMIT_ICMP,&nbsp;BACK_PRINT and the last DEFAULT rule Deny IP. Then deploy matrix.</P><P>If I connect through the switch everything works fine. However, if I connect with WiFi (through Cisco AP) all packets will be dropped.</P><P>I check role-based permissions on both devices and found that switch see them as:</P><P>IPv4 Role-based permissions from group 100:SGT_DEV_PRINT to group 16:SGT_DPT_IT:</P><P>&nbsp;</P><LI-CODE lang="markup">PERMIT_ICMP-03 BACK_PRINT-07 Deny IP-00</LI-CODE><P>&nbsp;</P><P>and AP:</P><P>&nbsp;</P><LI-CODE lang="markup">100 16 Deny_IP, BACK_PRINT, PERMIT_ICMP</LI-CODE><P>&nbsp;</P><P>like in reverse format. If I remove Deny_IP everything starts working again.</P><P>I tried to add&nbsp;DENY_ICMP to the last of list instead of Default Deny IP and got problems again. You can see the list of rules from AP:</P><P>&nbsp;</P><LI-CODE lang="markup">100 16 DENY_ICMP, BACK_PRINT, PERMIT_ICMP</LI-CODE><P>&nbsp;</P><P>It's fun, if I add the last rule SGACL DENY_ANY (deny ip) the rule for SGT 100 16 would be disappeared totally.</P><P>What's wrong in with my ACL?</P><P>APs Log:</P><P>&nbsp;</P><LI-CODE lang="markup">May 30 13:02:54 kernel: [*05/30/2023 13:02:54.3858] pattern 6: warning: relation '&lt;= 65535' is always true (range 0-65535) May 30 13:02:54 kernel: [*05/30/2023 13:02:54.4188] In write handler 'rbacl_rules' for 'sg_acl_table :: RoleBasedAcl': May 30 13:02:54 kernel: [*05/30/2023 13:02:54.4188] pattern 6: warning: relation '&lt;= 65535' is always true (range 0-65535) May 30 13:02:54 kernel: [*05/30/2023 13:02:54.4258] In write handler 'rbacl_rules' for 'sg_acl_table :: RoleBasedAcl': May 30 13:02:54 kernel: [*05/30/2023 13:02:54.4258] pattern 6: warning: relation '&lt;= 65535' is always true (range 0-65535)</LI-CODE><P>&nbsp;</P><P>Thanks!</P> Tue, 30 May 2023 13:21:16 GMT Heaven_Bay 2023-05-30T13:21:16Z https://community.cisco.com/t5/network-access-control/sgacls-deploy-in-a-reverse-sequence-on-aps/m-p/4845411#M582007 <P>Hi everyone,</P><P>Probably someone faced with the same issue: we use WLC9800CL controller, ISE3.2, APs 9120/9115 and C9000 switches (17.8.1). We are also deploying TrustSec.</P><P>ISE (3.2) &lt;-- SXP --&gt; WLC (17.8.1) -- push config to ap --&gt; AP</P><P>I created a rule in ISE TrustSec Matrix. Global Default - Permit IP, last personal on cell "Default - Deny IP".</P><P>For example, we have SGT16 and SGT100. I want to block everything from SGT100 except ICMP and back traffic (allow replies from external requests).</P><P>PERMIT_ICMP SGACL:</P><P>&nbsp;</P><LI-CODE lang="markup">permit icmp</LI-CODE><P>&nbsp;</P><P>BACK_PRINT SGACL:&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">permit tcp src eq 443 permit tcp src eq 9100 permit tcp src range 721 731 permit tcp src eq 515 permit udp src eq 161</LI-CODE><P>&nbsp;</P><P>I open cell where SGT16 as source and SGT100 as destination, add rules in that sequence (uo to down):</P><P>PERMIT_ICMP,&nbsp;BACK_PRINT and the last DEFAULT rule Deny IP. Then deploy matrix.</P><P>If I connect through the switch everything works fine. However, if I connect with WiFi (through Cisco AP) all packets will be dropped.</P><P>I check role-based permissions on both devices and found that switch see them as:</P><P>IPv4 Role-based permissions from group 100:SGT_DEV_PRINT to group 16:SGT_DPT_IT:</P><P>&nbsp;</P><LI-CODE lang="markup">PERMIT_ICMP-03 BACK_PRINT-07 Deny IP-00</LI-CODE><P>&nbsp;</P><P>and AP:</P><P>&nbsp;</P><LI-CODE lang="markup">100 16 Deny_IP, BACK_PRINT, PERMIT_ICMP</LI-CODE><P>&nbsp;</P><P>like in reverse format. If I remove Deny_IP everything starts working again.</P><P>I tried to add&nbsp;DENY_ICMP to the last of list instead of Default Deny IP and got problems again. You can see the list of rules from AP:</P><P>&nbsp;</P><LI-CODE lang="markup">100 16 DENY_ICMP, BACK_PRINT, PERMIT_ICMP</LI-CODE><P>&nbsp;</P><P>It's fun, if I add the last rule SGACL DENY_ANY (deny ip) the rule for SGT 100 16 would be disappeared totally.</P><P>What's wrong in with my ACL?</P><P>APs Log:</P><P>&nbsp;</P><LI-CODE lang="markup">May 30 13:02:54 kernel: [*05/30/2023 13:02:54.3858] pattern 6: warning: relation '&lt;= 65535' is always true (range 0-65535) May 30 13:02:54 kernel: [*05/30/2023 13:02:54.4188] In write handler 'rbacl_rules' for 'sg_acl_table :: RoleBasedAcl': May 30 13:02:54 kernel: [*05/30/2023 13:02:54.4188] pattern 6: warning: relation '&lt;= 65535' is always true (range 0-65535) May 30 13:02:54 kernel: [*05/30/2023 13:02:54.4258] In write handler 'rbacl_rules' for 'sg_acl_table :: RoleBasedAcl': May 30 13:02:54 kernel: [*05/30/2023 13:02:54.4258] pattern 6: warning: relation '&lt;= 65535' is always true (range 0-65535)</LI-CODE><P>&nbsp;</P><P>Thanks!</P> Tue, 30 May 2023 13:21:16 GMT https://community.cisco.com/t5/network-access-control/sgacls-deploy-in-a-reverse-sequence-on-aps/m-p/4845411#M582007 Heaven_Bay 2023-05-30T13:21:16Z