https://community.cisco.com/t5/network-access-control/cisco-ise-1-2-checking-dacl-syntax/m-p/2473232#M87454 <P>Greetings, </P><P></P><P></P><P>When we first set up all of the DACLs for our ISE deployment, it was explained to us that the "!" was a replacement for the "remark" entry on the access list, but when I utilize the "Check DACL Syntax", ISE tells me that my statements are improper:</P><P></P><P>"</P><P>Line 13 - In "! permit tcp any any eq 80", argument #1 "!" is not valid. Legal option(s):</P><P>&nbsp; permit</P><P>&nbsp; deny</P><P>&nbsp; remark</P><P>&nbsp; no</P><P></P><P>"</P><P></P><P>It doesn't appear that my DACLs are giving any errors when is use, so is this just an <SPAN style="font-size: 10pt;">aesthetic error or do I need to go through and change all fo my DACLs to reflect this?</SPAN></P><P></P><P></P><P><SPAN style="font-size: 10pt;">Thank You for any input!</SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P> Mon, 11 Mar 2019 04:30:09 GMT David Pease 2019-03-11T04:30:09Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-2-checking-dacl-syntax/m-p/2473232#M87454 <P>Greetings, </P><P></P><P></P><P>When we first set up all of the DACLs for our ISE deployment, it was explained to us that the "!" was a replacement for the "remark" entry on the access list, but when I utilize the "Check DACL Syntax", ISE tells me that my statements are improper:</P><P></P><P>"</P><P>Line 13 - In "! permit tcp any any eq 80", argument #1 "!" is not valid. Legal option(s):</P><P>&nbsp; permit</P><P>&nbsp; deny</P><P>&nbsp; remark</P><P>&nbsp; no</P><P></P><P>"</P><P></P><P>It doesn't appear that my DACLs are giving any errors when is use, so is this just an <SPAN style="font-size: 10pt;">aesthetic error or do I need to go through and change all fo my DACLs to reflect this?</SPAN></P><P></P><P></P><P><SPAN style="font-size: 10pt;">Thank You for any input!</SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P> Mon, 11 Mar 2019 04:30:09 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-2-checking-dacl-syntax/m-p/2473232#M87454 David Pease 2019-03-11T04:30:09Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-2-checking-dacl-syntax/m-p/2473233#M87462 <P>It is an incorrect format for ISE , please refer correct format from</P><P>http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_authz_polprfls.html#wp1231465</P> Mon, 10 Mar 2014 07:24:29 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-2-checking-dacl-syntax/m-p/2473233#M87462 Saurav Lodh 2014-03-10T07:24:29Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-2-checking-dacl-syntax/m-p/2473234#M87470 <P>Salodh,&nbsp;</P><P>&nbsp;</P><P>While I appreciate that you took the time to reply to me, your response does not actually address my question, and the link you provided does not discuss the "Remark" command at all. &nbsp;&nbsp;</P><P>&nbsp;</P><P>Please feel free to re-read my question, and provide additional assistance if you are able.</P><P>&nbsp;</P><P>&nbsp;</P><P>Thank You.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 11 Mar 2014 13:45:12 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-2-checking-dacl-syntax/m-p/2473234#M87470 David Pease 2014-03-11T13:45:12Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-2-checking-dacl-syntax/m-p/2473235#M87474 <P>While IOS allows the use of the ! character instead of "remark", ISE does not, and as a result you get the warning message you're seeing.</P><P>Javier Henderson</P><P>Cisco Systems</P> Fri, 14 Mar 2014 15:50:15 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-2-checking-dacl-syntax/m-p/2473235#M87474 Javier Henderson 2014-03-14T15:50:15Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-2-checking-dacl-syntax/m-p/2473236#M87480 <P>Hello David,</P><P>I guess there are many more keywords and format that "check DACL syntax" doesn't approve but they do work. A customer wanted to use a keyword ESTABLISHED so I created an ACE and clicked save.</P><P>"permit tcp any any established"</P><P>It gives me a pop-up stating "syntax check of the DACL content has failed, do you want to submit anyway.</P><P>I clicked yes and moved ahead. I then check the dacl syntax and it says</P><P>Line 1 - In "permit tcp any any established", argument #5 "established" is not valid.</P><P>&nbsp;</P><P>Finally, I &nbsp;tested this on dot1x configured switch and the output of 'show ip access-list interface &lt;interface-id&gt;' shows it in downloaded access-list. Even though the syntax was not approved by the ISE we still manage to download it to the switch.</P><P>&nbsp;</P><P>In your case if you are using remarks with dot1x and mab, please keep a watch on this defect</P><P>CSCuj35704 &nbsp; &nbsp;Remark in DACL causing dot1x and MAB authorization failure</P><P>&nbsp;</P><P>Regards,</P><P>Jatin Katyal</P><P>**Do rate helpful posts**</P><P>&nbsp;</P> Sun, 16 Mar 2014 00:44:39 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-2-checking-dacl-syntax/m-p/2473236#M87480 Jatin Katyal 2014-03-16T00:44:39Z