01-19-2023 03:02 PM
Hey everyone,
New to DNA and setting up my first. I've got our Enterprise Interface configured, as well as the Management Interface that we'll be using to access the GUI and manage. My question is, which interfaces is the IP Access Control list applied to? Is it all of them?
I've tried enabling it and putting in the networks we want to be able to access DNA from, and it seems to work. I'm able to browse to the IP and sign in. However, I am no longer able to discover devices and receive an error message that says "Your IP address is not allowed". I've tried adding the network and even the host IP of the devices I'm trying to discover, but I still get the same error message. Thoughts?
Thanks!
01-20-2023 09:57 AM
The intended design is that all your network devices are reached via the Enterprise interface on DNA. During discovery, DNA will try to reach the network devices using both the physical and virtual Enterprise IP addresses, so my guess is that your ACL is blocking one of those. This is also important to consider for any ACLs you have applied to your SNMP community or VTYs.
In the old IOS days we used to use the "log" keyword on ACL deny statements to troubleshoot what traffic was getting blocked. I think that still works on IOS-XE too.
01-20-2023 10:23 AM
I've got both the physical and virtual IP addresses of the Enterprise interface of DNA added to both my SNMP and VTY ACLs on the actual switch.
But I'm referring to the IP Access Control List of DNA. I've added the device's IP address to the IP Access Control List of DNA. However, I still get the error message that my IP address is not allowed. I've tested with a Windows workstation: with IP Access Control enabled, if I try to browse to DNA, I get a blank screen in my browser with a simple error message, "Your IP Address is not allowed". If I add the IP address of said Windows workstation, I get the login screen of DNA and am able to sign in.
01-20-2023 11:03 AM
Oh, I understand now. I have not played around with Settings->IP Access Control. It sounds to me like you'll need to open a TAC case to have them do some troubleshooting. There aren't any advanced settings available, which means this feature should "just work" as expected.
01-20-2023 11:29 AM
Thanks Preston.
Yeah, for the most part it does work, in the sense that if the IP address or network is not in the list, you cannot access DNA's GUI and you get the error message "Your IP address is not allowed" in your browser window. It just seems strange that it would have an effect on discovering devices, considering that the discovery process (one would think) would be outbound traffic, not inbound. I even tested SSH from the switch to DNA with Access Control enabled and I was able to get a login prompt and sign in. So I'm not sure what would be the cause for device discovery to fail.
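The troubleshooting approach the thread converges on (check each source address that DNA Center or the switches will actually use against an ordered allow-list, and log which entry denies it, the way the IOS "log" keyword does) can be rehearsed offline before touching the appliance. The following is an added example, not code from the thread or from Cisco; it assumes the allow-list can be expressed as ordered permit/deny CIDR entries with first-match semantics and an implicit deny at the end, and every address in it is a constructed RFC 5737 documentation value.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    network: ipaddress.IPv4Network  # IPv6 networks also work; mismatched versions never match

def parse_acl(lines):
    """Parse lines of the form 'permit 192.0.2.0/24' or 'deny 198.51.100.7/32'.
    Order is preserved because, as on an IOS ACL, the first matching entry wins."""
    entries = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        action, prefix = raw.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        entries.append(AclEntry(action, ipaddress.ip_network(prefix, strict=False)))
    return entries

def evaluate(entries, src, log):
    """Return True if src is permitted. A deny hit (explicit or the implicit deny at
    the end) appends a line to log, mirroring the 'log' keyword on deny statements."""
    addr = ipaddress.ip_address(src)
    for seq, entry in enumerate(entries, start=10):
        if addr in entry.network:
            if entry.action == "deny":
                log.append(f"seq {seq} deny: {src} matched {entry.network}")
                return False
            return True
    log.append(f"implicit deny: {src} matched no entry")
    return False

def check_sources(entries, sources):
    """Evaluate every labelled source address; return (verdicts, deny log)."""
    log = []
    verdicts = {label: evaluate(entries, ip, log) for label, ip in sources.items()}
    return verdicts, log

# Constructed addresses: the admin workstation plus the two Enterprise-side
# addresses (physical and virtual) that discovery traffic can originate from.
SOURCES = {
    "workstation": "192.0.2.10",
    "enterprise_physical": "198.51.100.5",
    "enterprise_virtual": "198.51.100.6",
}

# Allow-list as first configured in the thread: only the management network.
NARROW_ACL = [
    "# management workstations",
    "permit 192.0.2.0/24",
]

# Widened allow-list covering the Enterprise interface's physical and virtual IPs.
WIDENED_ACL = [
    "permit 192.0.2.0/24",
    "permit 198.51.100.0/28",
]

if __name__ == "__main__":
    for name, acl in (("narrow", NARROW_ACL), ("widened", WIDENED_ACL)):
        verdicts, log = check_sources(parse_acl(acl), SOURCES)
        print(name, verdicts)
        for line in log:
            print("  ", line)
```

With the narrow list only the workstation is permitted and both Enterprise addresses land on the implicit deny, which is the same symptom the original poster saw: the GUI works from the workstation while anything sourced from the Enterprise side is told its IP is not allowed. Widening the list to a prefix that covers both the physical and the virtual Enterprise IP clears every deny-log line.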