Beginner

Cisco ISE 1.2 Checking DACL Syntax

Greetings,

When we first set up all of the DACLs for our ISE deployment, it was explained to us that the "!" was a replacement for the "remark" entry on the access list, but when I utilize the "Check DACL Syntax", ISE tells me that my statements are improper:

"Line 13 - In "! permit tcp any any eq 80", argument #1 "!" is not valid. Legal option(s):
  permit
  deny
  remark
  no"

It doesn't appear that my DACLs are giving any errors when in use, so is this just an aesthetic error or do I need to go through and change all of my DACLs to reflect this?

Thank You for any input!


Accepted Solution
Cisco Employee

Hello David,

I guess there are many more keywords and formats that "check DACL syntax" doesn't approve but that do work. A customer wanted to use the keyword ESTABLISHED, so I created an ACE and clicked save.

"permit tcp any any established"

It gives me a pop-up stating "syntax check of the DACL content has failed, do you want to submit anyway."

I clicked yes and moved ahead. I then checked the DACL syntax and it says

Line 1 - In "permit tcp any any established", argument #5 "established" is not valid.

Finally, I tested this on a dot1x-configured switch, and the output of 'show ip access-list interface <interface-id>' shows it in the downloaded access-list. Even though the syntax was not approved by ISE, we still managed to download it to the switch.

In your case, if you are using remarks with dot1x and MAB, please keep a watch on this defect:

CSCuj35704 - Remark in DACL causing dot1x and MAB authorization failure


Regards,

Jatin Katyal

**Do rate helpful posts**

~Jatin

4 Replies
Rising star

It is an incorrect format for ISE; please refer to the correct format at

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_authz_polprfls.html#wp1231465


Salodh,

While I appreciate that you took the time to reply to me, your response does not actually address my question, and the link you provided does not discuss the "Remark" command at all.

Please feel free to re-read my question, and provide additional assistance if you are able.

Thank You.


Enthusiast

While IOS allows the use of the ! character instead of "remark", ISE does not, and as a result you get the warning message you're seeing.

Javier Henderson

Cisco Systems
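As an added illustration of the checker behaviour described in this thread (this is example code written for this page, not Cisco ISE's checker or anything posted by the participants), the script below applies the one rule quoted in the question, that the first word of each ACE must be one of permit, deny, remark or no, and rewrites IOS-style "!" comment lines to "remark" (or drops them, for anyone who would rather not carry remarks at all given CSCuj35704). Line numbering, blank-line handling and the sample DACL are assumptions; the script does not reproduce ISE's deeper argument checks such as the "established" case.

```python
# Added example, not from the thread or from Cisco ISE: a first-word pre-check
# for DACL content, using the keyword list quoted in ISE's error message.
LEGAL_FIRST = ("permit", "deny", "remark", "no")


def check_dacl_syntax(text):
    """Return [(line_no, message), ...] for ACEs whose first word ISE rejects.

    Assumption: lines are numbered physically and blank lines are skipped;
    only the first keyword is validated, not later arguments.
    """
    errors = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        first = line.split()[0]
        if first not in LEGAL_FIRST:
            errors.append((n, 'In "%s", argument #1 "%s" is not valid. '
                              'Legal option(s): %s'
                              % (line, first, ", ".join(LEGAL_FIRST))))
    return errors


def rewrite_bang_comments(text, keep_remarks=True):
    """Convert IOS-style '!' comment lines to 'remark' lines, or drop them."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("!"):
            if keep_remarks:
                out.append(("remark " + line[1:].strip()).rstrip())
            # keep_remarks=False: the comment line is removed entirely
        else:
            out.append(line)
    return "\n".join(out)


# Constructed sample DACL in the style of the question (not a real deployment).
SAMPLE_DACL = """permit udp any any eq 53
! permit tcp any any eq 80
permit tcp any any eq 80
deny ip any any"""

if __name__ == "__main__":
    for n, msg in check_dacl_syntax(SAMPLE_DACL):
        print("Line %d - %s" % (n, msg))
    print(rewrite_bang_comments(SAMPLE_DACL))
```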
