I have a customer that have ISE enviorment with to kind of catalyst switches Cisco 9300 and Cisco Model: C1000-version IOS: 15.2(7)E3.
If they take a PC that is alowed to access their organisation and connect to the switchport on the Catalyst 9300 or C1000, the PC will be authenticated and the right dACL will be pushed to the Switch port. And so far this is fine.
If then they try to diconnect the switch-port and try to connect an unauthrzed PC to the same ports on the 9300 and C1000 then the
unauthorized PC will be assigned to Guest Vlan which is expected and fine. Here is my question.
Regarurding to my customer it seems that the Catalyst 1000 keep the dACL remain on the interface even the port has been down and an unauthrzed PC has been connected to gust Vlan. Below here you can se the command that our customer has used on the Cisco 1000.
234XA-XXX#sh platform acl port-info interface gigabitEthernet 1/0/14-04-9
Port : Gi1/0/1
IPV4 : handle = 0x40B0C78
acl_name = RKSK-DEFAULT
dacl_name = EPM_xACSACLx-IP-PERMIT_ALL_TRAFFIC-4fe7f797
is_acl_dacl = 1
is_acl_ipsg = 0
is_Acl_webauth = 0
auth_proxy_vmr = 0x42FD680
overload_vmr_entries = 1
My question are:
- why we still seeing the dACL name EPM_xACSACLx-IP-PERMIT_ALL_TRAFFIC-4fe7f797
even after the port has been disconnected and the new PC is connected to guest Vlan that should not have the dACL?
- Is this dACL still activ on the port ?
- Is this a kind of BUG that the dACL name still appiered on the interface?
to be honest I can'nt either find the command " sh platform acl port-info interface X/X/X " on the Cisco
Platform Command Reference, Cisco IOS Release 15.2(7)Ex (Catalyst 1000 Switches).
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst1000/software/releases/15_2_7_e/command_reference/b_1527e_1000_cr/1527e_1000_cr_CLT_chapter.html
I don't have any Cisco 1000 in my test enviorment and I hope that someone can answare my questions.
Thanks a lot
