Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2802
Views
0
Helpful
3
Replies

DACL logging in ISE

cajones
Level 1
Level 1

‎07-05-2016 01:19 PM - edited ‎03-10-2019 11:54 PM

I was told you can not use the "log" option on a DACL so I'm wondering how you fine-tune your DACLs?  I don't want to put a deny ip any any and have no way of knowing what ports are being blocked.

Labels:
0 Helpful
3 Replies 3

Francesco Molino
VIP Alumni
VIP Alumni

‎07-05-2016 02:02 PM

Hi

There was a bug but it has been solved. Even some other keywords like ESTABLISHED are for example shown as error in ise when validating dACL but still working. 

Also, Cisco is using log keyword in their documentation :

http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/119374-technote-dacl-00.html

It's been a long time I've not done any deployments with log keyword but it should work as when migrating to dot1x we prefer testing the acl before to not get a lot of logs. 

Did you test it?

Thanks 

PS: Please don't forget to rate and mark as correct answer if this solved your issue 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

cajones
Level 1
Level 1
In response to Francesco Molino

‎07-05-2016 02:18 PM

Thank you for this information.  I'll read through the document and try that out.  Our test environment was setup but the DACLs had permit ip any any at the end so we could get it all running.  Now we want to fine-tune and lock it down before we go into production so I was hoping to use the log command when I change it to deny to see what other ports might be getting blocked, if any.  I'll definitely get back to you.

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to cajones

‎07-05-2016 02:42 PM

Hi

ok no problem.

I'm doing dot1x since many years and I would recommend to test your acl before going in production even if you use log keywords. The success of a dot1x is based on user feeling. If you deploy acls with deny and it will not work (even if you correct your acl quickly), your project overall feeling will be very bad.

thanks

PS; Please don't forget to rate and mark as correct answer if this solved your issue 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents