03-24-2016 04:13 AM - edited 03-10-2019 11:36 PM
Hi board,
maybe this topic belongs in the switching section of the board as well, but I'll try it here.
Let's assume I'm using open authentication on a switch port along with a pre-authentication ACL. Let's call it PORT-PRE-AUTH-ACL.
The pre-authentication ACL contains the usual stuff like PXE, DHCP, DNS and so on (yes, we want to do profiling :) )
Now the client behind the port is successfully authorized and a dACL is applied to the session. The IP device tracking magic jumps in and adds the IP address of the actually connected client in the source portion of the ACL.
Now the question: What happens with the content of the PORT-PRE-AUTH-ACL on the switch port?
I think the answer to this question is: it depends - right?
From my point of view this is heavily platform and software version dependent. Do you agree? Also I think the documentation is very poor in this particular case.
For example, on a 2960-X and 2960-S with IBNS 2.0 config style running 15.2 code, the behavior is that the dACL content is put above the static port ACL, but the static port ACL stays in place.
Why am I asking this question?
Maybe it's a good idea if we assemble a list from "field experience". I'll start with the two devices from above:
Platform | Version | Behavior | Remarks |
Cat. 2960X | 15.2(4) | concat: dACL then port ACL | IBNS2 |
Cat. 2960S | 15.2(2) | concat: dACL then port ACL | IBNS2 |
Cat. 4500 Sup8 | 3.7.0E | concat: dACL then port ACL | Updated 2016/03/31 by NicolasDemonty (Thank you) |
Cat. 6800 | 15.2(1)SY2 | concat: dACL then port ACL | Updated 2016/08/26 by jcockburn (Thank you) |
Does anybody have a Cat6k (ok - it's hard with IBNS 2.0 on this platform), Cat4k or Cat3k?
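To make the "concat: dACL then port ACL" behaviour from the table concrete, here is an added model of the effective ACL that results on such a platform. It is illustration code written for this thread, not Cisco code: it parses a small subset of IOS ACE syntax, rewrites the dACL source to the client host the way IP device tracking does, concatenates dACL and static port ACL, and evaluates sample flows top-down with the implicit deny at the end. The pre-auth ACL, the dACL and the client address 192.168.50.23 are all constructed sample values.

```python
"""Model of dACL-on-top-of-port-ACL evaluation (added example, not Cisco code).

Assumptions made here: the switch evaluates the dACL first, then the static
port ACL, then an implicit deny; IP device tracking replaces the dACL's
source "any" with the authenticated client's /32. Only a subset of IOS ACE
syntax is supported: "permit|deny <ip|tcp|udp> <src> <dst> [eq <port>]".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the static pre-authentication ACL on the port
PORT_PRE_AUTH_ACL = [
    "permit udp any any eq 67",   # DHCP
    "permit udp any any eq 53",   # DNS
    "permit udp any any eq 69",   # TFTP for PXE
    "deny ip any any",
]

# Constructed sample: a dACL as ISE would send it (source is always "any")
DACL_FROM_ISE = [
    "permit ip any 10.10.0.0 0.0.255.255",  # corporate server range
]


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int] = None       # destination port for "eq <port>"


def _take_addr(tok: List[str], i: int):
    """Parse one address spec starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # "<address> <wildcard>" form; wildcard assumed contiguous (e.g. 0.0.255.255)
    wild_bits = bin(int(ipaddress.ip_address(tok[i + 1]))).count("1")
    return ipaddress.ip_network(f"{tok[i]}/{32 - wild_bits}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Turn one simplified IOS ACE line into an Ace."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, i = _take_addr(tok, 2)
    dst, i = _take_addr(tok, i)
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(action, proto, src, dst, port)


def apply_ip_device_tracking(dacl: List[Ace], client_ip: str) -> List[Ace]:
    """Rewrite every dACL source to the authenticated client's /32 (IPDT behaviour)."""
    host = ipaddress.ip_network(f"{client_ip}/32")
    return [Ace(a.action, a.proto, host, a.dst, a.port) for a in dacl]


def effective_acl(dacl: List[Ace], port_acl: List[Ace]) -> List[Ace]:
    """The 'concat: dACL then port ACL' ordering reported in the thread."""
    return list(dacl) + list(port_acl)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, port: Optional[int] = None) -> str:
    """First-match evaluation; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.port is not None and ace.port != port:
            continue
        return ace.action
    return "deny"


def session_acl(client_ip: str) -> List[Ace]:
    """Build the effective ACL for an authorized session of client_ip."""
    dacl = apply_ip_device_tracking([parse_ace(l) for l in DACL_FROM_ISE], client_ip)
    return effective_acl(dacl, [parse_ace(l) for l in PORT_PRE_AUTH_ACL])


if __name__ == "__main__":
    acl = session_acl("192.168.50.23")
    for ace in acl:
        print(ace)
    # SMB to a corporate server is permitted by the dACL
    print(evaluate(acl, "tcp", "192.168.50.23", "10.10.1.5", 445))
    # DNS to an outside resolver falls through the dACL and hits the port ACL
    print(evaluate(acl, "udp", "192.168.50.23", "8.8.8.8", 53))
    # HTTP to the outside matches nothing but the port ACL's deny
    print(evaluate(acl, "tcp", "192.168.50.23", "8.8.8.8", 80))
```

The point the model makes is that a dACL without a terminal `deny ip any any` does not replace the pre-auth ACL on these platforms: flows the dACL does not mention still fall through to the static entries, so the port ACL's content keeps shaping post-authentication traffic until you end the dACL with an explicit permit-all or deny-all.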
08-29-2016 01:23 AM
Hi JC,
a dedicated interface is used. I guess it's less complex and doesn't consider any access switches. The drawback, of course, is that one interface is "lost" :)
08-29-2016 01:28 AM
Hi Johannes,
Thanks, I agree, and one interface on the 6880s is quite a loss/expensive...
We do not have that, but I have seen instability without it. We make use of the FEXs for dual-active detection, but that is not such a great idea, and now we do not have any open/spare interfaces for that purpose.
Ciao
JC
10-21-2016 05:16 PM
Would you mind sharing some of the gotchas? We're running 15.1(2)SY6 on a 6880-X-LE.
The machine will get an auth success, then the user will get an auth success. We've verified that the switch is downloading the correct dACL from ISE and applying it to the port.
show authentication sessions interface <interface-id>
show ip access-list interface <interface-id>
Most of the resources are available, but file sharing is working sporadically. If the user logs out and then logs back in, the same dACL is applied to the port and all of the shares are visible to the user, which is not the expected behavior.
The version in question appears to meet the minimum requirements for ISE 2.1, but it is not the recommended code for the 6880s listed in the ISE 2.1 compatibility matrix guide. Did you experience this issue? Are there any reasons you deployed the ISE-recommended version of the switch software?
Thank you.
Joe
02-06-2017 08:07 AM
Hi JC,
Hope you're well.
I need your help on the issue below.
Everything was working for two months, then after more users were added to that switch we got a weird issue.
ISE is causing problems on random ports on a 6800 running version 15.2(1)SY3.
We have almost 960 ports up, of which 700 are used by phones and PCs, meaning dot1x needs to work for (700 x 2) + 200 = 1600 dACLs.
Kindly need your words on this
thanks
MH
02-06-2017 09:18 AM
Sorry ... this question is kind of off-topic for this thread. Would you mind opening a thread of your own for this?
(Btw, more information would be good for the new topic. The provided information is not enough ["weird issue"].) But given the number of dACLs ... are you sure you're not running into TCAM issues?
But again - please open a new thread for this!
02-06-2017 09:33 AM
Thanks for your quick response!
I have opened a new thread; kindly let me know your thoughts!
thanks
MH
02-06-2020 02:51 PM
RACL?
Is it Router or Redirection ACL?