dACL on switches in open mode with pre-auth ACL

Johannes Luther
Level 4

Hi board,

maybe this topic is correct in the switching section of the board as well, but I'll try it here.

Let's assume I'm using open authentication on a switch port along with a pre-authentication ACL. Let's call it PORT-PRE-AUTH-ACL.

The pre-authentication ACL contains the usual stuff like PXE, DHCP, DNS and so on (yes, we want to do profiling :) )

Now the client behind the port is successfully authorized and a dACL is applied to the session. The IP device tracking magic jumps in and adds the IP address of the actually connected client in the source portion of the ACL.

Now the question: What happens with the content of the PORT-PRE-AUTH-ACL on the switch port?

  • Is the pre-authentication ACL content gone for the session?
  • Are the ACLs concatenated? The static pre-auth ACL comes first and the dACL content comes after that?
  • Are the ACLs concatenated? The dACL content comes first and the static pre-auth ACL comes after that?

I think the answer to this question is: It depends - right?

From my point of view this is heavily platform and SW version dependent. Do you agree? Also I think the documentation is very poor in this particular case.

For example on a 2960-X and 2960-S with IBNS2.0 config style running 15.2 code, the behavior is that the dACL content is put above the static port ACL. But the static port ACL stays in place.

Why am I asking this question?

  • This is relevant when placing explicit deny statements somewhere in the port or dACL
  • TCAM resource saving on the switch. For example if I permit DHCP in the pre-auth-ACL, I don't have to allow DHCP in the dACL if the ACLs are concatenated. Therefore I have fewer ACE entries --> saving of TCAM resources on the switch.

Maybe it's a good idea if we assemble a list from "field experience". I start with the two devices from above:

| Platform | Version | Behavior | Remarks |
|---|---|---|---|
| Cat. 2960X | 15.2(4) | concat: dACL then port ACL | IBNS2 |
| Cat. 2960S | 15.2(2) | concat: dACL then port ACL | IBNS2 |
| Cat. 4500 Sup8 | 3.7.0E | concat: dACL then port ACL | Updated 2016/03/31 by NicolasDemonty (Thank you) |
| Cat. 6800 | 15.2(1)SY2 | concat: dACL then port ACL | Updated 2016/08/26 by jcockburn (Thank you) |

Does anybody have a Cat6k (ok - it's hard with IBNS2.0 on this platform), Cat4k, Cat3k?
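To make the two consequences raised above (explicit deny placement and ACE count) concrete, here is an added toy model of ACL evaluation that is not part of the original post. It assumes the "concat: dACL then port ACL" behaviour reported in the table, a hypothetical "replace" behaviour for comparison, and constructed sample ACEs, client IP and packets.

```python
# Added example (not from the thread): models how a dACL and a static
# pre-authentication port ACL combine on an open-mode port.
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    proto: str       # "ip" (any protocol), "udp" or "tcp"
    src: str         # "any" or an IPv4 address
    dst: str         # "any" or an IPv4 address
    dport: int = 0   # 0 = any destination port

def matches(ace, pkt):
    return ((ace.proto == "ip" or ace.proto == pkt["proto"])
            and ace.src in ("any", pkt["src"])
            and ace.dst in ("any", pkt["dst"])
            and ace.dport in (0, pkt["dport"]))

def bind_source(dacl, client_ip):
    """Model IP device tracking: 'any' sources in the dACL become the client IP."""
    return [Ace(a.action, a.proto, client_ip if a.src == "any" else a.src,
                a.dst, a.dport) for a in dacl]

def evaluate(acl, pkt):
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"

def effective_acl(pre_auth, dacl, client_ip, mode="concat"):
    # "concat": dACL then static port ACL (behaviour reported in the thread)
    # "replace": hypothetical platform that drops the port ACL after authorization
    bound = bind_source(dacl, client_ip)
    return bound + pre_auth if mode == "concat" else bound

# Constructed sample ACLs (not taken from any real configuration)
PORT_PRE_AUTH_ACL = [
    Ace("permit", "udp", "any", "any", 67),   # DHCP
    Ace("permit", "udp", "any", "any", 53),   # DNS
    Ace("permit", "udp", "any", "any", 69),   # TFTP for PXE
]
DACL_LEAN = [Ace("permit", "tcp", "any", "10.0.0.5", 445)]      # relies on port ACL for DHCP
DACL_WITH_DENY = DACL_LEAN + [Ace("deny", "ip", "any", "any")]  # explicit deny shadows port ACL

CLIENT = "10.1.1.10"  # constructed client address learned by device tracking
DHCP = {"proto": "udp", "src": CLIENT, "dst": "255.255.255.255", "dport": 67}
SMB = {"proto": "tcp", "src": CLIENT, "dst": "10.0.0.5", "dport": 445}

def verdict(dacl, pkt, mode="concat"):
    return evaluate(effective_acl(PORT_PRE_AUTH_ACL, dacl, CLIENT, mode), pkt)
```

With concatenation the lean dACL still lets DHCP through via the port ACL (saving three ACEs per session), but an explicit deny at the end of the dACL blocks it, and under the hypothetical replace behaviour the lean dACL would break DHCP renewals.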

23 Replies

Hi JC,

A dedicated interface is used. I guess it's less complex and doesn't consider any access switches. The drawback, of course, is that one interface is "lost" :)

Hi Johannes,

Thanks, I agree, and one interface on the 6880's is quite a loss/expensive...

We do not have that but I have seen instability with not having that. We make use of the FEX's for dual-active detection, but that is not such a great idea, and now we do not have any open/spare interfaces for that purpose.

Ciao

JC

Would you mind sharing some of the gotchas? We're running 15.1(2)SY6 on a 6880-X-LE.

The machine will get an auth success, then the user will get an auth success. We've verified that the switch is downloading the correct dACL from ISE and applying it to the port.

show authentication sessions interface <interface-id>

show ip access-list interface <interface-id>

Most of the resources are available but file sharing is working sporadically. If the user logs out and then logs back in, the same dACL is applied to the port and all of the shares are visible to the user, which is not expected behavior.

The version in question appears to meet the minimum requirements for ISE 2.1, but it is not the recommended code for the 6880's listed in the ISE 2.1 compatibility matrix guide. Did you experience this issue? Are there any reasons you deployed the ISE-recommended version or the switch-recommended version?

Thank you.

Joe

Hi JC,

Hope you're well.

I need your help on the issue below, please.

Everything was working for two months; then, after more users were added to that switch, we got a weird issue.

ISE is causing problems on random ports on a 6800 running Version 15.2(1)SY3.

We have almost 960 ports up, 700 of which are used by phones and PCs, which means dot1x needs to work for (700 x 2) + 200 = 1600 dACLs.

Kindly, I need your words on this.

thanks

MH

Sorry ... this question is kinda out-of-topic for this thread. Would you mind opening an own thread for this?

(Btw. more information would be good for the new topic. The provided information is not enough ["weird issue"].) But by the number of dACLs ... are you sure you're not running into TCAM issues?

But again - please open a new thread for this!

Thanks for your quick response!

I have opened a new thread; kindly let me know your thoughts!

thanks

MH

6880 ISE ISSUE 15.2 SY3

RACL?
Is it Router or Redirection ACL?