dACL Validation

sadashivpalde
Level 1

Hello All,

We have ISE 2.4 Patch 1 deployed with Cisco WS-C2960+48TC-L switches (IOS 15.2(4)E6).

We want to use dACL for Non-Compliant Endpoints with limited access.

We used a dACL of 67 lines; the dACL gets applied on the interface, but something goes wrong and everything is permitted for the non-compliant endpoint.

Now we have reduced the same dACL to the format below (41 lines) and want to verify whether this dACL is valid and will work.

permit tcp any host 10.1.x.x eq 53
permit udp any host 10.225.x.x eq 53
permit tcp any host 10.1.x.x eq 53
permit udp any host 10.225.x.x eq 53
permit udp any eq bootpc any eq bootps
permit udp any eq bootps any eq bootpc
permit ip any 10.227.254.0 0.0.0.255
permit ip any 10.225.254.0 0.0.0.255
permit tcp any any eq 52311
permit udp any any eq 52311
permit tcp any any eq 888
permit ip any host 10.225.x.x
permit tcp any any eq 445
permit ip any host 10.226.x.x
permit ip any host 10.226.x.x
permit ip any host 10.227.x.x
permit ip any host 10.227.x.x
permit tcp any any eq 2967
permit ip any host 10.226.x.x
permit ip any host 10.226.x.x
permit ip any host 10.225.x.x
permit ip any host 172.18.x.x
permit ip any host 10.226.x.x
permit ip any host 10.225.x.x
permit tcp any host 10.1.x.x eq 389 88 445 135 3268 636 3269 464
permit udp any host 10.1.x.x eq 389 88 445 123 138 137 464
permit tcp any host 10.225.x.x eq 389 88 445 135 3268 636 3269 464
permit udp any host 10.225.x.x eq 389 88 445 123 138 137 464
permit tcp any host 10.1.33.x range 49152 65535
permit tcp any host 10.225.x.x range 49152 65535
permit tcp any host 10.1.x.x range 1024 5000
permit tcp any host 10.225.x.x range 1024 5000
permit tcp any host 10.226.x.x eq 80
permit tcp any host 10.225.x.x eq 80
permit tcp any host 10.226.x.x eq 80 443
permit tcp any host 10.225.x.x eq 81 443
permit tcp any host 10.226.x.x eq 80
permit tcp any host 10.226.x.x eq 80
permit tcp any host 10.225.x.x eq 8014
permit tcp any host 10.225.x.x eq 8014
deny ip any any

Thanks in advance!

Regards,

Sadashiv

2 Replies

ognyan.totev
Level 5

Hi, you can always check dACL validation in ISE.

Hi,

Thanks for the update.

I have validated it in ISE and it shows a valid dACL.

However, ISE only checks the syntax, and I am more concerned about the multiple ports mentioned on the same line for a few of the IPs in the dACL.

Regards,

Sadashiv
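Added example, not code from the thread or from Cisco: an offline checker for a dACL written in the format posted above, covering the point raised in both posts (a long dACL that ends up permitting everything, and multi-port `eq` lines that ISE's syntax check alone does not settle). It parses the subset of IOS extended-ACL syntax the posted dACL uses (permit/deny, ip/tcp/udp, any, host, network plus wildcard, `eq` with one or more ports, `range`), reports exact duplicates and entries that an earlier line already matches in full (first match wins, so those can never fire), and rewrites every multi-port `eq` into the equivalent single-port lines, which match exactly the same traffic and are the form to push if there is any doubt about the switch accepting multi-port entries. The function names, the port-name table and the sample addresses are assumptions made for this example, not values from the thread.

```python
"""Offline checks for an ISE dACL in IOS extended-ACL syntax. Added example, not code from the thread."""
import ipaddress
from dataclasses import dataclass
from itertools import takewhile

Net, ANY = ipaddress.IPv4Network, ipaddress.IPv4Network("0.0.0.0/0")
NAMED_PORTS = {"bootps": 67, "bootpc": 68}  # assumption: only the port names the posted dACL uses
_port = lambda t: int(t) if t.isdigit() else NAMED_PORTS[t]


@dataclass(frozen=True)
class PortSpec:
    op: str       # "eq" (one or more listed ports) or "range" (lo, hi)
    ports: tuple
    def as_set(self):
        return frozenset(range(self.ports[0], self.ports[1] + 1) if self.op == "range" else self.ports)
    def render(self):
        return self.op + " " + " ".join(map(str, self.ports))


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Net
    src_ports: "PortSpec | None"  # None means any port
    dst: Net
    dst_ports: "PortSpec | None"
    def render(self):
        parts = (self.action, self.proto, _addr(self.src), self.src_ports, _addr(self.dst), self.dst_ports)
        return " ".join(p.render() if isinstance(p, PortSpec) else p for p in parts if p)


def _addr(net):
    return ("any" if net.prefixlen == 0 else f"host {net.network_address}" if net.prefixlen == 32
            else f"{net.network_address} {net.hostmask}")


def _parse_addr(toks, i):  # 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> (network, next index)
    if toks[i] == "any":
        return ANY, i + 1
    if toks[i] == "host":
        return Net(toks[i + 1] + "/32"), i + 2
    return Net(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2  # ipaddress accepts an IOS wildcard here


def _parse_ports(toks, i):  # optional 'eq p [p ...]' | 'range lo hi' -> (PortSpec or None, next index)
    if i >= len(toks) or toks[i] not in ("eq", "range"):
        return None, i
    if toks[i] == "range":
        return PortSpec("range", (_port(toks[i + 1]), _port(toks[i + 2]))), i + 3
    ports = tuple(_port(t) for t in takewhile(lambda t: t.isdigit() or t in NAMED_PORTS, toks[i + 1:]))
    if not ports:
        raise ValueError("'eq' with no port")
    return PortSpec("eq", ports), i + 1 + len(ports)


def parse_ace(line):
    toks = line.split()
    if len(toks) < 4 or toks[0] not in ("permit", "deny") or toks[1] not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _parse_addr(toks, 2)
    sp, i = _parse_ports(toks, i)
    dst, i = _parse_addr(toks, i)
    dp, i = _parse_ports(toks, i)
    if i != len(toks) or (toks[1] == "ip" and (sp or dp)):
        raise ValueError(f"trailing tokens, or ports on an 'ip' entry: {line!r}")
    return Ace(toks[0], toks[1], src, sp, dst, dp)


def parse_dacl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("remark")]


def expand_multiport(aces):  # one single-port ACE per listed port, same order, same traffic matched
    def split(spec):
        return [PortSpec("eq", (p,)) for p in spec.ports] if spec and spec.op == "eq" else [spec]
    return [Ace(a.action, a.proto, a.src, s, a.dst, d)
            for a in aces for s in split(a.src_ports) for d in split(a.dst_ports)]


def _covers(a, b):  # True if every packet b matches is also matched by a (actions ignored)
    if (a.proto != "ip" and a.proto != b.proto) or not (a.src.supernet_of(b.src) and a.dst.supernet_of(b.dst)):
        return False
    return all(ap is None or (bp is not None and bp.as_set() <= ap.as_set())
               for ap, bp in ((a.src_ports, b.src_ports), (a.dst_ports, b.dst_ports)))


def find_shadowed(aces):
    """(index, covering index, 'duplicate'|'shadowed') for ACEs an earlier ACE already matches in full,
    so they never fire (first match wins); a shadowed entry with the opposite action is dead policy."""
    hits = []
    for i, b in enumerate(aces):
        j = next((j for j, a in enumerate(aces[:i]) if _covers(a, b)), None)
        if j is not None:
            hits.append((i, j, "duplicate" if aces[j] == b else "shadowed"))
    return hits


# Constructed sample in the shape of the posted dACL; addresses are placeholders, not the poster's.
SAMPLE_DACL = """\
permit udp any eq bootpc any eq bootps
permit tcp any host 10.1.10.5 eq 53
permit tcp any host 10.1.10.5 eq 53
permit ip any 10.225.1.0 0.0.0.255
permit tcp any host 10.1.10.5 eq 389 88 445 135 3268 636 3269 464
permit tcp any host 10.225.1.20 eq 80 443
deny ip any any
"""
```

`find_shadowed(parse_dacl(SAMPLE_DACL))` returns the duplicate on line 3 and the line 6 entry covered by the `permit ip` on line 4; `"\n".join(a.render() for a in expand_multiport(parse_dacl(SAMPLE_DACL)))` prints the list with the eight-port line split into eight single-port lines, ready to paste into ISE. The expanded count is also the number of single-port entries the list really contains, which grows with every multi-port line. If a final `deny ip any any` is ever reported as shadowed, some earlier line already permits all traffic, which is the first thing to look for when a dACL appears to let everything through.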