
1438 Views · 0 Helpful · 2 Replies
Ruelb2214
Beginner

Downloadable ACL not working ISE 2.1

Hi guys,

Anyone experience dACL not working in ISE version 2.1?

We want to block FTP (port 21) on one of our printer subnets, so we used a dACL to implement it. After we bounce the port and the device goes through MAB, we are still able to telnet to the printer subnet although the ACL says deny. Below is the config for your reference.

interface GigabitEthernet1/21
 description PRINTER
 switchport access vlan 104
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 104
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize 
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 2
 storm-control broadcast level 1.00 0.50
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 ip dhcp snooping limit rate 30
end


#sh ip access-lists int g1/21
     deny tcp host 10.67.38.18 any eq ftp
     deny udp host 10.67.38.18 any eq 21
     deny tcp host 10.67.38.18 any eq 3389
     deny udp host 10.67.38.18 any eq 3389
     permit ip host 10.67.38.18 10.0.0.0 0.255.255.255
     permit ip host 10.67.38.18 10.240.48.0 0.0.0.255
     deny ip host 10.67.38.18 any

#sho authentication sessions interface g1/21
            Interface:  GigabitEthernet1/21
          MAC Address:  001b.78f2.13e4
           IP Address:  10.67.38.18
            User-Name:  00-1B-78-F2-13-E4
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  in
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-PRINTER_ACL-5cbfd066
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A4320150003AD782BD7E3F2
      Acct Session ID:  0x00043A5F
               Handle:  0x060004F0

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

2 REPLIES

howon
Cisco Employee (Accepted Solution)

dACL is always applied inbound. Please try another ACL type, such as the per-user ACL method, for outbound access control:

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/119374-technote-dacl-00.html#anc14
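To see why the ACL shown in the question still lets the test traffic through, here is an added Python model of first-match ACE evaluation on the printer's access port. It was written for this page and is not code from the thread or from Cisco. It parses the seven ACEs from the original post's "sh ip access-lists int g1/21" output; the client address 10.67.50.7, the ephemeral port 49152 and the outbound-direction ACL at the end are constructed assumptions used only to illustrate the direction point made in the accepted answer.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"ftp": 21}  # IOS port keyword that appears in the ACL on the page


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    sport: Optional[int]         # "eq N" after the source address; None = any
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # "eq N" after the destination; None = any


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.IPv4Address(tokens[1]))   # IOS wildcard = inverted netmask
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq PORT'; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), tokens[2:]
    return None, tokens


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    src, rest = _parse_addr(tokens[2:])
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, _ = _parse_port(rest)
    return Ace(tokens[0], tokens[1], src, sport, dst, dport)


def matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ipaddress.IPv4Address(pkt.src) in ace.src
            and ipaddress.IPv4Address(pkt.dst) in ace.dst
            and (ace.sport is None or ace.sport == pkt.sport)
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; IOS ends every ACL with an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


# The seven ACEs from 'sh ip access-lists int g1/21' in the original post.
PRINTER_DACL = [parse_ace(l) for l in """
deny tcp host 10.67.38.18 any eq ftp
deny udp host 10.67.38.18 any eq 21
deny tcp host 10.67.38.18 any eq 3389
deny udp host 10.67.38.18 any eq 3389
permit ip host 10.67.38.18 10.0.0.0 0.255.255.255
permit ip host 10.67.38.18 10.240.48.0 0.0.0.255
deny ip host 10.67.38.18 any
""".strip().splitlines()]

PRINTER = "10.67.38.18"
CLIENT = "10.67.50.7"   # constructed: some other host inside 10.0.0.0/8


def dacl_consulted(pkt: Packet) -> bool:
    """A dACL is applied inbound on the access port: only frames the endpoint sends hit it."""
    return pkt.src == PRINTER


def printer_opens_ftp() -> str:
    """Printer acting as an FTP client: ACE 1 matches and the frame is denied."""
    return evaluate(PRINTER_DACL, Packet("tcp", PRINTER, CLIENT, 49152, 21))


def client_connects_to_printer_ftp():
    """Client -> printer:21. The SYN leaves g1/21 outbound, so the dACL never sees it;
    the printer's SYN-ACK has source port 21, so 'any eq ftp' misses and 10/8 permits it."""
    syn = Packet("tcp", CLIENT, PRINTER, 49152, 21)
    syn_ack = Packet("tcp", PRINTER, CLIENT, 21, 49152)
    return dacl_consulted(syn), evaluate(PRINTER_DACL, syn_ack)


# Constructed illustration of the accepted answer: an ACL written for the outbound
# direction (toward the printer) is the one that can match the client's SYN.
OUTBOUND_ACL = [parse_ace("deny tcp any host 10.67.38.18 eq ftp"),
                parse_ace("permit ip any any")]


def outbound_acl_blocks_client() -> str:
    return evaluate(OUTBOUND_ACL, Packet("tcp", CLIENT, PRINTER, 49152, 21))


if __name__ == "__main__":
    print("printer -> client:21 via inbound dACL  :", printer_opens_ftp())
    print("client -> printer:21 (dACL seen?, reply):", client_connects_to_printer_ftp())
    print("client -> printer:21 via outbound ACL  :", outbound_acl_blocks_client())
```

Run it directly to print the three verdicts. The point it makes is that "eq ftp" in an ACE sourced from the printer tests the destination port of frames the printer sends, so the dACL only stops the printer from opening FTP connections itself; the printer's replies to an inbound FTP session carry port 21 as the source port and fall through to the 10.0.0.0/8 permit, and the client's own SYN toward the printer is never evaluated by the inbound dACL at all.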

OK, will try it.

Will update this thread later.
