Re: igmp in ISE DACL syntax check fail

tachyon05 · ‎05-14-2024

I get a syntax check error when the ISE DACL has permit igmp any 224.0.0.0 15.255.255.255. The ACL is accepted and works on a switch if statically configured. However, ISE syntax check gives the below error. Any suggestions?

"permit igmp any 224.0.0.0 15.255.255.255", argument #2 "igmp" is not valid. Legal option(s):
icmp
ip
tcp
udp
1
4
6
17

Mark Elsen · ‎05-14-2024

- Similar to these https://bst.cloudapps.cisco.com/bugsearch?pf=prdNm&kw=argument%20not%20valid%20dacl&bt=custV&sb=anfr&prdNam=Cisco%20Identity%20Services%20Engine%20Software it seems lack of functionality : what ISE version are you on ?

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

MHM Cisco World · ‎05-14-2024

only change the igmp with IP
in end you permit IP but this IP is multicast you dont permit any L4 ports

MHM

tachyon05 · ‎05-14-2024

ISE 3.2 patch 4.
Are you saying to use permit IP any 224.0.0.0 15.255.255.255 instead? I take this is secure because the IGMP IP range is not routable on the public internet, and we don't care about which ports are used, and therefore permitting IP instead of IGMP to this network range allows IGMP traffic but doesn't give end points much of anything else, correct?

MHM Cisco World · ‎05-14-2024

Yoh are correct, let me double check

What is SW platform you have and IOS ver.

MHM

tachyon05 · ‎05-14-2024

Version 17.9.4a on C9606R