07-16-2024 05:52 AM
Dear community,
I plan to implement dACL on the network with ISE.
I went through a lot of posts and documentation, and I saw that "ip device tracking" can be used to replace the "any" statement in the dACL with the IP address of the endpoint, which looks great.
But depending on the switch platform, I think it is not always required to have ip device tracking enabled.
For example, on a Catalyst C9300 with IOS-XE 17.12, I am able to enforce dACL without IP device tracking.
And on an older model like the 3850, I can see that the "any" part of the ACE is replaced with the IP of the endpoint.
As well, on the C9300, "show ip access-list interface x/x" does not return anything (is it the expected behaviour on this model / version?).
1- Is IP device tracking mandatory to implement dACL? (or is it platform / version dependent?)
2- Is it the expected behaviour that "show ip access-list interface x/x" does not show the ACL on the port on a Cat9300 with IOS-XE 17.12?
3- Is it correct that dACL cannot be logged for troubleshooting purposes? (I can add the log statement in ISE, it is downloaded by the switch, but nothing is logged.) How do you troubleshoot dACL in that case?
Thank you
07-16-2024 07:23 AM
IOS-XE with device tracking
From the Cisco doc:
Again, the behavior on Cisco IOS-XE 3.3 has changed when compared to Cisco IOS Version 15.x.
The hidden command from Version 12.2 is obsolete, but now this error is returned:
    3850-1# no ip device tracking int g1/0/48
    % Command accepted but obsolete, unreleased or unsupported; see documentation.
In Cisco IOS-XE, device tracking is activated for all the interfaces (even the ones which do not have 802.1x configured):
MHM
07-16-2024 07:25 AM
How do you check the dACL?
You can try:
    show auth interface details
The name of the dACL appears.
Then use:
    show ip access-list
Check the name you got in the output.
MHM
07-17-2024 05:09 PM
There is no logging for dACLs on most hardware switch platforms, as ACL processing is done in hardware and logging would be an expensive operation. You can see hits in the ACL; see below.
    c9300-Sw#show access-session interface Gi 1/0/1 details
    Interface: GigabitEthernet1/0/1
    IIF-ID: 0x1639E95C
    MAC Address: 0064.40b5.794e
    IPv6 Address: Unknown
    IPv4 Address: 172.20.101.3
    User-Name: 00-64-40-B5-79-4E
    Status: Authorized
    Domain: VOICE
    Oper host mode: multi-auth
    Oper control dir: in
    Session timeout: N/A
    Common Session ID: 65FE14AC0000003532D7D09C
    Acct Session ID: 0x0000002b
    Handle: 0x6800002b
    Current Policy: POLICY_Gi1/0/1
    Local Policies:
    Idle timeout: 65536 sec
    Server Policies:
    ACS ACL: xACSACLx-IP-VoiceACL-5aee9aa7
    c9300-Sw#show ip access-lists | section xACSACLx-IP-
    Extended IP access list xACSACLx-IP-EmployeeAccessACL-5aee9a60
        1 deny ip any 172.20.199.0 0.0.0.255
        2 permit ip any any
    Extended IP access list xACSACLx-IP-VoiceACL-5aee9aa7
        1 permit ip any 172.20.254.0 0.0.0.255
        2 permit ip any 172.20.100.0 0.0.0.255 (15 matches)
        3 permit ip any 172.20.101.0 0.0.0.255
        4 deny ip any any
CCIEx2
**Rate helpful answers**
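Since hit counters are the only troubleshooting signal the answer above offers for dACLs, here is an added Python helper (not from the thread, ISE or Cisco) that parses "show ip access-lists" output, keeps only the downloaded xACSACLx-* ACLs, records the per-ACE "(N matches)" counts, and notes whether each ACE's source is still "any" or has been rewritten to a host address as described for the 3850 in the first post. The sample output is constructed from the output posted above; the PrinterACL and MGMT-IN entries are made up to exercise the parser.

```python
import re

# Constructed sample modelled on the 'show ip access-lists' output in the thread;
# MGMT-IN (a local ACL) and PrinterACL (already rewritten to a host) are made up.
SAMPLE = """\
Extended IP access list MGMT-IN
    10 permit ip 10.0.0.0 0.0.0.255 any (42 matches)
Extended IP access list xACSACLx-IP-EmployeeAccessACL-5aee9a60
    1 deny ip any 172.20.199.0 0.0.0.255
    2 permit ip any any
Extended IP access list xACSACLx-IP-VoiceACL-5aee9aa7
    1 permit ip any 172.20.254.0 0.0.0.255
    2 permit ip any 172.20.100.0 0.0.0.255 (15 matches)
    3 permit ip any 172.20.101.0 0.0.0.255
    4 deny ip any any
Extended IP access list xACSACLx-IP-PrinterACL-0123abcd
    1 permit ip host 10.1.1.25 10.1.2.0 0.0.0.255 (3 matches)
    2 deny ip host 10.1.1.25 any
"""

HEADER = re.compile(r"^Extended IP access list (\S+)")
# seq, action, protocol, the rest of the ACE, and an optional trailing hit counter
ACE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")

def parse_dacls(text, prefix="xACSACLx-"):
    # Return {dacl_name: [ace, ...]}, ignoring ACLs not downloaded from ISE.
    acls, current = {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = h.group(1) if h.group(1).startswith(prefix) else None
            if current:
                acls[current] = []
            continue
        a = ACE.match(line) if current else None
        if a:
            seq, action, proto, rest, hits = a.groups()
            acls[current].append({
                "seq": int(seq), "action": action, "proto": proto,
                "src_is_any": rest.split()[0] == "any",  # not yet rewritten to the endpoint
                "matches": int(hits) if hits else 0,
            })
    return acls

def unused_aces(acls):
    # ACEs with no hits: the first thing to check when a dACL seems to do nothing.
    return [(name, ace["seq"]) for name, aces in acls.items()
            for ace in aces if ace["matches"] == 0]

def total_hits(acls):
    return {name: sum(a["matches"] for a in aces) for name, aces in acls.items()}
```

Paste the real "show ip access-lists" output into parse_dacls and compare two runs a minute apart to see which ACE the endpoint's traffic is actually hitting.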