Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
945
Views
0
Helpful
2
Replies

ISE DACL is applied to Switch but not able to allow the traffic

Go to solution
Ravi D
Level 1
Level 1

‎10-05-2023 08:58 AM

Hello,

We have our Cisco ISE on v3.1 P7. DACL is configured for a Vlan to allow the RDP traffic on that Vlan. 

DACL Syntax on ISE

permit icmp any any
permit tcp any 10.X.XX.0 0.0.0.255 eq 3389
permit tcp any 10.X.XX.0 0.0.0.255 eq 135
permit tcp any 10.X.XX.0 0.0.0.255 eq 445
deny ip any 10.X.XX.0 0.0.0.255
permit ip any any

Config on the C9407R Switch with firmware v17.3.5

interface GigabitEthernet2/0/29
switchport mode access
switchport voice vlan 440
switchport port-security maximum 2
device-tracking
no cdp enable
authentication event no-response action authorize vlan 459
authentication host-mode multi-domain
authentication port-control auto
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 1
dot1x max-reauth-req 1
auto qos trust
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQos-4.0-Trust-Cos-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
end

Device tracking shows the IP Address of the PC connected. 

Tried to replicate the issue on a Test Switch C2960-C and tried to connect a Laptop and RDP to PC on different switch C9407R. 

Tried all the possbile ways by playing around with the DACL syntax and also switch configs but could not find the issue.

DACL is getting applied on the switch interface but when tried to RDP from the Laptop to PC on same Vlan RDP was not working.

Thanks

Ravi

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ravi D
Level 1
Level 1
In response to hslai

‎10-10-2023 12:09 PM

@hslai 

The issue is Resolved.

One piece of DACL is missing which caused the Issue.

DACL syntax having the issue

permit icmp any any
permit tcp any 10.4.XX.0 0.0.0.255 eq 3389
permit tcp any 10.4.XX.0 0.0.0.255 eq 135
permit tcp any 10.4.XX.0 0.0.0.255 eq 445
deny ip any 10.4.XX.0 0.0.0.255
permit ip any any

Missing Config on the DACL

permit tcp any 10.4.XX.0 0.0.0.255 established

 

Once the missing Piece is added to the DACL issue was Resolved.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
hslai
Cisco Employee
Cisco Employee

‎10-06-2023 04:33 PM

@Ravi D 

Device tracking shows the IP Address of the PC connected.

What about the output of "show auth session mac <> detail"?

On switch platforms, you mentioned the problem switch is a C9407R. Then, you tried replicate the issue with a C2960-C. Were you seeing exactly the same issue on the other switch?

On DACL syntax, did icmp work? Did it work with the simplest DACL to permit ip any any? Did it work without any DACL?

0 Helpful

Go to solution
Ravi D
Level 1
Level 1
In response to hslai

‎10-10-2023 12:09 PM

@hslai 

The issue is Resolved.

One piece of DACL is missing which caused the Issue.

DACL syntax having the issue

permit icmp any any
permit tcp any 10.4.XX.0 0.0.0.255 eq 3389
permit tcp any 10.4.XX.0 0.0.0.255 eq 135
permit tcp any 10.4.XX.0 0.0.0.255 eq 445
deny ip any 10.4.XX.0 0.0.0.255
permit ip any any

Missing Config on the DACL

permit tcp any 10.4.XX.0 0.0.0.255 established

 

Once the missing Piece is added to the DACL issue was Resolved.

0 Helpful
Customers Also Viewed These Support Documents