ISE dACL issues 4510

Justin.Nichols
Level 1

I am having an issue with my permit all dACL for printers on a 4510 switch.

Everything looks to be getting applied correctly from ISE, but I'm still getting blocked by my default ACL after the dACL has been successfully downloaded. This is working on a 3560 with the same config.

cat4500e-universalk9.SPA.03.04.06.SG.151-2.SG6.bin

 Interface:  GigabitEthernet8/1
          MAC Address:  0014.3889.3278
           IP Address:  Unknown
            User-Name:  00-14-38-89-32-78
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  9
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-5484c0cc
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A01D2FC000001DC08B4190C
      Acct Session ID:  0x000001E5
              Handle:  0x230001DD

May 15 03:02:29: %SEC-6-IPACCESSLOGP: list ACL_DEFAULT denied tcp 10.1.230.99(9100) -> 10.1.210.74(53091), 2 packets

5 Replies

Justin.Nichols
Level 1

Add: VLAN assignment is working correctly.

Interface config:

interface GigabitEthernet8/1
 switchport access vlan 8
 switchport mode access
 switchport voice vlan 3
 authentication event fail action next-method
 authentication event server dead action authorize vlan 1
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping trust
end

You can use debug epm to verify dACL installation errors. It seems like the dACL is not installed in TCAM because we're not learning the endpoint IP. As Jan said, do a "show ip device tracking all" and verify whether we are learning the endpoint's IP on Gig8/1.
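The check described in this reply, as an added example that is not part of the thread or of any Cisco tool: a small Python script that parses the "show authentication sessions" detail block posted above together with a "show ip device tracking all" table, and flags every authorized session that carries an ACS ACL but has no learned endpoint IP. That is the exact condition in which the switch cannot program the dACL and the static port ACL (ACL_DEFAULT here) keeps filtering the endpoint. The session text is copied from the thread; the device-tracking table is constructed and its column layout is an approximation, since the thread does not include that output.

```python
"""
Added example: correlate a Catalyst 'show authentication sessions ... details'
block with a 'show ip device tracking all' table and report sessions that have
a dACL assigned but no learned IP (dACL cannot be written to TCAM without it).
"""
import re

# Session detail copied from the thread (trimmed to the fields used here).
SESSION_OUTPUT = """\
 Interface:  GigabitEthernet8/1
          MAC Address:  0014.3889.3278
           IP Address:  Unknown
            User-Name:  00-14-38-89-32-78
               Status:  Authz Success
               Domain:  DATA
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-5484c0cc
    Common Session ID:  0A01D2FC000001DC08B4190C
"""

# Constructed device-tracking table (layout approximated; not from the thread).
# Note that there is deliberately no entry for GigabitEthernet8/1.
DEVICE_TRACKING_OUTPUT = """\
IP Device Tracking = Enabled
-------------------------------------------------------------------------------
  IP Address     MAC Address     Vlan  Interface            STATE
-------------------------------------------------------------------------------
  10.1.210.74    001a.2b3c.4d5e  9     GigabitEthernet8/2   ACTIVE
"""


def parse_sessions(text):
    """Return one dict per session from 'Key:  value' lines; a new
    'Interface:' line starts a new session block."""
    sessions, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z -]+?):\s+(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Interface":
            current = {}
            sessions.append(current)
        if current is not None:
            current[key] = value
    return sessions


def parse_device_tracking(text):
    """Return {interface: [(ip, mac, state), ...]}, skipping header,
    separator and summary lines."""
    row = re.compile(
        r"\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f.]{14})\s+(\d+)\s+(\S+)\s+(\S+)", re.I
    )
    table = {}
    for line in text.splitlines():
        m = row.match(line)
        if m:
            ip, mac, _vlan, intf, state = m.groups()
            table.setdefault(intf, []).append((ip, mac.lower(), state.upper()))
    return table


def dacl_without_ip(sessions, tracking):
    """List (interface, mac, acl) for authorized sessions that carry an ACS
    ACL while neither the session nor device tracking knows the endpoint IP."""
    findings = []
    for s in sessions:
        acl = s.get("ACS ACL")
        if not acl or s.get("Status") != "Authz Success":
            continue
        if s.get("IP Address", "Unknown") != "Unknown":
            continue  # session already learned the IP; dACL can be installed
        intf, mac = s.get("Interface"), s.get("MAC Address", "").lower()
        learned = [e for e in tracking.get(intf, [])
                   if e[1] == mac and e[2] == "ACTIVE"]
        if not learned:
            findings.append((intf, mac, acl))
    return findings


if __name__ == "__main__":
    hits = dacl_without_ip(parse_sessions(SESSION_OUTPUT),
                           parse_device_tracking(DEVICE_TRACKING_OUTPUT))
    for intf, mac, acl in hits:
        print(f"{intf}: {mac} has dACL {acl} but no learned IP; "
              f"check 'debug epm' and why device tracking sees no ARP/DHCP")
```

If the script reports a port, the dACL itself is not the problem: the switch has nothing to bind it to until device tracking (ARP probes or DHCP snooping) learns the address, so the next thing to look at is what stops that learning.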

This is somewhat off subject. I am looking for a solution to whitelisting printers. Currently we whitelist printers on our 802.1X wired network. I have whitelisted over 30 new devices in the last month, but have not taken any out of the list. Any sample ACLs or dACLs would be appreciated. Being a university, we have a variety of printers: HP, Brother, Canon, etc.

Thanks for any help.

jan.nielsen
Level 7

Can you see the IP address of your printer as active in "show ip device tracking all" when it's not working?

Justin.Nichols
Level 1

Fixed my issue. DHCP snooping was getting blocked at the port on the server. Trusted the port and everything started working.