ISE DACL

Jason Weids
Level 1

Can anyone save me from ACL hell.

 

I am trying to configure a dacl to be applied to devices in our test VLAN.

I want to allow traffic to 172.23.80.0/24 but deny everything else to 172.16.0.0/12.

My ACL looks like this:

 

permit udp any eq bootpc any eq bootps
permit ip any host 8.8.8.8
permit ip any 172.23.80.0 0.0.0.255
deny ip any 172.16.0.0 0.15.255.255 
permit ip any any

 

It should allow DHCP (which it does), anything to the internet (which it does), deny anything to our internal subnet (which it does) but allow to the 172.23.80.0 subnet (which it does, but only one way). Devices in this VLAN which have this DACL applied can ping the 172.23.80.0 subnet but not vice versa.

 

Any ideas? I have tried adding the permit ICMP statements but it didn't work. I want the 172.23.80.0/24 subnet to be able to reach devices in the test VLAN but don't want devices in the test VLAN to be able to get to anything.

 


6 Replies

hslai
Cisco Employee

First of all, a DACL is specific to the network device platform, not to ISE.

It does not look like a good use case for a DACL in your case, because you want to allow access to the devices the DACL is applied to. DACLs are mainly to restrict traffic from the devices, not to the devices, because the "any" keyword in the source portion of the entries is effectively replaced by the IP address of such a device.

You might want to try an entry such as "permit ip 172.16.0.0 0.15.255.255 any", or use another type of ACL.

Thanks for your reply,

 

The problem with "permit ip 172.16.0.0 0.15.255.255 any" is that it is not valid, because the keyword "any" must be the source. The issue, like you say, is that the DACL is applied from the devices the DACL applies to. So my DACL should allow traffic to the 172.23.80.0/24 subnet and vice versa but deny traffic to the 172.16.0.0/16. Or is it because these subnets overlap that I am having the issue?

 

permit udp any eq bootpc any eq bootps
permit ip any host 8.8.8.8
permit ip any 172.23.80.0 0.0.0.255
deny ip any 172.16.0.0 0.15.255.255 
permit ip any any

You may still save the DACL despite the warning:

1. While creating a DACL, the keyword 'Any' must be the source in all ACEs in the DACL.
Once the DACL is pushed, the 'Any' in the source is replaced with the IP address of the client that is connecting to the switch.

Note the 2nd line above is what I said earlier, so your current DACL is not really allowing the traffic as you expect it to. If it is still not working, please employ other means than a DACL to limit the connections.
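To make the substitution rule above concrete, here is an added example (not code from the thread or from Cisco) that parses the DACL posted above, rejects any ACE whose source is not "any" (the rule ISE enforces), pushes it for a client by replacing "any" with the client's /32, and then evaluates the flows the question describes. The endpoint address 192.0.2.50 and the peer 172.23.80.10 are constructed values for the demo. It also encodes, as an assumption, the point hslai makes: the DACL is applied to traffic sourced by the endpoint, so a packet addressed to the endpoint is never evaluated by it. The evaluator shows that the endpoint's echo reply toward 172.23.80.0/24 is permitted by the third ACE, and that because 172.23.80.0/24 sits inside 172.16.0.0/12 the permit must precede the deny.

```python
"""Model how an ISE dACL is validated, pushed and evaluated on the switch port.

Added example, not from the original thread. Assumptions:
  - every ACE source must be the keyword "any" (ISE warning quoted above);
  - on push, "any" in the source becomes the authenticated endpoint's /32;
  - the dACL only sees packets *sourced by* the endpoint (hslai's point), so
    packets addressed *to* the endpoint are not evaluated by it.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The dACL from the thread, verbatim.
DACL_TEXT = """\
permit udp any eq bootpc any eq bootps
permit ip any host 8.8.8.8
permit ip any 172.23.80.0 0.0.0.255
deny ip any 172.16.0.0 0.15.255.255
permit ip any any
"""

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}
ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]
    text: str


def _network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard mask to a network: 0.15.255.255 -> /12, 0.0.0.255 -> /24."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return _network(t[i], t[i + 1]), i + 2


def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_dacl(text: str) -> List[Ace]:
    """Parse ACEs and enforce the ISE rule that every source is 'any'."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[2] != "any":
            raise ValueError(f"ISE requires source 'any' in every ACE: {line}")
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        aces.append(Ace(t[0], t[1], src, sport, dst, dport, line))
    return aces


def push_dacl(aces: List[Ace], client_ip: str) -> List[Ace]:
    """What the switch does on authorization: source 'any' becomes the endpoint /32."""
    host = ipaddress.IPv4Network(client_ip + "/32")
    return [Ace(a.action, a.proto, host, a.src_port, a.dst, a.dst_port, a.text) for a in aces]


def evaluate(aces: List[Ace], proto: str, src: str, sport, dst: str, dport) -> Tuple[str, str]:
    """First-match evaluation with the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for a in aces:
        if a.proto not in ("ip", proto) or s not in a.src or d not in a.dst:
            continue
        if a.src_port is not None and a.src_port != sport:
            continue
        if a.dst_port is not None and a.dst_port != dport:
            continue
        return a.action, a.text
    return "deny", "implicit deny"


def port_decision(pushed: List[Ace], client_ip: str, proto: str, src: str, sport, dst: str, dport):
    """The pushed dACL filters only what the endpoint sends (assumption above)."""
    if src != client_ip:
        return "not filtered by dACL", None
    return evaluate(pushed, proto, src, sport, dst, dport)


if __name__ == "__main__":
    pushed = push_dacl(parse_dacl(DACL_TEXT), "192.0.2.50")  # constructed endpoint
    for a in pushed:
        print(f"{a.action:6} src={a.src} -> {a.text}")
    print(evaluate(pushed, "icmp", "192.0.2.50", None, "172.23.80.10", None))  # echo reply out
    print(evaluate(pushed, "icmp", "192.0.2.50", None, "172.16.5.5", None))    # internal: deny
    print(port_decision(pushed, "192.0.2.50", "icmp", "172.23.80.10", None, "192.0.2.50", None))
```

Two checks fall out of this: swapping the third and fourth ACEs makes the 172.23.80.0/24 exception disappear, because a first-match deny on 172.16.0.0/12 also covers 172.23.80.0/24; and "permit ip 172.16.0.0 0.15.255.255 any" is rejected at parse time, which is the ISE warning the thread quotes.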

That is not really an answer, is it?

 

The second line means it needs the "any" prefix, which it will replace with the IP of the device that is connecting to the switch. It is not traffic from the device that I am having an issue with; the DACL works from that perspective. It is traffic going to the device that does not seem to work.

To say find another way is a cop out, sorry.

"any" might be implicitly replaced so you might not see the replacement in action.

Since it's not working as you desired, it leaves you no choice but to seek a different solution.

Or it could have just been because the client's firewall was blocking it. Now working.