01-01-2015 02:10 PM - edited 03-12-2019 05:44 PM
Hi,
Does anyone know if/when ISE will be able to push out IPv6 dynamic ACLs? I have not managed to find any information on this other than an old post here: https://supportforums.cisco.com/discussion/11795676/ise-support-ipv6-dynamic-acls
Thanks,
Phill Macey
01-06-2015 06:21 AM
ISE 1.3 does not support IPv6 as of now, but it's on the roadmap.
01-06-2015 06:22 PM
It's not supported as of the current ISE 1.3.
I've heard it is planned for a future release but there's no announced or committed date as of yet.
If you're working with a partner or Cisco account manager, be sure to officially request it if it's important to you. Customer requests help build the business case for prioritizing the features.
11-29-2015 06:26 PM
It would seem that ISE 2.0 has added support for IPv6 dACLs. I have not yet tried it out.
http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/release_notes/ise20_rn.html#pgfId-592126
03-24-2016 05:06 AM
The problem is not only whether ISE supports pushing IPv6 dACLs or not. It's already possible, even with ISE version 1.4, using Cisco AVPs:
cisco-av-pair = ipv6:inacl#1=<IPv6-ACL-LINE-1>
cisco-av-pair = ipv6:inacl#2=<IPv6-ACL-LINE-2>
cisco-av-pair = ipv6:inacl#n=<IPv6-ACL-LINE-n>
So ISE can do this very easily within authorization profiles.
The problem is mainly the switch hardware platforms supporting IPv6 dACLs.
From what I know, IPv6 dACLs are currently only supported on the new IOS-XE platforms (3650, 3850, maybe 4500-S8). For all the still-current platforms this is not supported (like Cat2960S, 2960X, Cat6k). Hopefully Cisco will introduce support for these platforms as well. Honestly, I'm not seeing a lot of people who actually use the 3650 and 3850 in the access layer (yet).
Maybe someone from Cisco will see this and state whether IPv6 dACLs will be supported on these platforms as well.
03-30-2016 10:01 PM
I did not know you could do that with the cisco-av-pair. Thanks for mentioning it!
03-08-2021 01:23 PM - edited 03-08-2021 02:22 PM
Is the IPv6 dACL issue still there on the 2960X switches?
I was doing some testing and thought configuring with the IBNS 2.0 style configuration rather than the legacy style might fix this, however it doesn't.
If an AV-Pair is presented with 'ipv6:inacl#xxxxxxx' then authentication just fails and you get a dot1x override message in the log
Mar 8 20:54:59.752: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (40b0.340b.bb45) on Interface Gi1/0/1 AuditSessionID C0A8F73300000025029F22A6
If you remove the ipv6 acl av-pair the device authenticates OK. ipv4 acl av-pair works fine.
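An added example, not part of the thread or any Cisco tooling: a Python sketch that pulls the %DOT1X-5-RESULT_OVERRIDE events quoted in the post above out of switch syslog and flags clients that hit the override across several sessions, the symptom reported there when an ipv6:inacl AV-pair is returned. Only the first sample line comes from the thread; the other log lines, the function names and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Pattern built from the %DOT1X-5-RESULT_OVERRIDE line quoted in the post above.
OVERRIDE_RE = re.compile(
    r"%DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client "
    r"\((?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\) "
    r"on Interface (?P<interface>\S+) AuditSessionID (?P<session>[0-9A-Fa-f]+)"
)

# First line is the one from the thread; the remaining lines are constructed.
SAMPLE_LOG = """\
Mar 8 20:54:59.752: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (40b0.340b.bb45) on Interface Gi1/0/1 AuditSessionID C0A8F73300000025029F22A6
Mar 8 20:55:31.104: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (40b0.340b.bb45) on Interface Gi1/0/1 AuditSessionID C0A8F73300000026029F9E10
Mar 8 20:56:02.010: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to up
Mar 8 20:57:10.330: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0011.2233.4455) on Interface Gi1/0/7 AuditSessionID C0A8F73300000027029FAB01
"""


def parse_overrides(log_text):
    """Return one dict per override event; unrelated syslog lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = OVERRIDE_RE.search(line)
        if m:
            events.append({
                "mac": m["mac"].lower(),
                "interface": m["interface"],
                "session": m["session"],
            })
    return events


def repeated_overrides(events, threshold=2):
    """Map (mac, interface) to its session IDs when overrides recur.

    A client overridden in several distinct sessions on the same port is a
    candidate for checking which AV-pairs its authorization profile returns.
    """
    sessions = defaultdict(set)
    for e in events:
        sessions[(e["mac"], e["interface"])].add(e["session"])
    return {k: sorted(v) for k, v in sessions.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (mac, port), ids in repeated_overrides(parse_overrides(SAMPLE_LOG)).items():
        print(f"{mac} on {port}: {len(ids)} overridden sessions")
```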