Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1063
Views
0
Helpful
2
Replies

Order of precedence of redirect ACL and DACL on 3650 switch platform

mparthan
Cisco Employee
Cisco Employee

‎02-04-2018 11:59 PM

Hello All,

As per documentation it is clear that the DACL and then the redirect ACL will be processed on all switches except that this order is reversed on a 3850.

However, I have read recently that on modern platforms ( 3850/3650), the order of ACL is reversed and  first the redirect ACL is processed followed by the DACL.

I understand this might be more of a platform specific question, but is this documented anywhere? I have a customer who wants to understand if this is documented anywhere? Can you clarify that for sure only the 3650 and the 3850 follow a reverse order?

Thanks,

Malavika

0 Helpful
2 Replies 2

hslai
Cisco Employee
Cisco Employee

‎02-05-2018 03:58 AM

Please cite the documentation location where you find the info. AFAIK the URL redirect ACL is proceeded before the DACL and the port ACL; e.g. CSCtl04221.

ACL implementations have platform dependence. 802.1x DACL, Per-User ACL, Filter-ID, and Device Tracking Behavior - Cisco provides some details.

0 Helpful

roynak3011
Level 1
Level 1

‎01-22-2019 01:30 AM

Hi,

 

Could you please tell me if the process order (DACL and redirect ACL) is indeed platform depended?

Or is this a bug, you mentioned bug id CSCtl04221.

I’m unable to open this bug ID due to insufficient permissions.

 

We are currently troubleshooting network connectivity when a client is in the unknown posture state. On the 2960x platform a client is only allowed to reach the network services as stated in the DACL. On the 3850 platform however, a client is not restricted and can reach al services.

However, if we remove the explicit deny IP any any on the redirect ACL than the client is also restricted.  So, on the 2960x platform the DACL is applied first and on the 3850 platform the redirect ACL is applied first.

 

Thanks,

 

Roy

0 Helpful
Customers Also Viewed These Support Documents