02-04-2018 11:59 PM
Hello All,
As per documentation it is clear that the DACL and then the redirect ACL will be processed on all switches except that this order is reversed on a 3850.
However, I have read recently that on modern platforms (3850/3650), the order of ACL processing is reversed and the redirect ACL is processed first, followed by the DACL.
I understand this might be more of a platform-specific question, but is this documented anywhere? I have a customer who wants to understand whether this is documented anywhere. Can you clarify for sure that only the 3650 and the 3850 follow the reverse order?
Thanks,
Malavika
02-05-2018 03:58 AM
Please cite the documentation location where you found the info. AFAIK the URL redirect ACL is processed before the DACL and the port ACL; e.g. CSCtl04221.
ACL implementations have platform dependence. "802.1x DACL, Per-User ACL, Filter-ID, and Device Tracking Behavior" (Cisco) provides some details.
01-22-2019 01:30 AM
Hi,
Could you please tell me if the processing order (DACL and redirect ACL) is indeed platform dependent?
Or is this a bug? You mentioned bug ID CSCtl04221.
I'm unable to open this bug ID due to insufficient permissions.
We are currently troubleshooting network connectivity when a client is in the unknown posture state. On the 2960X platform a client is only allowed to reach the network services stated in the DACL. On the 3850 platform, however, a client is not restricted and can reach all services.
However, if we remove the explicit deny ip any any from the redirect ACL, then the client is also restricted. So, on the 2960X platform the DACL is applied first and on the 3850 platform the redirect ACL is applied first.
Thanks,
Roy
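To make the ordering difference Roy describes concrete, here is an added model (written for this page, not code from the thread and not Cisco's implementation) that evaluates one packet through both orders. It assumes, based only on Roy's observation, that an explicit deny in the redirect ACL means "forward this traffic without redirecting it" and that on a redirect-ACL-first platform such a match ends processing before the DACL is consulted, whereas traffic that matches nothing in the redirect ACL (the implicit deny) falls through to the DACL. The ACL contents, the ISE PSN address and the sample packets are constructed for the example.

```python
"""Model of DACL-first versus redirect-ACL-first evaluation (assumed semantics, see lead-in)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, destination prefix, optional destination port."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp" or "udp"
    dst: str                     # destination prefix; "0.0.0.0/0" stands for "any"
    dport: Optional[int] = None  # None stands for any destination port

    def matches(self, pkt: Dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.get("dport")


def first_match(acl: List[Ace], pkt: Dict) -> Optional[Ace]:
    """Return the first matching ACE, or None when only the implicit deny applies."""
    return next((ace for ace in acl if ace.matches(pkt)), None)


# Constructed sample policy (assumption: a typical ISE posture redirect ACL and DACL).
ISE_PSN = "10.0.0.10"  # hypothetical ISE policy service node
REDIRECT_ACL_CORE = [
    Ace("deny", "udp", "0.0.0.0/0", 53),     # DNS is never redirected
    Ace("deny", "ip", ISE_PSN + "/32"),      # traffic to ISE itself is never redirected
    Ace("permit", "tcp", "0.0.0.0/0", 80),   # web traffic is redirected to the portal
    Ace("permit", "tcp", "0.0.0.0/0", 443),
]
EXPLICIT_DENY = Ace("deny", "ip", "0.0.0.0/0")  # the line Roy removed on the 3850
DACL = [
    Ace("permit", "udp", "0.0.0.0/0", 53),
    Ace("permit", "ip", ISE_PSN + "/32"),
    Ace("permit", "tcp", "0.0.0.0/0", 80),
    Ace("permit", "tcp", "0.0.0.0/0", 443),
]  # everything else hits the implicit deny and is dropped


def redirect_decision(redirect_acl: List[Ace], pkt: Dict) -> Optional[str]:
    """Redirect ACL model: permit -> redirect; explicit deny -> forward; no match -> None."""
    ace = first_match(redirect_acl, pkt)
    if ace is None:
        return None
    return "redirect" if ace.action == "permit" else "forward"


def dacl_decision(dacl: List[Ace], pkt: Dict) -> str:
    """DACL model: a permit forwards, anything else (explicit or implicit deny) drops."""
    ace = first_match(dacl, pkt)
    return "forward" if ace is not None and ace.action == "permit" else "drop"


def dacl_first(redirect_acl: List[Ace], dacl: List[Ace], pkt: Dict) -> str:
    """Order reported for the 2960X: the DACL filters, then the redirect ACL decides on survivors."""
    if dacl_decision(dacl, pkt) == "drop":
        return "drop"
    return redirect_decision(redirect_acl, pkt) or "forward"


def redirect_first(redirect_acl: List[Ace], dacl: List[Ace], pkt: Dict) -> str:
    """Order reported for the 3850: an explicit redirect-ACL match ends processing;
    only traffic that matched nothing reaches the DACL (assumed, see lead-in)."""
    decision = redirect_decision(redirect_acl, pkt)
    if decision is not None:
        return decision
    return dacl_decision(dacl, pkt)


if __name__ == "__main__":
    ssh = {"proto": "tcp", "dst": "10.1.1.1", "dport": 22}  # constructed packet not in the DACL
    with_deny = REDIRECT_ACL_CORE + [EXPLICIT_DENY]
    for name, acl in (("with explicit deny", with_deny), ("without explicit deny", REDIRECT_ACL_CORE)):
        print(name, "| DACL first:", dacl_first(acl, DACL, ssh),
              "| redirect first:", redirect_first(acl, DACL, ssh))
```

Under this model the SSH packet is dropped in the DACL-first order whether or not the redirect ACL ends in an explicit deny, while in the redirect-first order it is forwarded when the explicit deny is present and dropped once that line is removed, which is the difference between the two platforms that the post describes.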