SGACLs deploy in a reverse sequence on APs

Heaven_Bay
Level 1

Hi everyone,

Probably someone has faced the same issue: we use a WLC9800CL controller, ISE 3.2, 9120/9115 APs and C9000 switches (17.8.1). We are also deploying TrustSec.

ISE (3.2) <-- SXP --> WLC (17.8.1) -- push config to ap --> AP

I created a rule in the ISE TrustSec Matrix. The Global Default is Permit IP; the last rule in the cell is "Default - Deny IP".

For example, we have SGT16 and SGT100. I want to block everything from SGT100 except ICMP and back traffic (allow replies from external requests).

PERMIT_ICMP SGACL:

permit icmp

BACK_PRINT SGACL:

permit tcp src eq 443
permit tcp src eq 9100
permit tcp src range 721 731
permit tcp src eq 515
permit udp src eq 161


I open the cell where SGT16 is the source and SGT100 the destination, and add the rules in this sequence (top to bottom):

PERMIT_ICMP, BACK_PRINT and, as the last rule, the DEFAULT rule Deny IP. Then I deploy the matrix.

If I connect through the switch, everything works fine. However, if I connect over WiFi (through a Cisco AP), all packets are dropped.

I checked the role-based permissions on both devices and found that the switch sees them as:

IPv4 Role-based permissions from group 100:SGT_DEV_PRINT to group 16:SGT_DPT_IT:

PERMIT_ICMP-03
BACK_PRINT-07
Deny IP-00

and the AP:

100 16 Deny_IP, BACK_PRINT, PERMIT_ICMP


i.e. in reverse order. If I remove Deny_IP, everything starts working again.

I tried adding DENY_ICMP at the end of the list instead of the default Deny IP and got the problem again. You can see the list of rules from the AP:

100 16 DENY_ICMP, BACK_PRINT, PERMIT_ICMP

Funnily enough, if I add the SGACL DENY_ANY (deny ip) as the last rule, the rule for SGT 100 16 disappears entirely.

What's wrong with my ACL?

AP log:

May 30 13:02:54 kernel: [*05/30/2023 13:02:54.3858] pattern 6: warning: relation '<= 65535' is always true (range 0-65535)
May 30 13:02:54 kernel: [*05/30/2023 13:02:54.4188] In write handler 'rbacl_rules' for 'sg_acl_table :: RoleBasedAcl':
May 30 13:02:54 kernel: [*05/30/2023 13:02:54.4188] pattern 6: warning: relation '<= 65535' is always true (range 0-65535)
May 30 13:02:54 kernel: [*05/30/2023 13:02:54.4258] In write handler 'rbacl_rules' for 'sg_acl_table :: RoleBasedAcl':
May 30 13:02:54 kernel: [*05/30/2023 13:02:54.4258] pattern 6: warning: relation '<= 65535' is always true (range 0-65535)


Thanks!

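As an added example (not from the original post, and not Cisco's code): a small Python script that parses the switch and AP role-based permission outputs quoted above, reports whether the AP applies the SGACLs in the same, reversed or a different order, and then evaluates a few constructed flows with first-match semantics to show why the reversed order drops everything. The SGACL contents and the two device outputs are taken from the post; the sample flows, the DENY_IP stand-in for the cell's "Default - Deny IP" entry, and the assumption that the AP evaluates entries top-down with first match are constructed for the demonstration. The same check can be run against real `show cts role-based permissions` style output to catch an ordering mismatch before users lose connectivity.

```python
import re

# SGACL bodies as posted; DENY_IP is a constructed stand-in for the
# cell's "Default - Deny IP" entry.
SGACLS = {
    "PERMIT_ICMP": ["permit icmp"],
    "BACK_PRINT": [
        "permit tcp src eq 443",
        "permit tcp src eq 9100",
        "permit tcp src range 721 731",
        "permit tcp src eq 515",
        "permit udp src eq 161",
    ],
    "DENY_IP": ["deny ip"],
}

# Device outputs copied from the post (constructed multi-line strings).
SWITCH_OUTPUT = """IPv4 Role-based permissions from group 100:SGT_DEV_PRINT to group 16:SGT_DPT_IT:
PERMIT_ICMP-03
BACK_PRINT-07
Deny IP-00
"""
AP_OUTPUT = "100 16 Deny_IP, BACK_PRINT, PERMIT_ICMP\n"

# Constructed sample flows: (protocol, source port). ICMP has no port, so 0.
FLOWS = {
    "icmp echo": ("icmp", 0),
    "https reply (src 443)": ("tcp", 443),
    "tcp src 80": ("tcp", 80),
}


def normalize(name):
    """Unify 'Deny IP', 'Deny_IP' and 'DENY_IP' into one key."""
    return re.sub(r"[\s-]+", "_", name.strip()).upper()


def parse_switch_order(text):
    """SGACL names in the order the switch lists them, dropping the -NN suffix."""
    order = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_ ]+?)-(\d{2})\s*$", line)
        if m:
            order.append(normalize(m.group(1)))
    return order


def parse_ap_order(text):
    """SGACL names from an AP line of the form '<src sgt> <dst sgt> A, B, C'."""
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(.+)$", line)
        if m:
            return [normalize(n) for n in m.group(3).split(",")]
    return []


def compare_order(switch_order, ap_order):
    """'same', 'reversed' or 'different' for the two device views of one cell."""
    if switch_order == ap_order:
        return "same"
    if switch_order == list(reversed(ap_order)):
        return "reversed"
    return "different"


def parse_ace(line):
    """Parse one SGACL entry into (action, protocol, (lo, hi) source-port range)."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    ports = (0, 65535)  # no port qualifier: any source port
    if len(tok) > 2 and tok[2] == "src":
        if tok[3] == "eq":
            ports = (int(tok[4]), int(tok[4]))
        elif tok[3] == "range":
            ports = (int(tok[4]), int(tok[5]))
    return action, proto, ports


def ace_matches(ace, flow):
    """'ip' matches every protocol; otherwise protocol and source port must match."""
    _, proto, (lo, hi) = ace
    fproto, sport = flow
    if proto != "ip" and proto != fproto:
        return False
    return lo <= sport <= hi


def evaluate(order, flow, default="permit"):
    """First-match evaluation of the SGACLs in the given order (assumed AP semantics)."""
    for name in order:
        for line in SGACLS[name]:
            ace = parse_ace(line)
            if ace_matches(ace, flow):
                return ace[0]
    return default  # Global Default in the post is Permit IP


def verdicts(order):
    """Map each sample flow label to its permit/deny verdict under this order."""
    return {label: evaluate(order, flow) for label, flow in FLOWS.items()}


if __name__ == "__main__":
    sw, ap = parse_switch_order(SWITCH_OUTPUT), parse_ap_order(AP_OUTPUT)
    print("switch:", sw, "\nap:    ", ap, "\norder:", compare_order(sw, ap))
    print("switch verdicts:", verdicts(sw))
    print("ap verdicts:    ", verdicts(ap))
```

Running it shows the switch order permitting the ICMP echo and the source-port-443 reply while denying the unmatched TCP flow, and the AP order denying all three, since "deny ip" is hit before any permit can match; the `compare_order` result of "reversed" is the condition worth alerting on when this check is run over collected device output.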