Probably someone has faced the same issue: we use a WLC9800CL controller, ISE 3.2, 9120/9115 APs and C9000 switches (17.8.1). We are also deploying TrustSec.
ISE (3.2) <-- SXP --> WLC (17.8.1) -- push config to ap --> AP
I created a rule in the ISE TrustSec matrix. The global default is Permit IP, and the last rule in the cell itself is "Default - Deny IP".
For example, we have SGT16 and SGT100. I want to block everything from SGT100 except ICMP and return traffic (allow replies to external requests).
permit tcp src eq 443
permit tcp src eq 9100
permit tcp src range 721 731
permit tcp src eq 515
permit udp src eq 161
I open the cell with SGT16 as source and SGT100 as destination and add the rules in this sequence (top to bottom):
PERMIT_ICMP, BACK_PRINT and, last, the default rule Deny IP. Then I deploy the matrix.
If I connect through the switch, everything works fine. However, if I connect over Wi-Fi (through a Cisco AP), all packets are dropped.
I checked the role-based permissions on both devices and found that the switch sees them as:
IPv4 Role-based permissions from group 100:SGT_DEV_PRINT to group 16:SGT_DPT_IT:
100 16 Deny_IP, BACK_PRINT, PERMIT_ICMP
i.e. in reverse order. If I remove Deny_IP, everything starts working again.
I tried adding DENY_ICMP at the end of the list instead of the default Deny IP and got the problem again. Here is the list of rules from the AP:
100 16 DENY_ICMP, BACK_PRINT, PERMIT_ICMP
Funnily enough, if I add the SGACL DENY_ANY (deny ip) as the last rule, the rule for SGT 100 -> 16 disappears entirely.
What's wrong with my ACL?
May 30 13:02:54 kernel: [*05/30/2023 13:02:54.3858] pattern 6: warning: relation '<= 65535' is always true (range 0-65535)
May 30 13:02:54 kernel: [*05/30/2023 13:02:54.4188] In write handler 'rbacl_rules' for 'sg_acl_table :: RoleBasedAcl':
May 30 13:02:54 kernel: [*05/30/2023 13:02:54.4188] pattern 6: warning: relation '<= 65535' is always true (range 0-65535)
May 30 13:02:54 kernel: [*05/30/2023 13:02:54.4258] In write handler 'rbacl_rules' for 'sg_acl_table :: RoleBasedAcl':
May 30 13:02:54 kernel: [*05/30/2023 13:02:54.4258] pattern 6: warning: relation '<= 65535' is always true (range 0-65535)
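The post above turns on the order in which the three SGACLs (PERMIT_ICMP, BACK_PRINT, the default Deny IP) are applied. The following is an added example, not code from the poster or from Cisco: a small first-match evaluator for SGACL-style ACEs that concatenates the named SGACLs in a given order and runs a few constructed sample flows through the result, once in the order entered in the ISE cell and once in the order shown in the post's "role-based permissions" output. It assumes first-match evaluation over the concatenated list and models the matrix-level default as a `default` argument (Permit IP in the post); the helper names (`parse_ace`, `evaluate`, `expand`, `verdicts`) and the sample flows are the example's own and say nothing about how the AP actually merges or orders the entries, which is what the post is asking.

```python
# Added example (not from the original post or Cisco): first-match evaluator for
# SGACL-style ACEs. SGACL names and ACEs are the ones quoted in the post; the
# first-match/concatenation model, the `default` argument and the sample flows
# are assumptions made here for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: Optional[PortRange]    # inclusive source-port range, None = any
    dst: Optional[PortRange]    # inclusive destination-port range, None = any


def parse_ace(line: str) -> Ace:
    """Parse 'permit tcp src eq 443', 'permit tcp src range 721 731', 'deny ip'."""
    toks = line.split()
    action, proto = toks[0], toks[1]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported ACE: {line!r}")
    src = dst = None
    i = 2
    while i < len(toks):
        side, op = toks[i], toks[i + 1]
        if op == "eq":
            rng, i = (int(toks[i + 2]), int(toks[i + 2])), i + 3
        elif op == "range":
            rng, i = (int(toks[i + 2]), int(toks[i + 3])), i + 4
        else:
            raise ValueError(f"unsupported operator {op!r} in {line!r}")
        if side == "src":
            src = rng
        elif side == "dst":
            dst = rng
        else:
            raise ValueError(f"unsupported side {side!r} in {line!r}")
    return Ace(action, proto, src, dst)


def _in_range(rng: Optional[PortRange], port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(ace: Ace, proto: str, sport: int, dport: int) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    return _in_range(ace.src, sport) and _in_range(ace.dst, dport)


def evaluate(aces: List[Ace], proto: str, sport: int, dport: int,
             default: str = "permit") -> str:
    """First matching ACE wins; `default` models the matrix default (Permit IP in the post)."""
    for ace in aces:
        if matches(ace, proto, sport, dport):
            return ace.action
    return default


# The three SGACLs named in the post; BACK_PRINT is the five ACEs quoted there.
SGACLS: Dict[str, List[str]] = {
    "PERMIT_ICMP": ["permit icmp"],
    "BACK_PRINT": ["permit tcp src eq 443", "permit tcp src eq 9100",
                   "permit tcp src range 721 731", "permit tcp src eq 515",
                   "permit udp src eq 161"],
    "DENY_IP": ["deny ip"],
}


def expand(order: List[str]) -> List[Ace]:
    """Concatenate the named SGACLs' ACEs in the given order (assumed model)."""
    return [parse_ace(line) for name in order for line in SGACLS[name]]


# Constructed sample flows as (proto, sport, dport); 0 stands in for "no port" on ICMP.
SAMPLE_FLOWS = {
    "icmp echo reply": ("icmp", 0, 0),
    "raw-print reply (tcp src 9100)": ("tcp", 9100, 51234),
    "lpd reply (tcp src 515)": ("tcp", 515, 51235),
    "snmp reply (udp src 161)": ("udp", 161, 51236),
    "client-initiated ssh (tcp dst 22)": ("tcp", 51237, 22),
}


def verdicts(order: List[str]) -> Dict[str, str]:
    aces = expand(order)
    return {name: evaluate(aces, *flow) for name, flow in SAMPLE_FLOWS.items()}


INTENDED = ["PERMIT_ICMP", "BACK_PRINT", "DENY_IP"]   # order entered in the ISE cell
REVERSED = ["DENY_IP", "BACK_PRINT", "PERMIT_ICMP"]   # order listed in the post's output

if __name__ == "__main__":
    for label, order in (("intended", INTENDED), ("reversed", REVERSED)):
        print(f"{label}: {' > '.join(order)}")
        for name, verdict in verdicts(order).items():
            print(f"  {verdict:6s} {name}")
```

With the intended order, ICMP and the four printer replies are permitted and only the client-initiated SSH flow hits Deny IP; with `deny ip` evaluated first, every flow is dropped, which is the symptom the post describes on the wireless side. Note that BACK_PRINT matches on source port only, so a client-initiated connection to port 443 (destination 443) would also fall through to the deny entry under this model.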