Hi everyone,
Probably someone has faced the same issue: we use a WLC9800CL controller, ISE 3.2, 9120/9115 APs and C9000 switches (17.8.1). We are also deploying TrustSec.
ISE (3.2) <-- SXP --> WLC (17.8.1) -- push config to ap --> AP
I created a rule in the ISE TrustSec Matrix. The Global Default is Permit IP, and the last rule in the cell is "Default - Deny IP".
For example, we have SGT16 and SGT100. I want to block everything from SGT100 except ICMP and return traffic (i.e. allow replies to requests from outside).
PERMIT_ICMP SGACL:
permit icmp
BACK_PRINT SGACL:
permit tcp src eq 443
permit tcp src eq 9100
permit tcp src range 721 731
permit tcp src eq 515
permit udp src eq 161
I open the cell where SGT16 is the source and SGT100 the destination and add the rules in this sequence (top to bottom):
PERMIT_ICMP, BACK_PRINT and, last, the DEFAULT rule Deny IP. Then I deploy the matrix.
If I connect through the switch everything works fine. However, if I connect via WiFi (through a Cisco AP) all packets are dropped.
I checked the role-based permissions on both devices and found that the switch sees them as:
IPv4 Role-based permissions from group 100:SGT_DEV_PRINT to group 16:SGT_DPT_IT:
PERMIT_ICMP-03
BACK_PRINT-07
Deny IP-00
and the AP:
100 16 Deny_IP, BACK_PRINT, PERMIT_ICMP
i.e. in reverse order. If I remove Deny_IP everything starts working again.
I tried adding DENY_ICMP at the end of the list instead of Default Deny IP and got problems again. You can see the list of rules from the AP:
100 16 DENY_ICMP, BACK_PRINT, PERMIT_ICMP
It's funny: if I add the SGACL DENY_ANY (deny ip) as the last rule, the rule for SGT 100 16 disappears entirely.
What's wrong with my ACL?
AP log:
May 30 13:02:54 kernel: [*05/30/2023 13:02:54.3858] pattern 6: warning: relation '<= 65535' is always true (range 0-65535)
May 30 13:02:54 kernel: [*05/30/2023 13:02:54.4188] In write handler 'rbacl_rules' for 'sg_acl_table :: RoleBasedAcl':
May 30 13:02:54 kernel: [*05/30/2023 13:02:54.4188] pattern 6: warning: relation '<= 65535' is always true (range 0-65535)
May 30 13:02:54 kernel: [*05/30/2023 13:02:54.4258] In write handler 'rbacl_rules' for 'sg_acl_table :: RoleBasedAcl':
May 30 13:02:54 kernel: [*05/30/2023 13:02:54.4258] pattern 6: warning: relation '<= 65535' is always true (range 0-65535)
Thanks!
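The following is an added example written for this page (my own Python, not code from the original post or from Cisco). It models an SGACL list as an ordered sequence of named ACLs evaluated top-down with first-match semantics, and runs the same sample flows through the order the switch reports (PERMIT_ICMP, BACK_PRINT, Deny IP) and the order the AP reports (Deny_IP, BACK_PRINT, PERMIT_ICMP), to show why a catch-all deny that ends up first would drop everything, including the ICMP and return traffic the matrix is meant to allow. The first-match assumption, the fall-through to the matrix default (Permit IP, as the post describes the Global Default), and the content of the DENY_ICMP SGACL (assumed to be just `deny icmp`) are assumptions made for illustration; the sample flows are constructed.

```python
"""Toy first-match SGACL evaluator (added example, not Cisco code).

Assumptions: SGACLs and their ACEs are evaluated top-down, first match wins,
and traffic matching no ACE falls through to the matrix default.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PortRange = Tuple[int, int]  # inclusive


@dataclass
class Ace:
    action: str                            # "permit" or "deny"
    proto: str                             # "ip" (any), "icmp", "tcp" or "udp"
    src_ports: Optional[PortRange] = None  # None means any source port
    dst_ports: Optional[PortRange] = None  # None means any destination port


def parse_ace(line: str) -> Ace:
    """Parse one ACE such as 'permit tcp src range 721 731' or 'deny ip'."""
    toks = line.split()
    if len(toks) < 2 or toks[0] not in ("permit", "deny"):
        raise ValueError(f"bad ACE: {line!r}")
    if toks[1] not in ("ip", "icmp", "tcp", "udp"):
        raise ValueError(f"unsupported protocol in ACE: {line!r}")
    ace = Ace(toks[0], toks[1])
    i = 2
    try:
        while i < len(toks):
            side, op = toks[i], toks[i + 1]
            if op == "eq":
                rng, i = (int(toks[i + 2]), int(toks[i + 2])), i + 3
            elif op == "range":
                rng, i = (int(toks[i + 2]), int(toks[i + 3])), i + 4
            else:
                raise ValueError(f"bad port operator in ACE: {line!r}")
            if side == "src":
                ace.src_ports = rng
            elif side == "dst":
                ace.dst_ports = rng
            else:
                raise ValueError(f"bad port side in ACE: {line!r}")
    except IndexError:
        raise ValueError(f"truncated ACE: {line!r}") from None
    return ace


def parse_sgacl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def in_range(rng: Optional[PortRange], port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def ace_matches(ace: Ace, proto: str, sport: int, dport: int) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    return in_range(ace.src_ports, sport) and in_range(ace.dst_ports, dport)


Policy = List[Tuple[str, List[Ace]]]


def evaluate(policy: Policy, proto: str, sport: int = 0, dport: int = 0,
             default: str = "permit") -> Tuple[str, str]:
    """Return (action, sgacl_name) of the first matching ACE in list order,
    or (default, "matrix-default") if nothing matches (assumed fall-through)."""
    for name, aces in policy:
        for ace in aces:
            if ace_matches(ace, proto, sport, dport):
                return ace.action, name
    return default, "matrix-default"


# SGACL contents as posted for the SGT16 -> SGT100 cell; DENY_ICMP is assumed.
SGACLS: Dict[str, List[Ace]] = {
    "PERMIT_ICMP": parse_sgacl("permit icmp"),
    "BACK_PRINT": parse_sgacl("""
        permit tcp src eq 443
        permit tcp src eq 9100
        permit tcp src range 721 731
        permit tcp src eq 515
        permit udp src eq 161
    """),
    "Deny_IP": parse_sgacl("deny ip"),
    "DENY_ICMP": parse_sgacl("deny icmp"),  # assumed content
}


def order(*names: str) -> Policy:
    return [(n, SGACLS[n]) for n in names]


SWITCH_ORDER = order("PERMIT_ICMP", "BACK_PRINT", "Deny_IP")       # as the C9000 shows it
AP_ORDER = order("Deny_IP", "BACK_PRINT", "PERMIT_ICMP")           # as the AP shows it
AP_ORDER_DENY_ICMP = order("DENY_ICMP", "BACK_PRINT", "PERMIT_ICMP")

# Constructed sample flows: (description, proto, source port, destination port).
FLOWS = [
    ("icmp echo", "icmp", 0, 0),
    ("tcp from port 443", "tcp", 443, 51000),
    ("tcp from port 515", "tcp", 515, 51001),
    ("udp from port 161", "udp", 161, 51002),
    ("tcp to port 22", "tcp", 51003, 22),
]


def verdicts(policy: Policy) -> Dict[str, Tuple[str, str]]:
    return {desc: evaluate(policy, proto, sp, dp) for desc, proto, sp, dp in FLOWS}


if __name__ == "__main__":
    for label, pol in (("switch order", SWITCH_ORDER), ("AP order", AP_ORDER),
                       ("AP order with DENY_ICMP", AP_ORDER_DENY_ICMP)):
        print(label)
        for desc, (action, by) in verdicts(pol).items():
            print(f"  {desc:<18} {action:<6} by {by}")
```

Under these assumptions the switch order permits ICMP and the listed return ports and denies everything else, whereas the AP order hits Deny_IP before any permit and denies every flow; with DENY_ICMP first, only ICMP is dropped and unmatched traffic falls through to the matrix default.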