07-02-2013 01:15 AM - edited 03-10-2019 08:36 PM
Hi,
I am trying to figure out the syntax for dACL to a switch running 12.2(55)SE7.
In the switch we have used the following static ACL:
ip access-list extended TEST10
 permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000
It is to limit so only some source IPs can access some destination IPs on those ports. Now we want to use it dynamically, so that the ACL gets downloaded to the switch when a certain device connects to the port.
I added it to ISE like this:
permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000
But that doesn't work. However, when I change the source to any then it works:
permit tcp any 10.0.0.2 0.3.255.0 range 1025 2000
By not working I mean that I see the dACL being downloaded, then the port state is Authz fail and after 1 min the device reauthenticates.
Why does it work with source any?
Regards,
Philip
07-02-2013 10:24 PM
Hello Philip,
The dACL has only one direction: from the workstation to the switch. So the "source IP address" will always be the IP address of the endpoints connected to the port.
Because DHCP is used most of the time, and to simplify the dACL, the "source IP address" will use a "special any" which will always be replaced by the IP address of the endpoint. If there are two different endpoints (like a Cisco IP phone and a workstation) then you could use independent dACLs for each endpoint: the "any" of the dACL for the IP phone will be replaced by the IP address of the IP phone, and the "any" of the dACL for the workstation will be replaced by the IP address of the workstation.
You can verify this behavior by using "show ip access-list int
Please rate if it helps.
07-02-2013 11:25 PM
Hello,
check if the IOS version and hardware platform (switch) you're using is mentioned in TrustSec document (page 6):
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf
The minimum IOS version to use with ISE should be 12.2(55), but generally it's better to use 15.x.
Also, check if you have configured everything that is recommended for switch devices in TrustSec (page 59), including "ip device tracking".
There's also a very nice document for troubleshooting:
"Cisco TrustSec How-To Guide: Failed Authentications and Authorizations"
If it doesn't work, can you post the output of the following commands after authorization:
show authentication session interface
sh ip access-lists interface
show running-config interface
show access-list
sh ip access-lists