Cisco Support Community

New Member

Cisco ISE 1.2 Checking DACL Syntax

Greetings,

When we first set up all of the DACLs for our ISE deployment, it was explained to us that the "!" was a replacement for the "remark" entry on the access list, but when I utilize the "Check DACL Syntax", ISE tells me that my statements are improper:

"

Line 13 - In "! permit tcp any any eq 80", argument #1 "!" is not valid. Legal option(s):

  permit

  deny

  remark

  no

"

It doesn't appear that my DACLs are giving any errors when in use, so is this just an aesthetic error, or do I need to go through and change all of my DACLs to reflect this?

Thank You for any input!


ACCEPTED SOLUTION
Cisco Employee

Hello David,

I guess there are many more keywords and formats that "check DACL syntax" doesn't approve but which do work. A customer wanted to use the keyword ESTABLISHED, so I created an ACE and clicked save.

"permit tcp any any established"

It gives me a pop-up stating "syntax check of the DACL content has failed, do you want to submit anyway."

I clicked yes and moved ahead. I then checked the DACL syntax and it says:

Line 1 - In "permit tcp any any established", argument #5 "established" is not valid.

 

Finally, I tested this on a dot1x-configured switch, and the output of 'show ip access-list interface <interface-id>' shows it in the downloaded access-list. Even though the syntax was not approved by ISE, we still managed to download it to the switch.

 

In your case, if you are using remarks with dot1x and MAB, please keep a watch on this defect:

CSCuj35704    Remark in DACL causing dot1x and MAB authorization failure

 

Regards,

Jatin Katyal

**Do rate helpful posts**

4 REPLIES

It is an incorrect format for ISE; please refer to the correct format at

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_authz_polprfls.html#wp1231465

New Member

Salodh,

While I appreciate that you took the time to reply to me, your response does not actually address my question, and the link you provided does not discuss the "remark" command at all.

Please feel free to re-read my question, and provide additional assistance if you are able.

Thank You.

Cisco Employee

While IOS allows the use of the ! character instead of "remark", ISE does not, and as a result you get the warning message you're seeing.

Javier Henderson

Cisco Systems
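The two replies above make the same practical point: ISE's "Check DACL Syntax" only recognises permit/deny/remark/no as a first argument, while IOS also accepts a leading "!" as a comment, and (per the accepted answer) an ACE the checker rejects may still be pushed to the switch. The script below is an added example for this thread, not Cisco's code: it mimics only the first-argument rule quoted in the question, and converts or strips "!" lines so a DACL passes that check before you paste it into ISE. The legal-token list comes from the ISE error message in the question; the sample DACL is constructed, and nothing else about ISE's real checker (which also rejects "established", as the accepted answer shows) is reproduced.

```python
# Added example for this thread (not Cisco's code). It reproduces the
# first-argument rule from the ISE 1.2 error message quoted in the question
# and rewrites IOS-style "!" comment lines into a form that rule accepts.

# Taken from the "Legal option(s)" list in the question's error message.
LEGAL_FIRST_TOKENS = ("permit", "deny", "remark", "no")


def check_dacl_syntax(dacl: str) -> list[str]:
    """Return one ISE-style error string per line whose first token is not
    permit/deny/remark/no. Blank lines are skipped but still counted, so the
    reported line numbers match the pasted text. Later arguments are NOT
    checked, so this will not flag "established" the way ISE does."""
    errors = []
    for lineno, raw in enumerate(dacl.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        first = line.split()[0]
        if first not in LEGAL_FIRST_TOKENS:
            errors.append(
                f'Line {lineno} - In "{line}", argument #1 "{first}" is not valid. '
                "Legal option(s): " + ", ".join(LEGAL_FIRST_TOKENS)
            )
    return errors


def rewrite_bang_comments(dacl: str, mode: str = "remark") -> str:
    """Rewrite IOS-style comment lines that begin with "!".

    mode="remark": "! text" becomes "remark text", the keyword ISE's checker
                   accepts; a bare "!" with no text is dropped.
    mode="strip":  comment lines are removed entirely, for deployments that
                   would rather not carry remarks in a DACL at all (see the
                   CSCuj35704 note in the accepted answer).
    ACE lines are passed through unchanged in both modes.
    """
    if mode not in ("remark", "strip"):
        raise ValueError(f"unknown mode: {mode}")
    out = []
    for raw in dacl.splitlines():
        line = raw.strip()
        if not line.startswith("!"):
            out.append(line)
            continue
        if mode == "strip":
            continue
        text = line[1:].strip()  # comment body after the "!"
        if text:
            out.append(f"remark {text}")
    return "\n".join(out) + ("\n" if out else "")


# Constructed sample modelled on the question's line 13; not a real DACL.
SAMPLE_DACL = """\
permit tcp any any eq 443
! permit tcp any any eq 80
remark web access
permit tcp any any established
"""

if __name__ == "__main__":
    for err in check_dacl_syntax(SAMPLE_DACL):
        print(err)
    print("--- rewritten with remark ---")
    print(rewrite_bang_comments(SAMPLE_DACL), end="")
    print("--- comments stripped ---")
    print(rewrite_bang_comments(SAMPLE_DACL, mode="strip"), end="")
```

Run it on a DACL exported from ISE before pasting it back; the "established" line in the sample passes this checker but is still rejected by ISE, which is exactly the gap the accepted answer describes, so treat a clean result here as necessary rather than sufficient and confirm the ACL actually lands on the switch with 'show ip access-list interface <interface-id>'.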
