I am trying to figure out the syntax for dACL to a switch running 12.2(55)SE7.
In the switch we have used the following static ACL:
ip access-list extended TEST
10 permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000
It is to limit so only some source IPs can access some destination IPs on those ports. Now we want to use it dynamically so that the ACL gets downloaded to the switch when a certain device connects to the port.
I added it to ISE like this:
permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000
But that doesn't work. However, when I change the source to any then it works:
permit tcp any 10.0.0.2 0.3.255.0 range 1025 2000
By not working I mean that I see the dACL being downloaded, then the port state is Authz fail and after 1 min the device reauthenticates.
The dACL has only one direction: from the workstation to the switch. So the "source IP address" will always be the IP address of the endpoints connected to the port.
Because DHCP is used most of the time and to simplify the dACL, the "source IP address" will use a "special any" which will always be replaced by the IP address of the endpoint. If there are two different endpoints (like a Cisco IP phone and a workstation) then you could use independent dACLs for each endpoint: the "any" of the dACL for the IP phone will be replaced by the IP address of the IP phone, and the "any" of the dACL for the workstation will be replaced by the IP address of the workstation.
You can verify this behavior by using "show ip access-list int "
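As an added illustration of the answer above (this is example code written for this page, not part of the thread and not a Cisco or ISE tool): a small pre-flight check for dACL content. It parses each entry in the extended-ACE syntax ISE accepts for a dACL, reports entries whose source field is not "any" (the case that produced the Authz fail in the original post), and emits a rewritten dACL with the source replaced by "any" so the switch can substitute the endpoint's address. The ACE grammar handled here is a subset of the IOS extended ACL syntax (action, protocol, source, optional source ports, destination, optional destination ports, trailing keywords); the function names and the sample dACL are constructed for the example.

```python
"""dACL pre-flight check: flag and rewrite entries whose source is not 'any'.

Added example for this thread; not Cisco/ISE code. The grammar below is an
assumed subset of IOS extended ACE syntax.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Port qualifiers and how many operands each one takes.
_PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}

# Constructed sample dACL: first entry copies the failing line from the post.
SAMPLE_DACL = """\
permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000
permit udp any host 10.0.0.53 eq 53
deny ip any any
"""


@dataclass
class Ace:
    action: str
    protocol: str
    source: str
    src_ports: str
    destination: str
    dst_ports: str
    trailer: List[str] = field(default_factory=list)  # e.g. "established", "log"

    def render(self) -> str:
        parts = [self.action, self.protocol, self.source, self.src_ports,
                 self.destination, self.dst_ports, *self.trailer]
        return " ".join(p for p in parts if p)


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D wildcard')."""
    t = tokens[i]
    if t == "any":
        return "any", i + 1
    if t == "host":
        if i + 1 >= len(tokens) or not re.fullmatch(_IPV4, tokens[i + 1]):
            raise ValueError(f"'host' needs an address at token {i}")
        return f"host {tokens[i + 1]}", i + 2
    if re.fullmatch(_IPV4, t):
        if i + 1 >= len(tokens) or not re.fullmatch(_IPV4, tokens[i + 1]):
            raise ValueError(f"address {t} needs a wildcard mask")
        return f"{t} {tokens[i + 1]}", i + 2
    raise ValueError(f"unexpected token {t!r} where an address was expected")


def _take_ports(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume an optional port qualifier such as 'eq 53' or 'range 1025 2000'."""
    if i < len(tokens) and tokens[i] in _PORT_OPS:
        n = _PORT_OPS[tokens[i]]
        if i + n >= len(tokens):
            raise ValueError(f"incomplete port qualifier {tokens[i]!r}")
        return " ".join(tokens[i:i + n + 1]), i + n + 1
    return "", i


def parse_ace(line: str) -> Ace:
    """Parse one extended ACE; a leading IOS sequence number is accepted and dropped."""
    tokens = line.split()
    i = 1 if tokens and tokens[0].isdigit() else 0
    if i + 2 > len(tokens) or tokens[i] not in ("permit", "deny"):
        raise ValueError(f"no permit/deny action in {line!r}")
    action, protocol = tokens[i], tokens[i + 1]
    i += 2
    source, i = _take_addr(tokens, i)
    src_ports, i = _take_ports(tokens, i)
    destination, i = _take_addr(tokens, i)
    dst_ports, i = _take_ports(tokens, i)
    return Ace(action, protocol, source, src_ports, destination, dst_ports, tokens[i:])


def _entries(text: str):
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("!"):  # skip blanks and '!' comments
            yield n, parse_ace(line)


def check_dacl(text: str) -> List[Tuple[int, str]]:
    """Return (line number, entry) for every ACE whose source is not 'any'."""
    return [(n, ace.render()) for n, ace in _entries(text) if ace.source != "any"]


def rewrite_for_dacl(text: str) -> str:
    """Return the dACL with every source replaced by 'any', as the switch expects."""
    out = []
    for _, ace in _entries(text):
        ace.source = "any"
        out.append(ace.render())
    return "\n".join(out)


if __name__ == "__main__":
    for n, entry in check_dacl(SAMPLE_DACL):
        print(f"line {n}: explicit source will not be substituted: {entry}")
    print("rewritten dACL:")
    print(rewrite_for_dacl(SAMPLE_DACL))
```

Run the script as-is to see the first sample entry flagged and the rewritten dACL printed; the port qualifier and the destination of each entry are kept unchanged, only the source field is replaced.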