Cisco Support Community

ISE: dACL to switch


I am trying to figure out the syntax for dACL to a switch running 12.2(55)SE7.

In the switch we have used the following static ACL:

ip access-list extended TEST
 10 permit tcp range 1025 2000

It is meant to restrict access so that only certain source IPs can reach certain destination IPs on those ports. Now we want to use it dynamically, so that the ACL gets downloaded to the switch when a certain device connects to the port.

I added it to ISE like this:

permit tcp range 1025 2000

But that doesn't work. However, when I change the source to any, it works:

permit tcp any range 1025 2000

By not working I mean that I see the dACL being downloaded, then the port state is Authz fail and after 1 min the device reauthenticates.

Why does it work with source any?




ISE: dACL to switch

Hello Philip

The dACL has only one direction: from the workstation to the switch. So the "source IP address" will always be the IP address of the endpoints connected to the port.

Because DHCP is used most of the time, and to simplify the dACL, the "source IP address" will use a "special any" which will always be replaced by the IP address of the endpoint. If there are two different endpoints (like a Cisco IP phone and a workstation) then you could use independent dACLs for each endpoint: the "any" of the dACL for the IP phone will be replaced by the IP address of the IP phone, and the "any" of the dACL for the workstation will be replaced by the IP address of the workstation.

You can verify this behavior by using "show ip access-list int "

Please rate if it helps
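As an added illustration of the substitution described in this reply (example code, not from the original thread or from Cisco): a small Python model that parses dACL entries the way an IOS extended ACE is written and renders the per-session ACL for one endpoint, replacing the "any" source with that endpoint's address. The "host <ip>" rendering and the rejection of an explicit source are assumptions that model the behaviour described above, not a copy of IOS output.

```python
# Constructed model (not Cisco code) of how a switch installs an ISE dACL per session.
import ipaddress
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}  # IOS port operator -> operand count

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tokens[:1] == ["any"]:
        return "any", tokens[1:]
    if len(tokens) < 2:
        raise ValueError(f"incomplete address field: {tokens}")
    if tokens[0] == "host":
        ipaddress.IPv4Address(tokens[1])  # raises ValueError on a bad literal
        return f"host {tokens[1]}", tokens[2:]
    for part in tokens[:2]:               # network and wildcard mask
        ipaddress.IPv4Address(part)
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def _take_ports(tokens):
    """Consume an optional port operator plus its operand(s); '' if absent."""
    if not tokens or tokens[0] not in PORT_OPS:
        return "", tokens
    n = PORT_OPS[tokens[0]] + 1
    if len(tokens) < n:
        raise ValueError(f"incomplete port spec: {tokens}")
    return " ".join(tokens[:n]), tokens[n:]

def parse_ace(line):
    """Split one extended ACE into (action, proto, src, sports, dst, dports)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    src, rest = _take_addr(tokens[2:])
    sports, rest = _take_ports(rest)
    dst, rest = _take_addr(rest)
    dports, rest = _take_ports(rest)
    if rest:
        raise ValueError(f"trailing tokens {rest} in {line!r}")
    return tokens[0], tokens[1], src, sports, dst, dports

def render_session_acl(dacl, endpoint_ip):
    """Per-session ACEs for endpoint_ip: 'any' becomes 'host <endpoint_ip>'; any
    other source is rejected, mirroring the Authz fail the original poster saw."""
    ipaddress.IPv4Address(endpoint_ip)
    rendered = []
    for line in dacl.strip().splitlines():
        action, proto, src, sports, dst, dports = parse_ace(line)
        if src != "any":
            raise ValueError(f"dACL source must be 'any': {line!r}")
        fields = [action, proto, f"host {endpoint_ip}", sports, dst, dports]
        rendered.append(" ".join(f for f in fields if f))
    return rendered
```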


ISE: dACL to switch


Check if the IOS version and hardware platform (switch) you're using is mentioned in the TrustSec document (page 6):

The minimum IOS version to use with ISE should be 12.2(55), but generally it's better to use 15.x.

Also, check if you have configured everything that is recommended for switch devices in TrustSec (page 59), including "ip device tracking".

There's also a very nice document for troubleshooting:

"Cisco TrustSec How-To Guide: Failed Authentications and Authorizations"

If it doesn't work, can you post the output of the following commands after authorization:

show authentication session interface

sh ip access-lists interface

show running-config interface

show access-list

sh ip access-lists
