Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
235
Views
0
Helpful
2
Replies

ISE dacl differnet than what switch is applying

Go to solution
Chris S
Level 1
Level 1

‎01-04-2024 05:24 AM

Deploying ISE and trying to finalize some restrictions.  It seems the DACL defined in ISE is not what the switch is applying to the port. Any ideas why the switch is changing the deny statements? 

  • ISE 3.1 (patch
  • C1000-8FP-E-2G-L

Here is what we have defined in ISE:

ise_dacl.jpg

Here is what the switch is applying:

sw_dacl.jpg

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎01-04-2024 05:32 AM - edited ‎01-04-2024 06:31 AM

@Chris S use the wildcard not the subnet mask when configuring the DACL.

RobIngram_0-1704378645343.png

Also you can use Check DACL Syntax to confirm the syntax is correct.

 

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Rob Ingram
VIP
VIP

‎01-04-2024 05:32 AM - edited ‎01-04-2024 06:31 AM

@Chris S use the wildcard not the subnet mask when configuring the DACL.

RobIngram_0-1704378645343.png

Also you can use Check DACL Syntax to confirm the syntax is correct.

 

0 Helpful

Go to solution
Chris S
Level 1
Level 1
In response to Rob Ingram

‎01-04-2024 09:20 AM

That was it - the syntax was valid against the ISE checker with a standard subnet. 

0 Helpful
Customers Also Viewed These Support Documents