Cisco Bug: CSCvs79171 - DOC: ISE: SGACL created on ISE with hyphen "permit tcp dst eq 32767-65535" should NOT be allowed

Last Modified

Feb 26, 2020

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

2.3(0.907) 2.4(0.910)

Description (partial)

Symptom:
An SGACL created on ISE whose port specification contains a hyphen, for example "permit tcp dst eq 32767-65535", should NOT be allowed to be configured, because Cisco switches and Cisco routers do not understand or apply ACL content that contains a hyphen.
Tested example: "permit tcp dst eq 32767-65535" is not understood or honoured by an ASR1K running version 16.9.2, nor by a Catalyst 3650.
The ASR1K downloads all SGACLs (they are listed by "show cts rbacl"); however, in the output of "show cts role-based permissions" the SGACLs whose content contains a hyphen are missing, so those entries are not applied.

Conditions:
SGACL configured on ISE version 2.3.x or 2.4.x.
ASR1K router
Catalyst 3650 switch
SGACLs are pushed from ISE to the switches and routers.
However, if you try to configure a role-based ACL directly on the switch with a hyphen, the CLI does not accept the hyphen.
You can either list the ports individually (1 2 3 4 5, without a hyphen) or use "range 1 5", as in the example below:

permit tcp dst eq 1 2 3 4 5

or

permit tcp dst range 1 5

Both mean the same.
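Because ISE accepts the hyphenated form but the network devices drop the entry, a practitioner wants a check that catches such SGACL content before it is pushed. The following is an added example written for this page, not Cisco code and not part of the bug report: a small linter that scans SGACL text, flags any "eq" port list containing a hyphenated range, and rewrites the single-range case into the "range A B" syntax the switch CLI accepts. It goes slightly beyond the page in also rejecting ranges with invalid bounds and the mixed case ("eq 80 1000-2000"), which has no single "range" equivalent; the sample SGACL content is constructed for the example.

```python
from __future__ import annotations
import re

# Constructed sample SGACL content (the first line is the one tested in the bug report).
SAMPLE_SGACL = """\
permit tcp dst eq 32767-65535
permit tcp dst eq 1 2 3 4 5
permit tcp dst range 1 5
deny ip
"""

_HYPHEN_RANGE = re.compile(r"^(\d{1,5})-(\d{1,5})$")


def normalize_ace(ace: str) -> str:
    """Rewrite an 'eq LOW-HIGH' port token into IOS 'range LOW HIGH' syntax.

    ACEs without a hyphenated port are returned unchanged.  A ValueError is
    raised for content the switch would also refuse or that cannot be expressed
    as a single ACE: bounds outside 0-65535, LOW > HIGH, or a hyphenated range
    mixed with other ports in the same 'eq' list.
    """
    tokens = ace.split()
    out: list[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "eq" and i + 1 < len(tokens):
            # Collect the port list that follows 'eq' (numeric ports or A-B tokens).
            ports: list[str] = []
            j = i + 1
            while j < len(tokens) and (tokens[j].isdigit() or _HYPHEN_RANGE.match(tokens[j])):
                ports.append(tokens[j])
                j += 1
            hyphenated = [p for p in ports if "-" in p]
            if not hyphenated:
                out.append(tok)
                out.extend(ports)
            elif len(hyphenated) == 1 and len(ports) == 1:
                lo, hi = (int(x) for x in _HYPHEN_RANGE.match(hyphenated[0]).groups())
                if not (0 <= lo <= hi <= 65535):
                    raise ValueError(f"invalid port range {hyphenated[0]!r} in {ace!r}")
                # 'range' takes exactly two operands on the switch CLI.
                out.extend(["range", str(lo), str(hi)])
            else:
                raise ValueError(
                    f"hyphenated range mixed with other ports in {ace!r}; split into separate ACEs"
                )
            i = j
        else:
            out.append(tok)
            i += 1
    return " ".join(out)


def lint_sgacl(content: str) -> list[tuple[int, str, str]]:
    """Return (line_no, original_ace, rewritten_ace_or_error) for each ACE that
    contains a hyphen.  An empty list means the content is safe to push."""
    findings: list[tuple[int, str, str]] = []
    for n, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!") or "-" not in line:
            continue
        try:
            findings.append((n, line, normalize_ace(line)))
        except ValueError as err:
            findings.append((n, line, f"ERROR: {err}"))
    return findings


if __name__ == "__main__":
    for line_no, original, result in lint_sgacl(SAMPLE_SGACL):
        print(f"line {line_no}: {original!r} -> {result}")
```

Run it against an SGACL export before pushing the policy from ISE; any finding whose result starts with "ERROR:" needs to be split by hand, while the others can be replaced with the rewritten "range" form. The check is deliberately limited to the "eq" operator, since that is the only place a port list (and therefore a hyphen) appears in the ACE syntax shown on this page.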