Cisco Bug: CSCvs79171 - DOC: ISE: SGACL created on ISE with hyphen "permit tcp dst eq 32767-65535" should NOT be allowed

Last Modified

Feb 26, 2020

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

2.3(0.907) 2.4(0.910)

Description (partial)

An SGACL created on ISE with a hyphen, such as "permit tcp dst eq 32767-65535", should NOT be allowed to be configured, because Cisco switches and Cisco routers do not understand or apply the ACL content if it contains a hyphen.
Tested example: "permit tcp dst eq 32767-65535" is not understood/honoured by an ASR1K running version 16.9.2, nor by a CAT3650.
The ASR1K downloads all SGACLs, as seen with "show cts rbacl"; however, in the output of "show cts role-based permissions", the SGACLs that have a hyphen in the ACL content are missing.

SGACL configuration on ISE version 2.3.x and ISE 2.4.x.
ASR1K router
Cat3650 switch
SGACLs are pushed from ISE to switches and routers.
However, if you try to configure a role-based ACL on the switch with a hyphen, the CLI does not allow you to enter a hyphen.
You can either enter the ports individually, 1 2 3 4 5 (without a hyphen), or use "range 1 5", as in the example below:

permit tcp dst eq 1 2 3 4 5

permit tcp dst range 1 5

Both mean the same.
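Added example, not part of the bug record: a small Python lint that scans SGACL content for the hyphenated "eq A-B" form described above and, where that range is the only operand, produces the equivalent "range A B" entry the switch accepts. The function names and the sample SGACL lines are constructed for this illustration.

```python
import re

# Hyphenated port form ("32767-65535") that ASR1K / Cat3650 drop from SGACL content.
HYPHEN_RANGE = re.compile(r"^(\d+)-(\d+)$")
PORT_TOKEN = re.compile(r"^\d+(-\d+)?$")

def lint_ace(ace):
    """Return (uses_hyphen, rewrite): rewrite is the 'range A B' form, or None."""
    tokens, out, i = ace.split(), [], 0
    uses_hyphen, rewritable = False, True
    while i < len(tokens):
        if tokens[i] != "eq":
            out.append(tokens[i])
            i += 1
            continue
        j = i + 1                                   # collect every port operand after "eq"
        while j < len(tokens) and PORT_TOKEN.match(tokens[j]):
            j += 1
        operands = tokens[i + 1:j]
        hyphenated = [op for op in operands if HYPHEN_RANGE.match(op)]
        uses_hyphen = uses_hyphen or bool(hyphenated)
        if len(operands) == 1 and hyphenated:      # "eq A-B" -> "range A B" (same meaning on IOS)
            out += ["range", *HYPHEN_RANGE.match(operands[0]).groups()]
        else:
            rewritable = rewritable and not hyphenated   # mixed list: no single "range" form
            out += tokens[i:j]
        i = j
    return uses_hyphen, (" ".join(out) if uses_hyphen and rewritable else None)

def lint_sgacl(content):
    """Return (line_no, ace, rewrite) for each non-comment line using the hyphen form."""
    findings = []
    for n, line in enumerate(content.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("!"):
            uses_hyphen, rewrite = lint_ace(line)
            if uses_hyphen:
                findings.append((n, line, rewrite))
    return findings

# Constructed SGACL content for a local run (not taken from the bug record):
SAMPLE_SGACL = """permit tcp dst eq 32767-65535
permit tcp dst eq 1 2 3 4 5
permit tcp dst range 1 5
permit udp dst eq 53 1024-2048
deny ip"""

if __name__ == "__main__":
    print(lint_sgacl(SAMPLE_SGACL))
```

Entries whose "eq" list mixes single ports with a hyphenated range are reported with rewrite None, since a single "range" keyword cannot express them; they need to be split or enumerated before ISE pushes them.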