Cisco Bug: CSCvs79171 - DOC: ISE: SGACL created on ISE with hyphen "permit tcp dst eq 32767-65535" should NOT be allowed
Feb 26, 2020
- Cisco Identity Services Engine
Known Affected Releases
Symptom: An SGACL created on ISE with a hyphen, such as "permit tcp dst eq 32767-65535", should NOT be allowed to be configured, because Cisco switches and Cisco routers do not understand or apply the ACL content if it contains a hyphen. Tested example: "permit tcp dst eq 32767-65535" is not understood/honoured by ASR1K running version 16.9.2, nor by CAT3650. The ASR1K downloads all SGACLs, as seen when you run "show cts rbacl"; however, when you run "show cts role-based permissions", the SGACLs that have a hyphen in the ACL content are missing.

Conditions: SGACL configuration on ISE versions 2.3.x and 2.4.x. ASR1K router, Cat3650 switch. SGACLs are pushed from ISE to switches and routers. However, if you try to configure a role-based ACL on the switch with a hyphen, it does not allow you to enter a hyphen. You can either enter 1 2 3 4 5 (without a hyphen) or "range 1 5", as in the example below:

permit tcp dst eq 1 2 3 4 5
or
permit tcp dst range 1 5

Both mean the same.
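An added example, not part of the Cisco bug report or of ISE: a check to run over SGACL content before it is pushed, which flags any line containing a hyphen and rewrites the "eq low-high" form into the "range low high" form the report says the devices accept. It assumes "eq A-B" was meant as the inclusive port range A to B; the function names and the sample content are constructed for illustration.

```python
import re

# "eq <low>-<high>": the hyphenated form described in the bug report.
HYPHEN_EQ = re.compile(r"\beq\s+(\d+)-(\d+)(?!\S)")

def _rewrite(match):
    low, high = int(match.group(1)), int(match.group(2))
    if not (0 <= low <= high <= 65535):
        return match.group(0)  # not a valid port range: leave for manual review
    # Assumption: "eq A-B" was intended as the inclusive range A..B.
    return f"eq {low}" if low == high else f"range {low} {high}"

def lint_sgacl(content):
    """Check SGACL text line by line.

    Returns (fixed_text, findings); each finding is
    (line_number, original_line, suggested_line or None).
    """
    fixed, findings = [], []
    for number, line in enumerate(content.splitlines(), start=1):
        candidate = HYPHEN_EQ.sub(_rewrite, line)
        if "-" in candidate:
            # A hyphen survived the rewrite: no safe automatic fix.
            findings.append((number, line, None))
            fixed.append(line)
        elif candidate != line:
            findings.append((number, line, candidate))
            fixed.append(candidate)
        else:
            fixed.append(line)
    return "\n".join(fixed), findings

# Constructed sample SGACL content; the first line is the one from the report.
SAMPLE = """permit tcp dst eq 32767-65535
permit tcp dst eq 1 2 3 4 5
permit udp dst eq 70000-5
deny ip"""

if __name__ == "__main__":
    text, issues = lint_sgacl(SAMPLE)
    for number, original, suggestion in issues:
        print(f"line {number}: {original!r} -> {suggestion or 'needs manual review'}")
    print(text)
```

A finding with no suggestion means the line still contains a hyphen that cannot be rewritten mechanically and should be corrected by hand before the SGACL is deployed.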