Downloadable ACLs (dACLs)

Synopsis

netapi ise get-dacls
netapi ise get-dacl <NAME>
netapi ise create-dacl <NAME> [OPTIONS]
netapi ise delete-dacl <NAME> [OPTIONS]
netapi ise create-dacls-from-file <FILE>

Description

Manage ISE Downloadable ACLs (dACLs). These are pushed to network devices during authorization.

On switches, dACLs appear as xACSACLx-IP-<NAME>-<hash>. The hash is generated by ISE and changes when ACL content changes.

Commands

get-dacls

List all downloadable ACLs.

netapi ise get-dacls
netapi ise get-dacls --size 50 --page 2

Options
--size, -s INTEGER    Results per page (default: 100)
--page, -p INTEGER    Page number (default: 1)

get-dacl

Get specific dACL rules.

netapi ise get-dacl DACL_SECURE_FULL
netapi ise get-dacl DACL_IOT_RESTRICTED

create-dacl

Create a new downloadable ACL.

# Simple inline ACL
netapi ise create-dacl DACL_PERMIT_ALL --acl "permit ip any any"

# Multi-line ACL (semicolon-separated)
netapi ise create-dacl DACL_IOT --acl "permit udp any any eq 53; deny ip any 10.0.0.0 0.255.255.255; permit ip any any"

# From file
netapi ise create-dacl DACL_SECURE --file /path/to/dacl.txt

# With description
netapi ise create-dacl DACL_GUEST --acl "deny ip any 10.0.0.0 0.255.255.255; permit ip any any" --descr "Guest internet only"

# IPv6 dACL
netapi ise create-dacl DACL_IPV6_PERMIT --acl "permit ipv6 any any" --type IPV6

Options
--acl, -a      ACL content (single line or semicolon-separated)
--file, -f     File containing ACL content (one rule per line)
--descr, -d    Description
--type, -t     IP type: IPV4, IPV6, IP_AGNOSTIC (default: IPV4)

delete-dacl

Delete a downloadable ACL.

# With confirmation prompt
netapi ise delete-dacl DACL_TEST

# Skip confirmation
netapi ise delete-dacl DACL_TEST --force

create-dacls-from-file

Create multiple dACLs from a YAML file.

netapi ise create-dacls-from-file dacls.yaml
netapi ise create-dacls-from-file dacls.yaml --skip-existing

YAML format:

dacls:
  DACL_ADMIN_FULL:
    description: "Full admin access"
    acl: |
      permit ip any any

  DACL_IOT_RESTRICTED:
    description: "IoT devices - internet only"
    acl: |
      permit udp any any eq 53
      deny ip any 10.0.0.0 0.255.255.255
      permit ip any any

  DACL_GUEST_INTERNET:
    description: "Guest - no internal access"
    acl: |
      deny ip any 10.0.0.0 0.255.255.255
      deny ip any 172.16.0.0 0.15.255.255
      deny ip any 192.168.0.0 0.0.255.255
      permit ip any any

dACL Mapping Reference

The same dACL is named differently on the switch and in ISE; the switch name carries the ISE name plus the content hash:

Switch shows                                        ISE dACL name
xACSACLx-IP-TEST_Medical_Temp_Monitor-697290bb      TEST_Medical_Temp_Monitor
xACSACLx-IP-PERMIT_ALL-57f6b4de                     PERMIT_ALL
xACSACLx-IP-DACL_IOT_RESTRICTED-8a2c1b3f            DACL_IOT_RESTRICTED

Common dACL Patterns

Permit All

permit ip any any

Deny Management, Permit All Else

deny ip any 10.50.0.0 0.0.0.255
permit ip any any

IoT Restricted (allow specific subnets plus DNS and NTP only)

permit ip any 10.238.0.0 0.0.255.255
permit udp any any eq 53
permit udp any any eq 123
deny ip any any

Guest Internet Only

deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
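To see what each of the patterns above actually permits, the following is an added example, not netapi code and not from this page's project: a small evaluator for IPv4 ACEs with IOS first-match semantics and the implicit deny at the end. It accepts both the one-rule-per-line form and the semicolon-separated --acl form. The test flows and the endpoint address 10.20.30.40 are constructed; the three pattern strings are copied from this page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example (not netapi code). Supported ACE forms, as used on this page:
#   permit|deny <ip|tcp|udp|icmp> <src> <dst> [eq <port>]
# where <src>/<dst> is "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard).


@dataclass
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol; others match themselves
    src_net: int
    src_wc: int             # wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wc: int
    dst_port: Optional[int]


def _parse_addr(tokens: List[str]):
    """Consume one address spec from the front of the token list."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    net = int(ipaddress.IPv4Address(t))
    wc = int(ipaddress.IPv4Address(tokens.pop(0)))
    return net, wc


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src_net, src_wc = _parse_addr(rest)
    dst_net, dst_wc = _parse_addr(rest)
    port = None
    if rest:
        if rest[0] != "eq" or len(rest) != 2:
            raise ValueError(f"unsupported port clause in ACE: {line!r}")
        port = int(rest[1])
    return Ace(action, proto, src_net, src_wc, dst_net, dst_wc, port)


def parse_dacl(text: str) -> List[Ace]:
    """Accept one-rule-per-line text (files, YAML) and the ';'-separated --acl form."""
    return [parse_ace(r) for r in re.split(r"[;\n]", text) if r.strip()]


def _wc_match(addr: int, net: int, wc: int) -> bool:
    care = ~wc & 0xFFFFFFFF          # bits that must match exactly
    return (addr & care) == (net & care)


def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dst_port: Optional[int] = None) -> str:
    """First matching ACE wins. No match means the implicit deny at the end."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_wc_match(s, ace.src_net, ace.src_wc) and _wc_match(d, ace.dst_net, ace.dst_wc)):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"


def unreachable_rules(aces: List[Ace]) -> List[int]:
    """Indexes of ACEs placed after a catch-all 'permit/deny ip any any';
    they can never match, which is an easy mistake when editing a dACL."""
    for i, ace in enumerate(aces):
        if ace.proto == "ip" and ace.src_wc == 0xFFFFFFFF and ace.dst_wc == 0xFFFFFFFF and ace.dst_port is None:
            return list(range(i + 1, len(aces)))
    return []


# The patterns from this page.
DENY_MGMT = "deny ip any 10.50.0.0 0.0.0.255; permit ip any any"
IOT_RESTRICTED = """
permit ip any 10.238.0.0 0.0.255.255
permit udp any any eq 53
permit udp any any eq 123
deny ip any any
"""
GUEST_INTERNET_ONLY = """
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
"""


def check_patterns() -> dict:
    """Constructed flows from endpoint 10.20.30.40 against each pattern."""
    guest, iot, mgmt = parse_dacl(GUEST_INTERNET_ONLY), parse_dacl(IOT_RESTRICTED), parse_dacl(DENY_MGMT)
    return {
        "guest_to_internal_172": evaluate(guest, "tcp", "10.20.30.40", "172.31.5.5", 443),
        "guest_to_internet": evaluate(guest, "tcp", "10.20.30.40", "8.8.8.8", 443),
        "iot_dns": evaluate(iot, "udp", "10.20.30.40", "1.1.1.1", 53),
        "iot_https_internet": evaluate(iot, "tcp", "10.20.30.40", "1.1.1.1", 443),
        "iot_to_allowed_subnet": evaluate(iot, "tcp", "10.20.30.40", "10.238.7.7", 443),
        # 0.0.0.255 is a /24 wildcard: 10.50.1.9 is outside the deny and is permitted
        "mgmt_10_50_0_9": evaluate(mgmt, "tcp", "10.20.30.40", "10.50.0.9", 22),
        "mgmt_10_50_1_9": evaluate(mgmt, "tcp", "10.20.30.40", "10.50.1.9", 22),
    }
```

The last two flows show the wildcard-mask pitfall: "deny ip any 10.50.0.0 0.0.0.255" covers only 10.50.0.0/24, so a management host on 10.50.1.0/24 is reached through the trailing permit. Running unreachable_rules over a candidate dACL before pushing it catches rules that were appended after a catch-all and therefore never take effect.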

Troubleshooting

# Get dACL from ISE
netapi ise get-dacl TEST_Medical_Temp_Monitor

# Compare with what's on switch
# SSH to switch and run:
# show ip access-list xACSACLx-IP-TEST_Medical_Temp_Monitor-697290bb
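The comparison in the last step is easier to do mechanically, because the switch rewrites what ISE sent: it adds sequence numbers and hit counters, prints well-known ports by keyword (eq domain instead of eq 53) and writes "A.B.C.D 0.0.0.0" as "host A.B.C.D". The following is an added example, not netapi code and not from this page's project: it maps the switch-side xACSACLx-IP-<NAME>-<hash> name back to the ISE name, parses show ip access-list output into normalized rules and diffs them against the rule text ISE holds. The switch output and the ISE rule text for TEST_Medical_Temp_Monitor are constructed for the example; the keyword table covers a few well-known IOS port names.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example (not netapi code). The sample switch output and ISE rules below are constructed.

SWITCH_NAME_RE = re.compile(r"^xACSACLx-IP-(?P<name>.+)-(?P<hash>[0-9a-f]{8})$")

# Port keywords IOS substitutes for well-known numbers when it displays an ACL.
IOS_PORT_NAMES = {"domain": "53", "ntp": "123", "www": "80", "bootps": "67",
                  "bootpc": "68", "ssh": "22", "telnet": "23", "smtp": "25"}


def ise_name_from_switch(acl_name: str) -> Tuple[str, str]:
    """'xACSACLx-IP-<NAME>-<hash>' -> (<NAME>, <hash>)."""
    m = SWITCH_NAME_RE.match(acl_name)
    if not m:
        raise ValueError(f"not a downloadable ACL name: {acl_name!r}")
    return m.group("name"), m.group("hash")


def normalize_rule(rule: str) -> str:
    """Canonical form so ISE text and switch display compare equal:
    port keywords become numbers, 'A.B.C.D 0.0.0.0' becomes 'host A.B.C.D'."""
    tokens = rule.split()
    out: List[str] = []
    i = 0
    while i < len(tokens):
        t = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if t == "eq" and nxt is not None:
            out += ["eq", IOS_PORT_NAMES.get(nxt, nxt)]
            i += 2
        elif re.fullmatch(r"\d+\.\d+\.\d+\.\d+", t) and nxt == "0.0.0.0":
            out += ["host", t]
            i += 2
        else:
            out.append(t)
            i += 1
    return " ".join(out)


def parse_show_ip_access_list(output: str) -> Dict[str, List[str]]:
    """{acl_name: [normalized rules]} with sequence numbers and hit counters dropped."""
    acls: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in output.splitlines():
        m = re.match(r"^(?:Extended|Standard) IP access list (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        m = re.match(r"^\s+(?:\d+\s+)?((?:permit|deny)\s.*?)(?:\s+\(\d+ matches?\))?\s*$", line)
        if m and current is not None:
            acls[current].append(normalize_rule(m.group(1)))
    return acls


def diff_dacl(ise_acl_text: str, switch_rules: List[str]) -> List[Tuple[int, Optional[str], Optional[str]]]:
    """Ordered comparison: (position, ise_rule, switch_rule) for every position
    where the two differ; None marks a side that has no rule at that position."""
    ise_rules = [normalize_rule(r) for r in re.split(r"[;\n]", ise_acl_text) if r.strip()]
    mismatches = []
    for i in range(max(len(ise_rules), len(switch_rules))):
        a = ise_rules[i] if i < len(ise_rules) else None
        b = switch_rules[i] if i < len(switch_rules) else None
        if a != b:
            mismatches.append((i, a, b))
    return mismatches


# Constructed 'show ip access-list' output for the dACL named in the troubleshooting steps.
SWITCH_OUTPUT = """\
Extended IP access list xACSACLx-IP-TEST_Medical_Temp_Monitor-697290bb (per-user)
    10 permit udp any any eq domain (12 matches)
    20 deny ip any 10.0.0.0 0.255.255.255
    30 permit ip any any (4519 matches)
"""

# Constructed stand-in for what 'netapi ise get-dacl TEST_Medical_Temp_Monitor' returns.
ISE_RULES = "permit udp any any eq 53; deny ip any 10.0.0.0 0.255.255.255; permit ip any any"


def compare(ise_acl_text: str, switch_output: str, switch_acl_name: str) -> dict:
    name, acl_hash = ise_name_from_switch(switch_acl_name)
    switch_rules = parse_show_ip_access_list(switch_output).get(switch_acl_name, [])
    return {"ise_name": name, "hash": acl_hash,
            "mismatches": diff_dacl(ise_acl_text, switch_rules)}


if __name__ == "__main__":
    print(compare(ISE_RULES, SWITCH_OUTPUT, "xACSACLx-IP-TEST_Medical_Temp_Monitor-697290bb"))
```

An empty mismatch list means the switch is enforcing exactly what ISE holds. A non-empty list with a hash that no longer matches the current ISE version means the session is still holding the dACL as it was before the edit (the hash changes with the content, as noted above), so the endpoint needs to be re-authorized before the new rules apply.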