https://community.cisco.com/t5/network-access-control/enforce-permit-acl-rules-for-endpoints/m-p/4607990#M574693 <P>ISE Profiling is the best option for your use case. Please refer this doc for more information&nbsp;<A href="https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456" target="_blank">https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456</A></P><P>&nbsp;</P> Wed, 11 May 2022 07:15:43 GMT Saurabh Dhakate 2022-05-11T07:15:43Z https://community.cisco.com/t5/network-access-control/enforce-permit-acl-rules-for-endpoints/m-p/4607959#M574692 <P>Hi there,</P><P>&nbsp;</P><P>We aim to enforce permit-ACL rules for each asset (endpoint device like a printer) using Cisco ISE version 3.0.</P><P>&nbsp;</P><P>We have done the following steps:</P><P>&nbsp;</P><OL><LI>We have created an asset as an endpoint on ISE using its MAC address.</LI><LI>We have created the corresponding ACL rules as Downloadable ACL (dACL) /&nbsp;TrustSec SGACL on ISE.</LI></OL><P><BR />What is unclear to us is how to enforce these rules to the network, specific to the asset (<STRONG>endpoint</STRONG>), or at least to a port of a network switch to which this asset is connected. Is there any documentation that explains how to perform this task?</P><P>&nbsp;</P> Wed, 11 May 2022 06:16:22 GMT https://community.cisco.com/t5/network-access-control/enforce-permit-acl-rules-for-endpoints/m-p/4607959#M574692 blackbird_bb 2022-05-11T06:16:22Z https://community.cisco.com/t5/network-access-control/enforce-permit-acl-rules-for-endpoints/m-p/4607990#M574693 <P>ISE Profiling is the best option for your use case. Please refer this doc for more information&nbsp;<A href="https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456" target="_blank">https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456</A></P><P>&nbsp;</P> Wed, 11 May 2022 07:15:43 GMT https://community.cisco.com/t5/network-access-control/enforce-permit-acl-rules-for-endpoints/m-p/4607990#M574693 Saurabh Dhakate 2022-05-11T07:15:43Z https://community.cisco.com/t5/network-access-control/enforce-permit-acl-rules-for-endpoints/m-p/4608039#M574700 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1324594">@blackbird_bb</a> using a DACL enforcement is local to the switch the endpoint is connected to and simplier to implement.</P> <P>Compared to TrustSec SGACL which is more complex to implement and support.</P> <P>&nbsp;</P> <P>How big is your network? What switches do you have?</P> <P>&nbsp;</P> <P>Refer to this ISE Segmentation strategy guide for more information.</P> <P><A href="https://community.cisco.com/t5/security-documents/segmentation-strategy/ta-p/3757424" target="_blank">https://community.cisco.com/t5/security-documents/segmentation-strategy/ta-p/3757424</A></P> <P>&nbsp;</P> Wed, 11 May 2022 09:18:13 GMT https://community.cisco.com/t5/network-access-control/enforce-permit-acl-rules-for-endpoints/m-p/4608039#M574700 Rob Ingram 2022-05-11T09:18:13Z