https://community.cisco.com/t5/network-access-control/cisco-ise-dacl-and-l2-switch/m-p/4963012#M585298 <P>Can you explain, please?</P> Mon, 20 Nov 2023 15:28:44 GMT Script Kiddie 2023-11-20T15:28:44Z https://community.cisco.com/t5/network-access-control/cisco-ise-dacl-and-l2-switch/m-p/4962995#M585296 <P>Dear community,</P> <P>I'm pretty new at Cisco ISE, however I have very essential question.</P> <P>My goal is to prepare isolation rules, I was reading about Adaptive Network Control and options it goes with.</P> <P>I think Acces-Reject option will be the best, but we use different deployement modes, and from what I know it works only in "Close" mode, on the other hand, switch in "Monitor" mode ignores "Access-Reject" messages. I have also tested it.</P> <P>Then my idea was to create dACL with deny any.</P> <P>And here goes the question:<STRONG> How can L2 switch process ip deny any dACL?</STRONG></P> <P>My ultimate goal is to isolate the host and as a result the host should not be able to communicate with any other host on other vlans, not even on the same vlan. I think this cannot be reached with dACL on L2 switch.</P> <P>I'm open to any ideas, thanks.</P> Mon, 20 Nov 2023 15:39:06 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-dacl-and-l2-switch/m-p/4962995#M585296 Script Kiddie 2023-11-20T15:39:06Z https://community.cisco.com/t5/network-access-control/cisco-ise-dacl-and-l2-switch/m-p/4963008#M585297 <P>Check below&nbsp;</P> <P>MHM</P> Mon, 20 Nov 2023 16:01:28 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-dacl-and-l2-switch/m-p/4963008#M585297 MHM Cisco World 2023-11-20T16:01:28Z https://community.cisco.com/t5/network-access-control/cisco-ise-dacl-and-l2-switch/m-p/4963012#M585298 <P>Can you explain, please?</P> Mon, 20 Nov 2023 15:28:44 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-dacl-and-l2-switch/m-p/4963012#M585298 Script Kiddie 2023-11-20T15:28:44Z https://community.cisco.com/t5/network-access-control/cisco-ise-dacl-and-l2-switch/m-p/4963045#M585299 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1474389">@Script Kiddie</a> if you wish to isolate hosts and prevent them communicating with any networks/vlans, then why not dynamically place them into an unrouted vlan, that way they will not have an IP address to communicate with other devices. Else I see no reason why a DACL would not work, TrustSec SGT would be the preferred segementation solution to prevent lateral movement.</P> Mon, 20 Nov 2023 15:51:01 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-dacl-and-l2-switch/m-p/4963045#M585299 Rob Ingram 2023-11-20T15:51:01Z https://community.cisco.com/t5/network-access-control/cisco-ise-dacl-and-l2-switch/m-p/4963059#M585301 <P>dACL is add as <STRONG>port</STRONG> ACL so it can use to isolated any host connect to that port from any other host ( in same or different vlan).</P> <P>Only router ACL need l3 interface (l3 sw).</P> Mon, 20 Nov 2023 16:00:57 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-dacl-and-l2-switch/m-p/4963059#M585301 MHM Cisco World 2023-11-20T16:00:57Z https://community.cisco.com/t5/network-access-control/cisco-ise-dacl-and-l2-switch/m-p/4963225#M585306 <P>Dear all,</P> <P>since I'm addressing here two different topics, I've decided to create two discussions:</P> <UL> <LI>How dACL works on L2 switch?<BR /><A href="https://community.cisco.com/t5/network-access-control/cisco-ise-downloadable-acl-dacl-and-layer-2-switch/m-p/4963213#M585303" target="_blank">Cisco ISE - downloadable ACL (dACL) and Layer 2 switch - Cisco Community</A></LI> <LI>Best and simplest way to isolate a host?<BR /><A href="https://community.cisco.com/t5/network-access-control/cisco-ise-host-isolation-options/m-p/4963223#M585305" target="_blank">Cisco ISE - host isolation options - Cisco Community</A><BR /><BR /></LI> </UL> <P>Please feel free to join them. Thank you for your answers already.</P> Mon, 20 Nov 2023 19:54:41 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-dacl-and-l2-switch/m-p/4963225#M585306 Script Kiddie 2023-11-20T19:54:41Z