topic Re: dACL implementation question use case in Network Access Control https://community.cisco.com/t5/network-access-control/dacl-implementation-question-use-case/m-p/5136571#M590272 <P>It looks right to me, but I find port based dACLs require testing to be 100% sure.</P> <P>Use Case 2 could be optimised a bit by removing the first permit tcp rule, since, logically, it's taken care of by the final permit ip any any.&nbsp;</P> Wed, 26 Jun 2024 20:59:30 GMT Arne Bier 2024-06-26T20:59:30Z dACL implementation question use case https://community.cisco.com/t5/network-access-control/dacl-implementation-question-use-case/m-p/5136441#M590266 <P>Hi experts,</P> <P>I need to use dACL from ISE to filter MAB groups. I understand that the best way is of course to use a firewall, but this is not currently possible on this part of the network.</P> <P>I have 2 use cases</P> <P><STRONG>Use Case 1</STRONG></P> <P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Sans titre.png" style="width: 712px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/221682i2528148AEF09D4FD/image-size/large?v=v2&amp;px=999" role="button" title="Sans titre.png" alt="Sans titre.png" /></span></STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>- the endpoint 10.0.0.1 needs to access the server 172.1.1.1 on port 80:</P> <P>- the server needs to access the endpoint for SNMP polling </P> <P>- drop anything else from the endpoint</P> <P>In the end the dACL would look like this correct?</P> <LI-CODE lang="markup">permit tcp any host 172.1.1.1 eq 80 permit udp any eq snmp host 172.1.1.1 deny ip any any</LI-CODE> <P><STRONG>Use Case 2</STRONG></P> <P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Sans titrew.png" style="width: 712px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/221684i72D0A28BA4CAF610/image-size/large?v=v2&amp;px=999" role="button" title="Sans titrew.png" alt="Sans titrew.png" /></span></STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>- the endpoint can access only 1 server on the network (and nothing else on the subnet 172.1.1.0/24)</P> <P>- the endpoint can access Internet</P> <LI-CODE lang="markup">permit tcp any host 172.1.1.1 eq 80 deny ip any 172.1.1.0 0.0.0.255 permit ip any any</LI-CODE> <P>Is it correct?</P> <P>Thank you for the help</P> <P>&nbsp;</P> Wed, 26 Jun 2024 15:58:28 GMT https://community.cisco.com/t5/network-access-control/dacl-implementation-question-use-case/m-p/5136441#M590266 REJR77 2024-06-26T15:58:28Z Re: dACL implementation question use case https://community.cisco.com/t5/network-access-control/dacl-implementation-question-use-case/m-p/5136571#M590272 <P>It looks right to me, but I find port based dACLs require testing to be 100% sure.</P> <P>Use Case 2 could be optimised a bit by removing the first permit tcp rule, since, logically, it's taken care of by the final permit ip any any.&nbsp;</P> Wed, 26 Jun 2024 20:59:30 GMT https://community.cisco.com/t5/network-access-control/dacl-implementation-question-use-case/m-p/5136571#M590272 Arne Bier 2024-06-26T20:59:30Z