https://community.cisco.com/t5/software-defined-access-sd-access/sd-access-and-ip-acl/m-p/3990517#M402 <P>Create a static IP to SGT mapping for the destination and&nbsp; define the policy on the&nbsp; ISE to block ICMP&nbsp; from the source SGT to DGT&nbsp;</P> Thu, 28 Nov 2019 02:12:57 GMT sandjose 2019-11-28T02:12:57Z https://community.cisco.com/t5/software-defined-access-sd-access/sd-access-and-ip-acl/m-p/3990340#M401 <P>Hi</P><P>&nbsp;</P><P>If you have an IP-ACL on an SVI Interface today. How can I implement it into a SD-Access Fabric?</P><P>I'm not meaning a micro segmentation. Just for example deny any icmp traffic for a specific device.<BR /><BR />No Firewall in front of the site. Do DACL does the job for me and are they supported?</P><P>&nbsp;</P><P>Kind regards</P><P>Markus</P> Wed, 27 Nov 2019 20:14:07 GMT https://community.cisco.com/t5/software-defined-access-sd-access/sd-access-and-ip-acl/m-p/3990340#M401 markus.forrer 2019-11-27T20:14:07Z https://community.cisco.com/t5/software-defined-access-sd-access/sd-access-and-ip-acl/m-p/3990517#M402 <P>Create a static IP to SGT mapping for the destination and&nbsp; define the policy on the&nbsp; ISE to block ICMP&nbsp; from the source SGT to DGT&nbsp;</P> Thu, 28 Nov 2019 02:12:57 GMT https://community.cisco.com/t5/software-defined-access-sd-access/sd-access-and-ip-acl/m-p/3990517#M402 sandjose 2019-11-28T02:12:57Z https://community.cisco.com/t5/software-defined-access-sd-access/sd-access-and-ip-acl/m-p/3990577#M405 But where will this policy be applied? As I know with GBACL they will be enforced on the outgoing interface inside the fabric.<BR />But my destination is outside the fabric. Thu, 28 Nov 2019 06:14:00 GMT https://community.cisco.com/t5/software-defined-access-sd-access/sd-access-and-ip-acl/m-p/3990577#M405 markus.forrer 2019-11-28T06:14:00Z https://community.cisco.com/t5/software-defined-access-sd-access/sd-access-and-ip-acl/m-p/3990590#M406 <P>it will be enforced on the vlan&nbsp; as we push the following config as part of fabric</P> <P>&nbsp;</P> <P>cts role-based enforcement<BR />cts role-based enforcement vlan-list </P> Thu, 28 Nov 2019 06:56:50 GMT https://community.cisco.com/t5/software-defined-access-sd-access/sd-access-and-ip-acl/m-p/3990590#M406 sandjose 2019-11-28T06:56:50Z https://community.cisco.com/t5/software-defined-access-sd-access/sd-access-and-ip-acl/m-p/3991781#M409 <P>Hi</P><P>&nbsp;</P><P>The best place to deploy is on Border or Fusion.</P><P>&nbsp;</P><P><A href="https://community.cisco.com/t5/security-documents/policy-enforcement-within-sda-border/ta-p/3646816" target="_blank">https://community.cisco.com/t5/security-documents/policy-enforcement-within-sda-border/ta-p/3646816</A></P><P>&nbsp;</P><P>Regards.</P> Sun, 01 Dec 2019 20:44:17 GMT https://community.cisco.com/t5/software-defined-access-sd-access/sd-access-and-ip-acl/m-p/3991781#M409 Heriberto Diaz 2019-12-01T20:44:17Z