IP Based Access Control Policies

Nik.
Level 1

Hello everyone,

I am currently using "Group-Based Access Control" policies which are all set to "deny".

Now some clients need to connect to other clients on the same or a different SGT.

In my opinion that's what the "Group-Based Access Control" policies are used for.

Is this the way to go if some clients need to connect to other clients (RDP for example) or is there a better way?

And do the "IP Based Access Control" policies have a higher priority than the "Group-Based Access Control" policies?

Thanks in advance!

2 Replies

Hi

that's correct. One of the most important features of the SDA technology. Group-based is way more cool as it integrates with ISE and allows SGACL. IP Based is a simpler way and is more similar to the standard ACLs we already have on Cisco devices.

"Is this the way to go if some clients need to connect to other clients (rdp for example) or is there a better way?"

If they are on the same fabric, yes. If they are in a different location, no. SGT is for lateral communication.

This doc brings a detailed explanation of both features:

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/1-3/user_guide/b_cisco_dna_center_ug_1_3/b_cisco_dna_center_ug_1_3_chapter_01010.html#id_53452

Hey,

thanks for your answer.

But I think I got something wrong in my questions.

I meant to set every "Group-Based Access Control" policy to "Deny" and use "IP Based Access Control" for things like RDP connections etc. between clients, since "Group-Based Access Control" policies only work in one direction.

And yes, they are all on the same fabric.