Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3874
Views
11
Helpful
3
Replies

Best practices for Cisco ISE Dacl Deployment

davedvo
Level 1
Level 1

‎10-27-2021 10:36 AM

Hello Cisco Community,

My organization is looking for the best practice for deploying out the Cisco ISE Dacl feature for all of our windows workstations. Currently we have our headquarter site, set up to deploy these downloadable ACLs to access switchports on a per-user basis and also maintain Catalyst 9500x Layer 3 switch ACLs per vlan. We have seen various issues every now and then with maintaining the ACLs in two devices. Is it better to instead only enforce ACLs at the switchport using the ISE cluster and leave the Catalyst 9500x Switch to have permit ip any any statements for proper connectivity in most environments? Also would it be an okay option to not enforce vlan changes for one authorization rules that corresponds to one our departments, so that help desk users would not have to wait for the IP change to occur on remote systems they are logging into?

0 Helpful
3 Replies 3

marce1000
VIP
VIP

‎10-28-2021 12:22 AM

 

 - Review this document :

            https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

thomas
Cisco Employee
Cisco Employee

‎12-13-2021 01:07 PM

Better to have a single Data VLAN and enforce individual IPs using dACLs.

Why? :

- a single Data VLAN means no VLAN changes which will mess up some IOT devices and even Windows devices with long boot times and any other weird behaviors that you have already seen.  8-)

- You can edit and use dACLs quickly in ISE while editing static VACLs on 100's or 1000's of network devices may take weeks or more depending on your ability to push changes.

davedvo
Level 1
Level 1
In response to thomas

‎12-14-2021 04:23 AM

Thank you Thomas for this great solution that seems to fix the issues we've been running into :). It would be a very nice idea to push down a specific subnet using the dACL itself, instead of a vlan enforcement. How would this be accomplished via the downloadable acl control entires on the Cisco ISE policy results page? I have looked around and I have been unable to locate a way to do so.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents