My organization is looking for the best practice for deploying the Cisco ISE dACL feature for all of our Windows workstations. Currently we have our headquarters site set up to deploy these downloadable ACLs to access switchports on a per-user basis, and we also maintain Catalyst 9500X Layer 3 switch ACLs per VLAN. We have seen various issues every now and then with maintaining the ACLs in two devices. Is it better to instead only enforce ACLs at the switchport using the ISE cluster and leave the Catalyst 9500X switch with "permit ip any any" statements for proper connectivity in most environments? Also, would it be an okay option to not enforce VLAN changes for one authorization rule that corresponds to one of our departments, so that help desk users would not have to wait for the IP change to occur on remote systems they are logging into?
Thank you, Thomas, for this great solution that seems to fix the issues we've been running into :). It would be a very nice idea to push down a specific subnet using the dACL itself, instead of a VLAN enforcement. How would this be accomplished via the downloadable ACL control entries on the Cisco ISE policy results page? I have looked around and I have been unable to locate a way to do so.
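Added example, not taken from either post above or from Cisco's own documentation: the general shape of the content that goes into an ISE downloadable ACL. A dACL is written as plain IOS-style access control entries with no "ip access-list" header and with the source set to "any"; when the switch applies the dACL to the authenticated port, it substitutes the endpoint's own address for that source. The subnets and server addresses below are constructed placeholders for a hypothetical help desk department, and the Catalyst per-VLAN ACL is shown only for contrast. Note that a dACL restricts which destinations the endpoint may reach; it does not assign the endpoint an address or move it to another subnet, which is what a VLAN change does.

```text
! Constructed dACL content as entered in ISE
! (Policy > Policy Elements > Results > Authorization > Downloadable ACLs).
! Source is always "any"; the switch replaces it with the authenticated host.
permit udp any any eq domain
permit udp any any eq bootps
permit tcp any host 10.10.0.10 eq 443        ! hypothetical ISE / management portal
permit ip any 10.20.0.0 0.0.255.255          ! hypothetical help desk destination subnet
deny   ip any 10.0.0.0 0.255.255.255         ! block the rest of the private range
permit ip any any                            ! everything else (Internet) allowed

! For contrast: the equivalent enforcement kept on the Catalyst 9500X per VLAN,
! which is the second copy of the policy the first post describes maintaining.
ip access-list extended HELPDESK-VLAN-IN
 permit udp 10.30.0.0 0.0.255.255 any eq domain
 permit udp 10.30.0.0 0.0.255.255 any eq bootps
 permit tcp 10.30.0.0 0.0.255.255 host 10.10.0.10 eq 443
 permit ip  10.30.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 deny   ip  10.30.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip  10.30.0.0 0.0.255.255 any
interface Vlan30
 ip access-group HELPDESK-VLAN-IN in
```

The two blocks express the same policy once per endpoint (dACL) and once per VLAN (switch ACL); keeping both in step is the maintenance burden the first post raises. If enforcement is moved entirely to the dACL, the switch-side ACL can be relaxed, but the dACL then has to carry every destination the department needs, including the infrastructure entries at the top, or authenticated hosts lose DNS and DHCP.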