Showing results for 
Search instead for 
Did you mean: 

Best practices for Cisco ISE Dacl Deployment


Hello Cisco Community,

My organization is looking for the best practice for deploying out the Cisco ISE Dacl feature for all of our windows workstations. Currently we have our headquarter site, set up to deploy these downloadable ACLs to access switchports on a per-user basis and also maintain Catalyst 9500x Layer 3 switch ACLs per vlan. We have seen various issues every now and then with maintaining the ACLs in two devices. Is it better to instead only enforce ACLs at the switchport using the ISE cluster and leave the Catalyst 9500x Switch to have permit ip any any statements for proper connectivity in most environments? Also would it be an okay option to not enforce vlan changes for one authorization rules that corresponds to one our departments, so that help desk users would not have to wait for the IP change to occur on remote systems they are logging into?


VIP Mentor VIP Mentor
VIP Mentor

Cisco Employee
Cisco Employee

Better to have a single Data VLAN and enforce individual IPs using dACLs.

Why? :

- a single Data VLAN means no VLAN changes which will mess up some IOT devices and even Windows devices with long boot times and any other weird behaviors that you have already seen.  8-)

- You can edit and use dACLs quickly in ISE while editing static VACLs on 100's or 1000's of network devices may take weeks or more depending on your ability to push changes.

Thank you Thomas for this great solution that seems to fix the issues we've been running into :). It would be a very nice idea to push down a specific subnet using the dACL itself, instead of a vlan enforcement. How would this be accomplished via the downloadable acl control entires on the Cisco ISE policy results page? I have looked around and I have been unable to locate a way to do so.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: