Best Practise of Redirect ACL for Posturing

Madhuri Dewangan
Cisco Employee

Hi Team,

Looking for the best practice for the number of ACEs that should be present in the Redirect ACL for Posturing.

Thanks and Regards,

Madhuri

Accepted Solution

It really depends on your requirements; for example, you may want to provide a dACL to provide some limited access regardless of your redirect ACL.

In general your redirect ACL should provide:

  • DNS
  • DHCP
  • ISE PSNs to which the CPP portal FQDN points
  • Traffic to remediation servers if needed

3 Replies

Mike.Cifelli
VIP Alumni

In my experience your best bet is to limit the ACEs to only allow connectivity to your ISE node that will perform the posture checks, DNS for resolution, and then deny bootps and https. Remember that your redirect ACL is flipped. For example:
deny ip any host <ISE IP Addr> actually permits connectivity to your ISE node.

I also think that this may vary depending upon your customer requirements. HTH!
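The minimal redirect ACL the accepted solution lists (DNS, DHCP, the PSN behind the portal FQDN, remediation servers), written out as an IOS extended ACL using the inverted deny/permit logic Mike describes, together with the companion dACL the solution mentions. This is an added example, not configuration from the thread; the ACL names and the 192.0.2.x addresses are placeholders.

```cisco
! Added example, not from the thread. Placeholders:
!   192.0.2.10 = ISE PSN that the CPP portal FQDN resolves to
!   192.0.2.20 = remediation server (patch / AV update source)
!
! Redirect ACL semantics are inverted:
!   deny   = traffic is NOT redirected (passes through untouched)
!   permit = traffic IS intercepted and redirected to the posture portal
ip access-list extended ACL-POSTURE-REDIRECT
 remark --- bypass redirect: DNS and DHCP must work before posture runs ---
 deny   udp any any eq domain
 deny   tcp any any eq domain
 deny   udp any any eq bootps
 remark --- bypass redirect: PSN hosting the portal, remediation server ---
 deny   ip  any host 192.0.2.10
 deny   ip  any host 192.0.2.20
 remark --- all other web traffic is redirected to the CPP portal ---
 permit tcp any any eq www
 permit tcp any any eq 443
 remark --- implicit deny: everything else is simply not redirected ---
!
! The redirect ACL selects, it does not filter. Restrict what the
! pre-posture endpoint can reach with a dACL pushed by ISE in the same
! authorization profile (contents as pasted into the ISE dACL editor).
! The dACL must permit the web traffic the switch is going to intercept,
! otherwise it is dropped before redirection happens.
!
! dACL "DACL-POSTURE-PENDING" (placeholder name):
permit udp any any eq domain
permit udp any any eq bootps
permit ip  any host 192.0.2.10
permit ip  any host 192.0.2.20
permit tcp any any eq www
permit tcp any any eq 443
deny   ip  any any
!
! The ISE authorization profile references the switch-side ACL by name;
! it arrives as the RADIUS attribute
!   cisco-av-pair = url-redirect-acl=ACL-POSTURE-REDIRECT
```

Site-specific remediation or update servers are the only lines that should differ per location; the DNS, DHCP and PSN entries stay the same everywhere.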

Hi Mike,

Currently there are 70+ ACEs in the redirect ACL, which is being used in all locations throughout the deployment. I would be suggesting to make it location specific, hence I need input on the number of ACEs we should keep in the redirect ACL.
