Cisco ISE dACL and L2 switch

Script Kiddie
Level 1

Dear community,

I'm pretty new at Cisco ISE; however, I have a very essential question.

My goal is to prepare isolation rules. I was reading about Adaptive Network Control and the options it goes with.

I think the Access-Reject option will be the best, but we use different deployment modes, and from what I know it works only in "Closed" mode; on the other hand, a switch in "Monitor" mode ignores "Access-Reject" messages. I have also tested it.

Then my idea was to create a dACL with deny any.

And here goes the question: How can an L2 switch process an ip deny any dACL?

My ultimate goal is to isolate the host, and as a result the host should not be able to communicate with any other host on other VLANs, not even on the same VLAN. I think this cannot be reached with a dACL on an L2 switch.

I'm open to any ideas, thanks.

5 Replies

Check below 


Can you explain, please?

A dACL is added as a port ACL, so it can be used to isolate any host connected to that port from any other host (in the same or a different VLAN).

Only a router ACL needs an L3 interface (L3 switch).

@Script Kiddie if you wish to isolate hosts and prevent them from communicating with any networks/VLANs, then why not dynamically place them into an unrouted VLAN? That way they will not have an IP address to communicate with other devices. Else I see no reason why a DACL would not work; TrustSec SGT would be the preferred segmentation solution to prevent lateral movement.
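The two replies above say that a dACL works on a Layer 2 switch because it is applied as an inbound port ACL on the authenticated port, and that an unrouted quarantine VLAN is an alternative. The configuration below is an added illustration of both (it is not from this thread, from Cisco, or from the original poster); the interface name, VLAN number, ACL content and ISE profile values are assumptions, and the commands are IOS 15.x style (IOS-XE uses `device-tracking` instead of `ip device tracking`).

```cisco
! Added example (not from this thread): how a "deny any" dACL from ISE lands on
! a Layer 2 access switch, plus the unrouted-VLAN alternative from the second reply.
! Interface name, VLAN number and ACL content are assumptions.

! --- ISE side: authorization profile content sent in the Access-Accept ---
! 1) dACL. ISE delivers it as a Cisco AV pair; the switch installs it inbound on
!    the authenticated port and substitutes the session's IP address for the
!    "any" source, so no routed (L3) interface is involved at all.
!    cisco-av-pair = ip:inacl#1=deny ip any any
!
! 2) Alternative from the second reply: quarantine VLAN via standard IETF
!    attributes (VLAN 999 is assumed; it must exist on the switch and have
!    no SVI and no routing, so the host gets no usable IP path).
!    Tunnel-Type = VLAN (13)
!    Tunnel-Medium-Type = IEEE-802 (6)
!    Tunnel-Private-Group-ID = 999

! --- Switch side ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server vsa send authentication
! The switch must learn the host IP to fill in the dACL's source address.
ip device tracking
dot1x system-auth-control
!
vlan 999
 name QUARANTINE-UNROUTED
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode multi-auth
 dot1x pae authenticator
 mab
 ! No "authentication open" here: in monitor mode (authentication open) the port
 ! forwards traffic regardless of the RADIUS result, which matches the original
 ! poster's observation that an Access-Reject had no effect there.

! --- Verification once the session is up ---
! show authentication sessions interface GigabitEthernet1/0/10 details
!   -> shows the downloaded ACL name (xACSACLx-IP-...) and/or the assigned VLAN
! show ip access-lists
!   -> lists the dACL with "any" already replaced by the host's address
```

Two things worth checking in a lab before relying on this: the dACL only filters IPv4 traffic entering the port from the host (ARP and other non-IP frames still pass, although with every IP packet dropped the host cannot complete any conversation on its own or any other VLAN), and the quarantine VLAN only helps if nothing else of value lives in it, since hosts inside the same unrouted VLAN can still reach each other at Layer 2.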

Script Kiddie
Level 1

Dear all,

Since I'm addressing two different topics here, I've decided to create two discussions:

Please feel free to join them. Thank you for your answers already.