11-20-2023 07:15 AM - edited 11-20-2023 07:39 AM
Dear community,
I'm pretty new to Cisco ISE; however, I have a very essential question.
My goal is to prepare isolation rules. I was reading about Adaptive Network Control and the options it comes with.
I think the Access-Reject option will be the best, but we use different deployment modes, and from what I know it works only in "Closed" mode; on the other hand, a switch in "Monitor" mode ignores "Access-Reject" messages. I have also tested it.
Then my idea was to create a dACL with deny any.
And here goes the question: how can an L2 switch process an "ip deny any" dACL?
My ultimate goal is to isolate the host, and as a result the host should not be able to communicate with any other host on other VLANs, not even on the same VLAN. I think this cannot be achieved with a dACL on an L2 switch.
I'm open to any ideas, thanks.
11-20-2023 07:23 AM - edited 11-20-2023 08:01 AM
Check below
MHM
11-20-2023 07:28 AM
Can you explain, please?
11-20-2023 08:00 AM - edited 11-20-2023 08:00 AM
A dACL is added as a port ACL, so it can be used to isolate any host connected to that port from any other host (in the same or a different VLAN).
Only a router ACL needs an L3 interface (L3 switch).
11-20-2023 07:51 AM
@Script Kiddie if you wish to isolate hosts and prevent them from communicating with any networks/VLANs, then why not dynamically place them into an unrouted VLAN? That way they will not have an IP address to communicate with other devices. Otherwise I see no reason why a dACL would not work; TrustSec SGT would be the preferred segmentation solution to prevent lateral movement.
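As an added illustration (not taken from any post in this thread), here are the two isolation options mentioned above written out as the authorization results ISE would return and the switch-side commands used to check them; the dACL/profile names and the VLAN number are assumptions.

```text
! Option A: dACL that drops all IP traffic entering the port.
! ISE > Policy > Policy Elements > Results > Downloadable ACLs
! dACL name (assumed): QUARANTINE_DENY_ALL
deny ip any any

! Authorization profile (assumed name: QUARANTINE) references that dACL.
! ISE carries it in the Access-Accept; the switch installs it as a port ACL
! in the ingress direction, so no SVI / L3 interface is needed on an access switch.
! Verify on the switch once the session is authorized:
show authentication sessions interface GigabitEthernet1/0/1 details
show ip access-lists interface GigabitEthernet1/0/1

! Option B: dynamic assignment to an unrouted quarantine VLAN.
! Authorization profile returns the standard RADIUS VLAN attributes:
Tunnel-Type              = VLAN (13)
Tunnel-Medium-Type       = IEEE-802 (6)
Tunnel-Private-Group-ID  = 999     ! assumed VLAN with no SVI and no DHCP scope

! Caveat for Option A: an IP port ACL matches IP packets only. The host keeps
! its address and L2 adjacency (ARP is not filtered), so same-VLAN isolation
! at layer 2 needs Option B or a MAC ACL in addition to the dACL.
```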
11-20-2023 11:54 AM
Dear all,
since I'm addressing two different topics here, I've decided to create two discussions:
Please feel free to join them. Thank you for your answers already.