Is it possible to use object groups within an ISE DACL? Would make DACLs much easier to manage if I didn't have to touch each one anytime a common server IP changes. Looking to get away from SGTs/SGAs due to external requirements.
For example: permit tcp <Web_Servers> eq http.... and so on - instead of creating a line for each individual IP address that would fall into the Web Servers group?
I thought this was not possible in the past, but I took a look at my ISE 2.1 to check. I was able to create a DACL such as "permit tcp any addrgroup myobject". I have not been able to verify it as I have never used this in the past. Also, be wary of the limit of ACEs the DACL can hold (64). If more than that is required, SGACLs are the way to go.
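One way to get the effect asked about without depending on object-group support inside the DACL, as an added example that is not part of the original thread: keep group membership in one place, render each DACL's text from a template, and refuse output that exceeds the 64-ACE figure given in the answer. The `<Web_Servers>` placeholder follows the question; the `any` source, the addresses, the group contents and the function names are constructed for illustration, and only IPv4 with one group per line is handled.

```python
import ipaddress
import re

MAX_ACES = 64  # figure quoted in the answer above; treat as an assumption
PLACEHOLDER = re.compile(r"<([A-Za-z0-9_]+)>")

# Constructed sample data: group members and template are illustrative only.
GROUPS = {"Web_Servers": ["10.10.20.11", "10.10.20.12", "10.10.30.0/28"]}
TEMPLATE = """\
permit udp any any eq 53
permit tcp any <Web_Servers> eq 80
permit tcp any <Web_Servers> eq 443
deny ip any any
"""

def _dest(member):
    """Render one IPv4 member as 'host A.B.C.D' or 'network wildcard'."""
    net = ipaddress.IPv4Network(member, strict=True)  # rejects host bits set
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"

def expand_dacl(template, groups, max_aces=MAX_ACES):
    """Expand one <Group> placeholder per line into one ACE per member."""
    aces = []
    for raw in template.splitlines():
        line = raw.strip()
        if not line:
            continue
        names = PLACEHOLDER.findall(line)
        if not names:
            aces.append(line)
            continue
        if len(names) > 1:
            raise ValueError(f"more than one group on a line: {line}")
        members = groups.get(names[0])
        if not members:  # unknown or empty group would silently drop a rule
            raise KeyError(f"group undefined or empty: {names[0]}")
        token = f"<{names[0]}>"
        aces.extend(line.replace(token, _dest(m)) for m in members)
    if len(aces) > max_aces:
        raise ValueError(f"{len(aces)} ACEs exceeds limit of {max_aces}")
    return aces

if __name__ == "__main__":
    print("\n".join(expand_dacl(TEMPLATE, GROUPS)))
```

When a server IP changes, only `GROUPS` is edited and every DACL that references the group is re-rendered; the rendered text still has to be loaded into ISE by whatever process is already in use.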