cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
735
Views
0
Helpful
5
Replies

Cisco ISE - downloadable ACL (dACL) and Layer 2 switch

Script Kiddie
Level 1
Level 1

Dear community,

I'm new at Cisco ISE and I've been working on some quarantine options. 

In my example, I used Authorization Profile with dACL with result Acess-Accept and deny ip any any. Then I've attached it to the host via Adaptive Network Control.
It worked, however, since this is L3 dACL, I'm still missing how switch is able to handle IP based information? My understanding of dACL is that ISE will push it to the access switch, which is in the most cases L2. How can it work then? 

Thank you!

 

5 Replies 5

I already answered you

dACL apply as port acl (filters l3 ans l2 traffic) to l2 port.

So dACL work with l2 switch. 

Hello, thanks for the answer. I've created new discussion for this particular topic.
Can you please explain it more from the low-level?
How can L2 switch process L3 information, since it works with MACs only? Does it have something to do with TCAM?

L2 SW can process l3 via not software like router but via tcam but it cannot routing l3 packet.

Can l3 sw also use dacl? Yes it can also

From Cisco doc. 

"" 

Understanding Port ACLs

The port ACL (PACL) feature provides the ability to perform access control on specific Layer 2 ports. A Layer 2 port is a physical LAN or trunk port that belongs to a VLAN. Port ACLs are applied only on the ingress traffic. The port ACL feature is supported only in hardware (port ACLs are not applied to any packets routed in software).

When you create a port ACL, an entry is created in the ACL TCAM. You can use the show tcam counts command to see how much TCAM space is available.

The PACL feature does not affect Layer 2 control packets received on the port."" 

 

Got it, thanks.
So from my understanding, I have to make sure that I have L2 switch that has TCAM so its able to work with dACL.

Dumb question now, since it has TCAM, if I push dACL ip deny any to the switch, the host should not be able to communicate with others even on the same VLAN, right? 

Yes it should that.