
Cisco ISE - host isolation options

Script Kiddie
Level 1

Dear community,

I'm ISE beginner, and my task is to design isolation options on ISE.

What I tried:
I've been reading that adaptive network control (ANC) can be a great option, so I tried it with the Access-Reject option - this didn't work, as most of our deployments are in "Monitor" mode instead of "Close".

Then I tried dACL but I don't think that is the most reliable option.

My idea is to quarantine a host in the most secure way and, at the same time, the easiest way to implement.
The criteria are that the host should not be able to communicate with any other host (not even in the same VLAN).

Furthermore, in time I would like to create more granular isolation options like:

  • Host is not able to communicate anywhere (not even to peers on VLAN).
  • Host is only able to communicate with CLOUD so antivirus can periodically report host status.
  • etc.

Worth mentioning is that we have the option to use SGT. However, I'm not sure if all locations support it now.

To summarize my question based on the information I've provided: what will be the most secure and best-effort option to simply isolate the host?


3 Replies

Arne Bier

Sounds like you want Cisco TrustSec (CTS). You can either hand craft it yourself, or if you're serious and have the $$$, then get a DNAC and build yourself an SDA solution. SDA is the best solution for micro-segmentation (CTS) and macro-segmentation (Virtual Networks ... aka VRFs).

Hello, thanks for the answer.
Indeed we have SDA on some locations, but I would need to understand it more as it's handled by our network team.
But to not complicate things at first, I can split it into 3 goals:

1. What will initially be the best way to isolate the host? Is it SGT/dACL/Isolated VLAN, etc.?
- I was thinking about dACL since it's easy via ANC and also it doesn't require additional configuration on switches. We have L2 switches that, by my understanding, dispose with TCAM, so they should be able to process it. What do you think?
2. Then the second goal will be granular isolation, SGT?
3. Third goal is microsegmentation.

Can you advise me with #1?

Why do you think dACL is not the most reliable option? Have you tried sending a dACL that just does "deny ip any any"? Does that still allow peer-to-peer communication? I think if you want to get granular, then SGTs are required. Perhaps others have a smarter idea.
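To make the "deny ip any any" suggestion and the poster's two granular goals concrete, here is an added example of what the dACL contents pushed by an ANC quarantine policy could look like; it is an illustration written for this thread, not configuration from the original posts or from Cisco. The switch applies a dACL inbound on the authenticated host's access port and rewrites the source "any" with the host's tracked IP, so every frame the host sends (same-VLAN peers included) is filtered; the placeholders AV_CLOUD_IP and DNS_IP are assumptions to be replaced with real values, and the `remark` lines are comments.

```cisco
remark ===== dACL 1: QUARANTINE-FULL (goal: no communication at all) =====
remark Nothing is permitted. Even DHCP renewals fail, so the host may lose
remark its lease; IP device tracking has usually learned the address by then.
deny ip any any

remark ===== dACL 2: QUARANTINE-AV-ONLY (goal: only the AV cloud is reachable) =====
remark Keep the host addressable (DHCP renew) and able to resolve names.
permit udp any eq bootpc any eq bootps
permit udp any host DNS_IP eq domain
remark Only the antivirus reporting endpoint, only over HTTPS.
permit tcp any host AV_CLOUD_IP eq 443
remark Everything else, including peers in the same VLAN, is dropped.
deny ip any any
```

For this to work the access switch needs `ip device tracking` (so the dACL's "any" source is bound to the host IP) and `radius-server vsa send authentication` to accept the cisco-av-pair ip:inacl attribute; a dACL only covers traffic that crosses the authenticated port, so two hosts hanging off an unmanaged hub on the same port can still talk to each other.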