dACL implementation question use case

REJR77
Level 1

Hi experts,

I need to use dACL from ISE to filter MAB groups. I understand that the best way is of course to use a firewall, but this is not currently possible on this part of the network.

I have 2 use cases

Use Case 1

[Image: Sans titre.png]

- the endpoint 10.0.0.1 needs to access the server 172.1.1.1 on port 80

- the server needs to access the endpoint for SNMP polling

- drop anything else from the endpoint

In the end, the dACL would look like this, correct?

permit tcp any host 172.1.1.1 eq 80
permit udp any eq snmp host 172.1.1.1
deny ip any any

Use Case 2

[Image: Sans titrew.png]

- the endpoint can access only 1 server on the network (and nothing else on the subnet 172.1.1.0/24)

- the endpoint can access Internet

permit tcp any host 172.1.1.1 eq 80
deny ip any 172.1.1.0 0.0.0.255
permit ip any any

Is it correct?

Thank you for the help

1 Reply

Arne Bier
VIP

It looks right to me, but I find port-based dACLs require testing to be 100% sure.

Use Case 2 could be optimised a bit by removing the first permit tcp rule, since, logically, it's taken care of by the final permit ip any any.
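Part of that testing can be done on paper before the dACL reaches ISE. The script below is an added example, not code from the thread or from Cisco: it parses the two dACLs exactly as posted and evaluates them top-down with first-match semantics and the implicit deny, against a few constructed flows sent by the endpoint (a dACL is applied inbound on the endpoint's switchport, so every flow is endpoint-to-network). The ACE syntax it understands is limited to what the post uses: permit/deny, ip/tcp/udp, any, host, wildcard masks, and eq with a number or the name snmp; 198.51.100.10 is an assumed stand-in for an Internet host.

```python
import ipaddress
# A flow is (proto, src, sport, dst, dport), all as sent by the endpoint.

def _addr_spec(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' and return a matcher for it."""
    tok = tokens.pop(0)
    if tok == "any":
        return lambda ip: True
    wild = "0.0.0.0" if tok == "host" else tokens.pop(0)   # 'host A' == 'A 0.0.0.0'
    net = int(ipaddress.ip_address(tokens.pop(0) if tok == "host" else tok))
    mask = ~int(ipaddress.ip_address(wild)) & 0xFFFFFFFF  # wildcard bits -> netmask
    return lambda ip: (int(ipaddress.ip_address(ip)) & mask) == (net & mask)

def _port_spec(tokens):
    """Consume an optional 'eq PORT' (number or the name 'snmp'); None = any port."""
    if tokens and tokens[0] == "eq":
        _, port = tokens.pop(0), tokens.pop(0)
        return 161 if port == "snmp" else int(port)
    return None

def evaluate(acl, flow):
    """Top-down first match, ending in the implicit deny every dACL carries."""
    proto, src_ip, sport, dst_ip, dport = flow
    for ace in acl.strip().splitlines():
        tokens = ace.split()
        action, ace_proto, rest = tokens[0], tokens[1], tokens[2:]
        src, src_port = _addr_spec(rest), _port_spec(rest)   # source half of the ACE
        dst, dst_port = _addr_spec(rest), _port_spec(rest)   # destination half
        if (ace_proto in ("ip", proto) and src(src_ip) and dst(dst_ip)
                and src_port in (None, sport) and dst_port in (None, dport)):
            return action
    return "deny"

# The two dACLs exactly as posted above.
USE_CASE_1 = """permit tcp any host 172.1.1.1 eq 80
permit udp any eq snmp host 172.1.1.1
deny ip any any"""
USE_CASE_2 = """permit tcp any host 172.1.1.1 eq 80
deny ip any 172.1.1.0 0.0.0.255
permit ip any any"""

# Constructed sample flows from endpoint 10.0.0.1 (198.51.100.10 stands in for the Internet).
FLOWS = {
    "web to 172.1.1.1":      ("tcp", "10.0.0.1", 51000, "172.1.1.1", 80),
    "snmp reply to poller":  ("udp", "10.0.0.1", 161, "172.1.1.1", 50123),
    "web to another server": ("tcp", "10.0.0.1", 51001, "172.1.1.2", 80),
    "https to internet":     ("tcp", "10.0.0.1", 51002, "198.51.100.10", 443),
}

def verdicts(acl):
    """Verdict for every sample flow under one dACL, keyed by flow name."""
    return {name: evaluate(acl, flow) for name, flow in FLOWS.items()}
```

Call verdicts(USE_CASE_1) or verdicts(USE_CASE_2) from a Python shell to see each flow's verdict, then reorder or drop a line and rerun to see how first-match evaluation changes them.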