06-26-2024 08:58 AM
Hi experts,
I need to use dACL from ISE to filter MAB groups. I understand that the best way is of course to use a firewall, but this is not currently possible on this part of the network.
I have 2 use cases
Use Case 1
- the endpoint 10.0.0.1 needs to access the server 172.1.1.1 on port 80:
- the server needs to access the endpoint for SNMP polling
- drop anything else from the endpoint
In the end, the dACL would look like this, correct?
permit tcp any host 172.1.1.1 eq 80
permit udp any eq snmp host 172.1.1.1
deny ip any any
Use Case 2
- the endpoint can access only 1 server on the network (and nothing else on the subnet 172.1.1.0/24)
- the endpoint can access Internet
permit tcp any host 172.1.1.1 eq 80
deny ip any 172.1.1.0 0.0.0.255
permit ip any any
Is it correct?
Thank you for the help
06-26-2024 01:59 PM
It looks right to me, but I find port based dACLs require testing to be 100% sure.
Use Case 2 could be optimised a bit by removing the first permit tcp rule, since, logically, it's taken care of by the final permit ip any any.
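The reply above recommends testing port-based dACLs before trusting them. The following is an added example (not code from the thread, from Cisco ISE, or from IOS) of a small first-match evaluator for the subset of extended-ACL syntax used in the two use cases, so the lists can be checked offline against sample flows. It assumes the dACL is applied to traffic arriving from the endpoint, that IOS applies the first matching line top-down, that an unmatched flow hits the implicit `deny ip any any` at the end of every dACL, and that wildcard masks are contiguous. The flows, the `PORT_NAMES` table and the helper names are constructed for this example. It evaluates both use cases from the question, plus Use Case 2 with its first `permit tcp` line removed so the effect of line order on the 172.1.1.1 flow is visible.

```python
import ipaddress

# Constructed name-to-port table covering the keywords used in the thread.
PORT_NAMES = {"snmp": 161, "www": 80, "http": 80}

# The two dACLs exactly as written in the question.
USE_CASE_1 = [
    "permit tcp any host 172.1.1.1 eq 80",
    "permit udp any eq snmp host 172.1.1.1",
    "deny ip any any",
]
USE_CASE_2 = [
    "permit tcp any host 172.1.1.1 eq 80",
    "deny ip any 172.1.1.0 0.0.0.255",
    "permit ip any any",
]


def port_number(tok):
    """Translate a port keyword or number into an integer."""
    if tok.isdigit():
        return int(tok)
    if tok not in PORT_NAMES:
        raise ValueError("unknown port keyword: " + tok)
    return PORT_NAMES[tok]


def parse_line(line):
    """Parse 'permit|deny proto src [eq p] dst [eq p]' into a rule tuple.

    Address forms: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'
    (assumption: the wildcard mask is contiguous, e.g. 0.0.0.255).
    """
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    pos = 2

    def take_addr():
        nonlocal pos
        if tokens[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tokens[pos] == "host":
            pos += 2
            return ipaddress.ip_network(tokens[pos - 1] + "/32")
        addr, wildcard = tokens[pos], tokens[pos + 1]
        pos += 2
        # A contiguous wildcard of N one-bits means a /(32-N) prefix.
        ones = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
        return ipaddress.ip_network(f"{addr}/{32 - ones}", strict=False)

    def take_port():
        nonlocal pos
        if pos < len(tokens) and tokens[pos] == "eq":
            pos += 2
            return port_number(tokens[pos - 1])
        return None  # no 'eq' clause: any port matches

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return (action, proto, src, sport, dst, dport)


def rule_matches(rule, flow):
    """flow = (proto, src_ip, src_port, dst_ip, dst_port); ports may be None."""
    action, proto, src, sport, dst, dport = rule
    f_proto, f_src, f_sport, f_dst, f_dport = flow
    if proto != "ip" and proto != f_proto:
        return False
    if ipaddress.ip_address(f_src) not in src:
        return False
    if ipaddress.ip_address(f_dst) not in dst:
        return False
    if sport is not None and sport != f_sport:
        return False
    if dport is not None and dport != f_dport:
        return False
    return True


def evaluate(acl_lines, flow):
    """Return (action, matched line). First match wins; implicit deny at the end."""
    for line in acl_lines:
        if rule_matches(parse_line(line), flow):
            return line.split()[0], line
    return "deny", "implicit deny ip any any"


# Constructed sample flows, all sourced from the endpoint 10.0.0.1.
FLOWS = {
    "http to server":        ("tcp", "10.0.0.1", 51234, "172.1.1.1", 80),
    "snmp reply to server":  ("udp", "10.0.0.1", 161, "172.1.1.1", 50213),
    "https to server":       ("tcp", "10.0.0.1", 51235, "172.1.1.1", 443),
    "http to other host":    ("tcp", "10.0.0.1", 51236, "172.1.1.50", 80),
    "https to internet":     ("tcp", "10.0.0.1", 51237, "203.0.113.10", 443),
}


def decisions(acl_lines):
    """Map each sample flow name to the permit/deny decision for this dACL."""
    return {name: evaluate(acl_lines, flow)[0] for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for title, acl in (("Use Case 1", USE_CASE_1), ("Use Case 2", USE_CASE_2),
                       ("Use Case 2 without first permit", USE_CASE_2[1:])):
        print(title)
        for name, flow in FLOWS.items():
            action, line = evaluate(acl, flow)
            print(f"  {name:22s} -> {action:6s} ({line})")
```

Running the script prints the decision and the matching line for every sample flow, which is the same information a `show ip access-lists` hit counter gives you after the fact, but before the dACL is pushed from ISE. Adding a flow for a new application is one more entry in `FLOWS`.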