Enforce permit-ACL rules for endpoints

blackbird_bb
Visitor

Hi there,


We aim to enforce permit-ACL rules for each asset (endpoint device like a printer) using Cisco ISE version 3.0.


We have done the following steps:


  1. We have created an asset as an endpoint on ISE using its MAC address.
  2. We have created the corresponding ACL rules as Downloadable ACL (dACL) / TrustSec SGACL on ISE.


What is unclear to us is how to enforce these rules to the network, specific to the asset (endpoint), or at least to a port of a network switch to which this asset is connected. Is there any documentation that explains how to perform this task?


2 Replies

Saurabh Dhakate
Cisco Employee

ISE Profiling is the best option for your use case. Please refer to this doc for more information: https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456


@blackbird_bb using a DACL, enforcement is local to the switch the endpoint is connected to and simpler to implement.

Compared to TrustSec SGACL, which is more complex to implement and support.


How big is your network? What switches do you have?


Refer to this ISE Segmentation strategy guide for more information.

https://community.cisco.com/t5/security-documents/segmentation-strategy/ta-p/3757424
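An added example (not from this thread or from Cisco's documentation) of the switch-side configuration that lets an access port authenticate a MAC-registered endpoint against ISE and apply the dACL returned for it. The ISE address, shared secret, VLAN, interface and the dACL body are placeholders or constructed samples, and the IOS/IOS-XE commands shown are the ones typically required for dACL download; check them against the guide for your switch platform.

```ios
! --- ISE side (constructed sample dACL for a printer that only needs IPP, LPD and DHCP) ---
! Policy > Policy Elements > Results > Authorization > Downloadable ACLs, name PRINTER-DACL:
!   permit tcp any any eq 631
!   permit tcp any any eq 515
!   permit udp any any eq bootps
!   deny ip any any
! Attach PRINTER-DACL to an Authorization Profile and reference that profile from an
! authorization rule matching the endpoint (its Endpoint Identity Group or profiler result).

! --- Switch side (IOS/IOS-XE) ---
aaa new-model
aaa authentication dot1x default group radius
! "authorization network" is what allows the switch to accept the dACL sent by ISE
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

! placeholder ISE Policy Service Node and shared secret
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
! send the Cisco AV-pairs that name and deliver the dACL, and the endpoint IP in requests
radius-server vsa send authentication
radius-server attribute 8 include-in-access-req

! the switch must learn the endpoint IP so it can replace the "any" source in the dACL
ip device tracking
dot1x system-auth-control

! placeholder: the port the registered printer is connected to
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 20
 ! MAB first, since most printers have no 802.1X supplicant; dot1x still wins if present
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication host-mode single-host
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

After the printer authenticates, `show authentication sessions interface GigabitEthernet1/0/10 details` should list the downloaded ACL name under the session, confirming the dACL was applied to that port.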

