10-03-2019 07:51 AM
Hello,
If I use ISE to restrict access (what ports they communicate on, who can talk to them, etc.) to certain devices while they are in VLAN 200, will I have to redo those rules from the ground up if I move those devices into VLAN 201?
Thanks in advance!
All replies rated.
10-03-2019 08:24 AM
10-03-2019 08:27 AM
I assume you are referring to downloadable ACLs (dACLs). That would be the only way ISE can restrict access like that. In that case, it depends on how you write your ACL. If you are allowing traffic to IPs and ports outside of the VLAN, then nothing should change there. If you are trying to restrict a user from communicating with another machine on the same VLAN, then that may have to change. For example, let's say VLAN 200 is 192.168.200.x and VLAN 201 is 192.168.201.x. You want to prevent a user on VLAN 200 from talking to other users on VLAN 200. That ACL entry may be "deny ip any 192.168.200.0 0.0.0.255". If you then move to VLAN 201, then you would also have to have an entry to cover the new subnet. It just really depends on what you are looking to accomplish.
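To make the answer's point concrete, here is a small added example (not code from the original post, Cisco ISE, or any switch platform) that evaluates Cisco-style extended ACL entries with first-match semantics and the implicit deny at the end. The dACL contents, host addresses and the `entries_tied_to_subnet` audit helper are constructed for illustration. It shows that the "deny ip any 192.168.200.0 0.0.0.255" entry from the answer keeps blocking intra-VLAN traffic only while the host is on the 192.168.200.0/24 subnet, that a "permit ip any any" entry for off-VLAN destinations carries over unchanged, and which entries an operator would have to revisit when the subnet changes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF

@dataclass
class Ace:
    """One access-control entry: action, protocol, source/destination (network, wildcard), optional dst port."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: Tuple[int, int]        # (network, wildcard); wildcard bits set = "don't care"
    dst: Tuple[int, int]
    dst_port: Optional[int]     # only set for "... eq <port>"

def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return (0, MASK32), i + 1
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(t))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wildcard), i + 2

def parse_ace(line: str) -> Ace:
    """Parse e.g. 'deny ip any 192.168.200.0 0.0.0.255' or 'permit tcp any host 10.0.0.5 eq 443'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = int(tokens[i + 1])
    return Ace(action, proto, src, dst, port)

def _matches(spec: Tuple[int, int], ip: str) -> bool:
    """Cisco wildcard match: compare only the bits that are 0 in the wildcard."""
    net, wildcard = spec
    care = ~wildcard & MASK32
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)

def evaluate(acl: List[str], src_ip: str, dst_ip: str,
             proto: str = "ip", dst_port: Optional[int] = None) -> str:
    """First matching entry wins; an ACL with no match ends in the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _matches(ace.src, src_ip) or not _matches(ace.dst, dst_ip):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"

def entries_tied_to_subnet(acl: List[str], subnet: str) -> List[str]:
    """Audit helper (constructed): list entries whose source or destination is anchored inside a subnet.
    These are the entries that stop doing what was intended once the hosts move to another VLAN."""
    network = ipaddress.IPv4Network(subnet)
    tied = []
    for line in acl:
        ace = parse_ace(line)
        for net, wildcard in (ace.src, ace.dst):
            if wildcard != MASK32 and ipaddress.IPv4Address(net) in network:
                tied.append(line)
                break
    return tied

# Constructed dACL following the answer: block peers on VLAN 200, allow everything else.
DACL_VLAN200 = [
    "deny ip any 192.168.200.0 0.0.0.255",
    "permit ip any any",
]

# Constructed dACL after the move: the new subnet needs its own deny entry.
DACL_VLAN201 = [
    "deny ip any 192.168.200.0 0.0.0.255",
    "deny ip any 192.168.201.0 0.0.0.255",
    "permit ip any any",
]

if __name__ == "__main__":
    # Intra-VLAN traffic is denied on VLAN 200 ...
    print(evaluate(DACL_VLAN200, "192.168.200.10", "192.168.200.20"))   # deny
    # ... but the same dACL no longer blocks peers once the host sits on VLAN 201.
    print(evaluate(DACL_VLAN200, "192.168.201.10", "192.168.201.20"))   # permit
    print(evaluate(DACL_VLAN201, "192.168.201.10", "192.168.201.20"))   # deny
    # Off-VLAN destinations are unaffected by the move.
    print(evaluate(DACL_VLAN200, "192.168.201.10", "10.0.0.5", "tcp", 443))  # permit
    print(entries_tied_to_subnet(DACL_VLAN200, "192.168.200.0/24"))
```

Running the audit helper over an existing dACL before a VLAN change gives a quick list of the entries that reference the old subnet; entries written as `any`, or against hosts and ports outside the VLAN, do not appear and can be left as they are, which is the distinction the answer draws.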