1037 Views, 0 Helpful, 2 Replies

Multiple dACL on one Switchport

Holger1
Level 1

Maybe one very simple question, but I need help:

Scenario should be:

Phone and a client PC on the same switch port, client connected behind the phone (for example a Cisco phone).

Switchport in multiple-auth domain and ISE gives back 2 policies with different dACLs:

1. dACL for Phone

2. dACL for Client

Will that work? So two applied dACLs on the same port. Maybe also an additional VLAN change.

Accepted Solution

Colby LeMaire
VIP Alumni

That works just fine.  The switch will just merge the ACLs and replace the "Any" source with the client's actual IP address.  For example, let's say your PC is 192.168.5.5 and your phone is 192.168.10.10 and each would be a permit any any dACL.  The end result of the ACL applied to the port would be something as follows:

permit ip host 192.168.5.5 any
permit ip host 192.168.10.10 any
deny ip any any

It is completely normal to have clients behind IP phones and the switches are smart enough to handle them as if they are on two separate domains, data and voice.

However, I would try to stay away from dynamic VLAN assignment, especially for PCs.  This is because when you change the VLAN, you also change IP addresses.  That can break things like GPOs, drive mappings, etc.  For printers and other miscellaneous devices, the VLAN change wouldn't be that bad.  So if you have to do it, try to make the default access VLAN on the ports the one that the PC will be in and then just change to the other VLAN as needed for printers and other miscellaneous devices.

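The merge described in the accepted answer, modelled as an added example (not code from this thread or from Cisco): each session's dACL is written with source "any", the switch rewrites that source to the session's learned host address, concatenates the entries and ends with the deny shown above. The helper names, the simplified ACE grammar, the constructed sessions and the reporting of a session whose IP the switch has not yet learned are this example's own assumptions.

```python
"""Model of how a Cisco switch merges per-session dACLs into one port ACL.

Added illustration, not code from the Cisco Community thread or from Cisco.
Each session's dACL is written with source "any"; the switch rewrites that
source to the session's learned IP ("host a.b.c.d") and appends a trailing deny.
"""
import re
from typing import List, Tuple

# action, protocol, then the rest of the entry (source first, e.g. "any any eq 5060")
ACE_RE = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(.+)$")


def rewrite_ace(ace: str, client_ip: str) -> str:
    """Replace the 'any' source of one dACL entry with the session's host."""
    m = ACE_RE.match(ace)
    if not m:
        raise ValueError(f"unparseable ACE: {ace!r}")
    action, proto, rest = m.groups()
    tokens = rest.split()
    if tokens[0] != "any":
        # A dACL must use 'any' as its source so the switch can scope it to the
        # authenticated session; any other source is a configuration error.
        raise ValueError(f"dACL source must be 'any': {ace!r}")
    tokens[0:1] = ["host", client_ip]
    return " ".join([action, proto] + tokens)


def merge_dacls(sessions: List[Tuple[str, str, List[str]]]) -> Tuple[List[str], List[str]]:
    """Build the port ACL from (session_name, client_ip, dacl_lines) tuples.

    Returns (merged_acl, unresolved); unresolved names the sessions whose IP the
    switch has not yet learned, for which no entry can be installed yet.
    """
    merged, unresolved = [], []
    for name, ip, dacl in sessions:
        if not ip:
            unresolved.append(name)
            continue
        merged.extend(rewrite_ace(line, ip) for line in dacl)
    merged.append("deny ip any any")  # trailing deny shown in the answer
    return merged, unresolved


if __name__ == "__main__":
    # Constructed sessions mirroring the thread: PC and phone on one port.
    port = [("PC", "192.168.5.5", ["permit ip any any"]),
            ("Phone", "192.168.10.10", ["permit ip any any"])]
    print("\n".join(merge_dacls(port)[0]))
```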

2 Replies

marce1000
VIP

 - Your question kind of really lies in the area of "I want to make things difficult"; my advice is always, on an intranet where authentication (ISE) is used in combination with port security and access requirements, to not put end devices behind phones and to provision separate connections. It makes things more consistent combined with using the policy possibilities of ISE.

 M.



-- "Good body every evening": this sentence was once spotted on a logo at the entrance of a Weight Watchers Club!
