Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1047
Views
20
Helpful
3
Replies

Port ACL overrides SGACL

Go to solution
Antonio Macia
Participant
Participant

‎05-31-2022 07:29 AM

Hi,

 

We are moving from traditional DACL to SGACL and we've noticed that the existing static ACL applied to the port that enforces the traffic when the device has not authenticated yet into the network, overrides the SGACL downloaded from ISE. With DACL this does not happen and the DACL has higher priority over the port ACL, but for some reason this is not the case for SGACLs.

 

Is there a way to make the SGACL more preferable over the PACL?

 

Regards.

2 Accepted Solutions

Accepted Solutions

Go to solution
andrewswanson
Rising star
Rising star

‎05-31-2022 11:09 AM

Hi

 

When you say you are moving from traditional DACL to SGACL, do you mean that your ISE authz policy is changing from DACL to SGT assignment?

 

SGTs are assigned by ISE authz policy and SGACLs are downloaded by policy enforcement switches on your network (usually the egress switches of your CTS domain).

 

To retain your Port ACL and use SGT/SGACL you'd probably have to have an ISE authz policy that assigns an SGT as well as a "permit any" DACL to negate the Port ACL.

 

hth
Andy

View solution in original post

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎05-31-2022 03:35 PM

@andrewswanson is correct, but just to add some additional context here...

Switchport ACLs (static or downloadable) enforce traffic at the ingress of the port whereas SGACLs enforce traffic at the egress of the port.

The entire scalability principle of TrustSec is based on the enforcement of SGACLs being done at the egress, closest to the destination. This is the opposite of traditional extended ACLs and this basic tenet of TrustSec should be considered and followed in your design and deployment. If you were to attempt leveraging SGACLs to enforce traffic at the source, like you would traditional ACLs, you will likely run into issues with scalability due to the source having to know every destination IP/SGT binding.

View solution in original post

3 Replies 3

Go to solution
andrewswanson
Rising star
Rising star

‎05-31-2022 11:09 AM

Hi

 

When you say you are moving from traditional DACL to SGACL, do you mean that your ISE authz policy is changing from DACL to SGT assignment?

 

SGTs are assigned by ISE authz policy and SGACLs are downloaded by policy enforcement switches on your network (usually the egress switches of your CTS domain).

 

To retain your Port ACL and use SGT/SGACL you'd probably have to have an ISE authz policy that assigns an SGT as well as a "permit any" DACL to negate the Port ACL.

 

hth
Andy

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎05-31-2022 03:35 PM

@andrewswanson is correct, but just to add some additional context here...

Switchport ACLs (static or downloadable) enforce traffic at the ingress of the port whereas SGACLs enforce traffic at the egress of the port.

The entire scalability principle of TrustSec is based on the enforcement of SGACLs being done at the egress, closest to the destination. This is the opposite of traditional extended ACLs and this basic tenet of TrustSec should be considered and followed in your design and deployment. If you were to attempt leveraging SGACLs to enforce traffic at the source, like you would traditional ACLs, you will likely run into issues with scalability due to the source having to know every destination IP/SGT binding.

Go to solution
Antonio Macia
Participant
Participant

‎06-01-2022 03:59 AM

Thanks @andrewswanson I tested that approach and it works. Thanks as well @Greg Gibbs you right about the egress enforcement.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents