Beginner

Providing different ACL for the same device depending where connected ?

Hi all,

In a classical and normal ISE - NAC design, is it possible to send a different downloadable ACL to the same device depending on where it is connected? I mean, for example:

- Laptop X connected in VLAN 100 (IP range 10.10.10.0/24): gets downloadable access-list "permit any".

- Same laptop X connected in VLAN 20 (IP range 20.20.20.0/24): gets a different downloadable access-list "deny all".

I know it is possible to provide a dACL based on the IP range, but is it also possible to base the ACL on "type of device + IP range"?

Thanks in advance

Nic

3 REPLIES
Cisco Employee

Hi Nic, this should be possible. I have done this in the past where I had to push a different dACL based on the office location and floor #. For this, I used the "Device-Location" attribute. Thus, switches were grouped based on the device location, which I used for the Authorization Rules. For instance:

If device location = SiteA-Floor-1 then dACL = ACL_1

If device location = SiteA-Floor-3 then dACL = ACL_2

I hope this helps!

Thank you for rating helpful posts!
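Added illustration, not part of the original thread and not Cisco ISE's own code: a small policy evaluator in Python that models the rule logic discussed in both the question (dACL chosen by device type plus the subnet the endpoint sits in) and the reply above (dACL chosen by the network-device location attribute). Session field names, rule names, dACL names and the dACL bodies are all constructed for this example; ISE evaluates its authorization policy in the same first-match, top-down order, with a default rule catching everything else.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Session:
    """Attributes an authorization policy would see for one endpoint session.
    Field names are constructed for this illustration, not ISE's own schema."""
    mac: str
    device_type: str            # e.g. a profiler result such as "Laptop" or "Printer"
    framed_ip: str              # address the endpoint holds (RADIUS Framed-IP-Address)
    device_location: str = ""   # network-device group attribute, as used in the reply above


@dataclass
class Rule:
    """One authorization rule: every non-empty condition must match (logical AND)."""
    name: str
    dacl: str
    device_types: set = field(default_factory=set)   # empty set  = any device type
    subnets: list = field(default_factory=list)      # empty list = any source IP
    locations: set = field(default_factory=set)      # empty set  = any location

    def matches(self, s: Session) -> bool:
        if self.device_types and s.device_type not in self.device_types:
            return False
        if self.locations and s.device_location not in self.locations:
            return False
        if self.subnets:
            try:
                ip = ipaddress.ip_address(s.framed_ip)
            except ValueError:
                return False      # no usable IP yet: an IP-scoped rule must never match
            if not any(ip in net for net in self.subnets):
                return False
        return True


# Constructed dACL bodies (IOS-style ACEs), keyed by the name a rule returns.
DACLS = {
    "PERMIT_ANY": ["permit ip any any"],
    "DENY_ALL":   ["deny ip any any"],
    "ACL_1":      ["permit ip any 10.10.10.0 0.0.0.255", "deny ip any any"],
    "ACL_2":      ["permit tcp any any eq 443", "deny ip any any"],
}

# Rules are evaluated top to bottom; the first match wins, like an ISE policy set.
RULES = [
    Rule("Laptop-in-VLAN100", "PERMIT_ANY",
         device_types={"Laptop"}, subnets=[ipaddress.ip_network("10.10.10.0/24")]),
    Rule("Laptop-in-VLAN20", "DENY_ALL",
         device_types={"Laptop"}, subnets=[ipaddress.ip_network("20.20.20.0/24")]),
    Rule("SiteA-Floor-1", "ACL_1", locations={"SiteA-Floor-1"}),
    Rule("SiteA-Floor-3", "ACL_2", locations={"SiteA-Floor-3"}),
]


def select_dacl(rules, session, default="DENY_ALL"):
    """Return the dACL name of the first matching rule, else the default-deny dACL."""
    for rule in rules:
        if rule.matches(session):
            return rule.dacl
    return default


def dacl_lines(name):
    """Resolve a dACL name to its ACE lines; an unknown name falls back to deny."""
    return DACLS.get(name, DACLS["DENY_ALL"])


if __name__ == "__main__":
    # Constructed sessions: the laptop from the question in each VLAN, plus a
    # printer that only matches through its location.
    for sess in [
        Session("00:11:22:33:44:55", "Laptop", "10.10.10.25"),
        Session("00:11:22:33:44:55", "Laptop", "20.20.20.25"),
        Session("66:77:88:99:aa:bb", "Printer", "10.10.10.80", "SiteA-Floor-3"),
    ]:
        chosen = select_dacl(RULES, sess)
        print(sess.device_type, sess.framed_ip, "->", chosen, dacl_lines(chosen))
```

Two points the code makes explicit: an IP-scoped rule is skipped when the endpoint has no usable address yet (for example before DHCP completes), so a location-only rule or the default rule decides instead; and nothing that fails every rule ever receives a permissive dACL, because the default is deny.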


Hi Neno,

Thanks for the reply. Actually, this method doesn't suit me, as I have to differentiate between VLANs or IP subnets, and I can have two of the VLANs at the same location.

kr

Nic


Before I can provide any additional suggestions you will need to outline the exact requirements :) Can you give us more details on exactly what you are trying to accomplish?

Thank you for rating helpful posts!
