Should ACL be applied on port in Closed mode

adityaM1234
Level 1

Hi,

While reading about Closed Mode deployment of ISE, I came across a conflict between Cisco's "HowTo-10-Universal_Switch_Config" and "HowTo-25-Closed_Mode" documents.

According to "HowTo-10-Universal_Switch_Config", in Closed Mode we need to apply an ACL on the switch port as follows:

ip access-list ext ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark Drop all the rest
 deny ip any any log

But according to "HowTo-25-Closed_Mode", in Closed Mode we don't apply this ACL on the switchport.

So my question is whether the ACL needs to be applied on the switchport or not, and how it will affect the switchport.

Thanks,

Aditya

5 Replies

nspasov
Cisco Employee

Hello Aditya-

Very good question. The default ACL will always be there on the switch whether you configure one or not. Check out this document:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/sw8021x.html#pgfId-1193896

You have two options:

1. Create your own default ACL to avoid the default one (that only allows DHCP). Your default ACL should be more permissive than the default one. For instance, mine always included "permit ip any any." That way authenticated and authorized hosts are not blocked from accessing any resources on the network. 

2. Always return a DACL in your ISE authorization profiles (even if it is just "permit ip any any"). That way the default ACL is removed.

I prefer method #2; that way I don't have to bother with the default ACL, and it also allows me to control traffic based on the different authorization profiles and DACLs that I apply.

I hope this helps!

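As an added illustration of the two options described above (this is not configuration from the thread, from the HowTo documents or from Cisco), here is what each option looks like on the switch and in ISE. The interface name and the DACL name "PERMIT_ALL" are assumptions.

```ios
! Option 1: configure your own pre-auth ACL so the switch never falls back
! to its built-in default ACL (which only allows DHCP). The OP's ACL-DEFAULT
! with its final "deny ip any any log" replaced by "permit ip any any", as
! nspasov suggests, so authorized hosts are not blocked when no DACL arrives.
ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark Permit the rest (more permissive than the built-in default ACL)
 permit ip any any
!
! Interface name is an assumption; Closed Mode: no "authentication open".
interface GigabitEthernet1/0/10
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication port-control auto
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
!
! Option 2: leave "ip access-group" off the port and let the switch use its
! default ACL, but make EVERY ISE authorization profile return a DACL.
! The DACL is created in ISE under
! Policy > Policy Elements > Results > Authorization > Downloadable ACLs;
! ISE supplies the access-list header, so only the ACE is entered.
! DACL "PERMIT_ALL" (assumed name), content:
permit ip any any
!
! Either way, verify which ACL the authenticated session actually received:
! show authentication sessions interface GigabitEthernet1/0/10 details
```

In the `show authentication sessions ... details` output, a session that received a DACL shows the downloaded ACL name rather than the port's static or default ACL, which is the quickest way to catch an authorization profile that forgot to return one.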

Hi Neno,

Thanks for the reply.

I agree that DACLs should be included in profile.

The main objective of "Closed Mode" is to provide access only after 802.1x authentication.

While reading about "Closed Mode", I came across a conflict in Cisco documents, as I mentioned earlier.

So my question is, should we apply an ACL on the port, or is there no need to apply any ACL on the port in "Closed Mode"?

Thanks,

Aditya

Sorry for the delay, Aditya, as I got really busy at work. Did you read the link that I provided? It really provides answers and different options to your issue.

I personally prefer NOT to configure an ACL and let the system use the default one. However, if you choose that path, make sure that you are always returning a DACL with your authorization profiles, even if it is just "permit ip any any".


Hi Neno,

Thank you for the reply.

Regards,

Aditya

You are welcome! Glad I could help!
