03-26-2026 02:52 AM
Hello,
I had a quick question. Currently we have a tunnel-group-name condition configured on ISE, so whoever connects to this VPN tunnel-group then gets a permit ip any any dACL.
If split-tunnelling is used, which is evaluated first? I'm assuming the dACL first, which permits any traffic into the tunnel, but the split-tunnel ACL directing the traffic?
So if we have two tunnel-groups, once authorised by ISE, one of them can't access an internal resource, but the second tunnel-group can access it, I assume checking split-tunnel would be a good start? Since both are authorized by ISE, I don't think it'd be an ISE issue?
If anyone can confirm
Thanks
03-26-2026 07:58 AM
The dACL won't be applied on the client side; it would be applied at the headend to the client session. If you configure split tunneling, then the traffic that will not be sent over the tunnel won't be subject to the configured dACL, because it will not hit the headend. However, anything else that will be sent over the tunnel will still be subject to that dACL.
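As an added illustration of the ordering described above (example code, not something posted in this thread), this Python model evaluates a destination against the client-side split-tunnel list first and only then against the headend dACL. The split-tunnel networks and the dACL entries are constructed sample values, and the "first match wins, implicit deny at the end" dACL semantics are an assumption of the model.

```python
"""Model of how split tunnelling and an ISE dACL interact for one VPN session.

Constructed example: the split-tunnel ACL is evaluated by the client to decide
which destinations enter the tunnel; only tunnelled traffic reaches the headend,
where the dACL pushed by ISE is enforced.
"""
import ipaddress

# Constructed sample data: two tunnel-groups with different split-tunnel lists,
# both receiving the same "permit ip any any" dACL from ISE.
SPLIT_TG_A = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("172.16.0.0/12")]
SPLIT_TG_B = [ipaddress.ip_network("10.0.0.0/8")]          # omits 172.16/12
DACL_PERMIT_ALL = [("permit", ipaddress.ip_network("0.0.0.0/0"))]
DACL_RESTRICTED = [("deny", ipaddress.ip_network("10.10.10.0/24")),
                   ("permit", ipaddress.ip_network("0.0.0.0/0"))]


def goes_through_tunnel(dst, split_networks):
    """Client-side decision: tunnel only destinations in the split-tunnel list."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in split_networks)


def dacl_verdict(dst, dacl):
    """Headend decision: first matching dACL entry wins, implicit deny at the end."""
    ip = ipaddress.ip_address(dst)
    for action, net in dacl:
        if ip in net:
            return action
    return "deny"


def path_for(dst, split_networks, dacl):
    """Return 'direct', 'tunnel-permit' or 'tunnel-deny' for one destination."""
    if not goes_through_tunnel(dst, split_networks):
        return "direct"            # never reaches the headend, dACL not consulted
    return "tunnel-" + dacl_verdict(dst, dacl)


if __name__ == "__main__":
    # Same dACL, different split-tunnel list: only tunnel-group A reaches 172.16.5.5.
    for name, split in (("A", SPLIT_TG_A), ("B", SPLIT_TG_B)):
        print(name, "172.16.5.5 ->", path_for("172.16.5.5", split, DACL_PERMIT_ALL))
```

Running it shows tunnel-group B sending 172.16.5.5 direct (outside the tunnel) while A tunnels it and the dACL permits it, which is the symptom described in the question.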
03-26-2026 09:20 AM
Ah okay, thank you very much for confirming