Switch location based DACL

harrzhan
Cisco Employee

Hi experts

With the variable in ISE 2.4, I can tie the name of a DACL to an attribute of an endpoint. Is there a way to tie the name of the DACL to the NAD switch location?

The goal is to implement a location based DACL. There are nearly 200 sites, and the DACL limits the traffic to the local site only. The easiest way to find out where the endpoint is is to use the connected switch's location.

Instead of using Device.location as a condition for these 200 sites, I would rather use DACL name = Device.location in the authorization profile.

Do you have any recommendation?

3 Replies

paul
Level 10

I haven't tested this out, but I have done something similar using a local ACL on the switches at each location.  The switches would have a local ACL called "Local_Access_Only" that is customized for the location and ISE would apply the ACL to the session.  So I am not applying a DACL, but applying an ACL that is on the switch.  

harrzhan
Cisco Employee
Thanks for the answer. However, the number of switches is too big to make it manageable. To add one additional line, I would have to go to all the switches.

That can all be automated assuming you are managing the switches with any modern management software.