My workplace is wanting to get into further segmentation of resources via ACLs. For example, we would like to segment user labs in a way that allows them to specifically not be able to interact with our servers in any way, shape, or form. However, I am curious about people's thoughts on the location of the ACLs being placed.
Our architecture generally consists of a multi-layer switch which is used as our network core and multiple IDFs spread across a physical location. Our servers are generally located in the same physical location/room as the core switch. Would it make more sense for us to put the ACLs in place at the switch closest to user labs, or would it make more sense for the ACLs to be placed on the multi-layer core?
For the traffic you want to filter/drop, it makes most sense to keep the ACL closest to the source - there is no point in the packet traversing the entire network just to be dropped. In this case, I would place the ACL on the SVI of the Lab segment. This way you are sure at the very first hop what traffic can leave the Lab environment.
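An added configuration example (not from this thread) of the SVI placement described above, on a Cisco IOS multilayer switch; the VLAN number, interface name and subnets are placeholders chosen for illustration:

```cisco
! Constructed example: lab VLAN 20 is 10.20.0.0/24, the server VLAN is
! 10.100.0.0/24. Addresses and names are placeholders, not real values.
!
! Extended named ACL evaluated on traffic entering the Lab SVI from the
! lab hosts, i.e. at the first hop, before it ever reaches the core.
ip access-list extended LAB-TO-CORE-IN
 remark Block lab hosts from the server subnet; first match wins
 deny   ip 10.20.0.0 0.0.0.255 10.100.0.0 0.0.0.255 log
 ! Everything else (other user segments, Internet) is still allowed.
 ! Without this line the implicit "deny ip any any" at the end of
 ! every IOS ACL would drop all lab traffic.
 permit ip 10.20.0.0 0.0.0.255 any
!
interface Vlan20
 description Lab segment gateway (SVI)
 ip address 10.20.0.1 255.255.255.0
 ! "in" = packets arriving on the SVI from the lab hosts
 ip access-group LAB-TO-CORE-IN in
!
! Verification: confirm the ACL is bound and watch the hit counters
! show ip interface Vlan20 | include access list
! show ip access-lists LAB-TO-CORE-IN
```

The ACL is stateless, so it also drops lab-side replies to any session a server initiates; if the servers must be able to reach the lab, a matching permit entry is needed above the deny.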
Using ISE, we send down dACLs to the access switchport to control access. This allows us to have a default basic ACL on all switchports and open/restrict on access. This also has the advantage of 1 place to make a change to them vs having to change on every access switch.