11-27-2019 12:14 PM
Hi
If you have an IP ACL on an SVI interface today, how can I implement it in an SD-Access fabric?
I don't mean micro-segmentation, just, for example, denying any ICMP traffic for a specific device.
There is no firewall in front of the site. Do DACLs do the job for me, and are they supported?
Kind regards
Markus
11-27-2019 06:12 PM
Create a static IP-to-SGT mapping for the destination and define the policy on the ISE to block ICMP from the source SGT to DGT.
11-27-2019 10:14 PM
11-27-2019 10:56 PM
It will be enforced on the VLAN, as we push the following config as part of the fabric:
cts role-based enforcement
cts role-based enforcement vlan-list
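A CLI sketch of what the two replies above describe, added here as an illustration and not taken from the thread: a static IP-to-SGT binding for the destination, an SGACL that drops ICMP, and the commands that confirm it is being enforced. The IP address, SGT values 10 and 20, the SGACL name and VLAN 1021 are constructed; in SD-Access the mapping and the policy are normally defined in ISE and downloaded to the fabric nodes rather than typed locally.

```cisco
! --- Local equivalent of the ISE policy (all values constructed) ---
!
! Static IP-to-SGT binding for the protected destination.
! For a host inside a virtual network, use the VRF form:
!   cts role-based sgt-map vrf <vn-name> 10.10.20.50 sgt 20
cts role-based sgt-map 10.10.20.50 sgt 20
!
! SGACL: no addresses, only protocol/port, because source and
! destination are implied by the SGT pair it is bound to.
ip access-list role-based DENY_ICMP
 deny icmp
 permit ip
!
! Bind the SGACL to the cell "source SGT 10 -> destination SGT 20".
cts role-based permissions from 10 to 20 DENY_ICMP
!
! Enforcement, as pushed by the fabric (VLAN id is a placeholder).
cts role-based enforcement
cts role-based enforcement vlan-list 1021
!
! --- Verification (privileged EXEC) ---
! Binding present and learned from the expected source (CLI/ISE):
!   show cts role-based sgt-map all
! SGACL attached to the 10 -> 20 cell:
!   show cts role-based permissions
! Denied-packet counters increase while ICMP is sent to 10.10.20.50:
!   show cts role-based counters
```

Enforcement happens on the node where the destination's SGT is known, so run the verification commands on the edge or border node that holds the binding for the destination.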
12-01-2019 12:44 PM
Hi
The best place to deploy is on Border or Fusion.
https://community.cisco.com/t5/security-documents/policy-enforcement-within-sda-border/ta-p/3646816
Regards.