Enthusiast

SD-Access and IP-ACL

Hi

If you have an IP ACL on an SVI interface today, how can I implement it in an SD-Access fabric?

I don't mean micro-segmentation; just, for example, denying all ICMP traffic for a specific device.

There is no firewall in front of the site. Would a DACL do the job for me, and are DACLs supported?

Kind regards

Markus

1 ACCEPTED SOLUTION

Cisco Employee

Re: SD-Access and IP-ACL

Create a static IP-to-SGT mapping for the destination and define the policy on ISE to block ICMP from the source SGT to the DGT.
4 REPLIES

Enthusiast

Re: SD-Access and IP-ACL

But where will this policy be applied? As far as I know, with GBACLs they are enforced on the outgoing interface inside the fabric. But my destination is outside the fabric.
Cisco Employee

Re: SD-Access and IP-ACL

It will be enforced on the VLAN, as we push the following config as part of the fabric:

cts role-based enforcement
cts role-based enforcement vlan-list
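
The accepted solution and the reply above describe the policy in terms of ISE objects: a static IP-to-SGT mapping for the destination, a contract between a source SGT and a destination SGT, and VLAN-level enforcement on the switch. As an added example that is not part of this thread, here is what that policy looks like once expressed as Catalyst IOS-XE CLI on the switch doing the enforcing. In an SD-Access fabric you define the mapping and the contract in ISE / DNA Center and they push the resulting lines; nothing here is typed by hand. The SGT values (10 for the source group, 100 for the protected host), the destination address 192.0.2.25, the RBACL name DENY_ICMP_TO_HOST and the VLAN range 1021-1030 are made-up placeholders.

```cisco
! Added example (not from the thread): local CTS equivalent of the ISE policy.
! All values are placeholders; in SD-Access, ISE / DNA Center push the
! equivalent configuration rather than an admin typing it.

! 1. Classify the external destination with a static IP-to-SGT mapping.
!    The switch that enforces must know the destination SGT (DGT), so this
!    mapping has to exist on whichever switch enforces (edge, or border).
cts role-based sgt-map 192.0.2.25 sgt 100

! 2. The SGACL itself carries no addresses, only protocol and ports,
!    because source and destination are identified by SGT, not by IP.
ip access-list role-based DENY_ICMP_TO_HOST
 deny icmp
 permit ip

! 3. Bind the SGACL to the source SGT / destination SGT pair. This is what
!    one cell of the ISE policy matrix expands to on the device.
cts role-based permissions from 10 to 100 DENY_ICMP_TO_HOST

! 4. Turn enforcement on globally and on the fabric VLANs (the two lines the
!    Cisco Employee above says are pushed as part of the fabric; the VLAN
!    list is a placeholder).
cts role-based enforcement
cts role-based enforcement vlan-list 1021-1030

! Verification (exec mode):
!   show cts role-based sgt-map all    -> 192.0.2.25 should map to SGT 100
!   show cts role-based permissions    -> from 10 to 100 : DENY_ICMP_TO_HOST
!   show cts role-based counters       -> the 10->100 drop counter increments
!                                         when a host in SGT 10 pings 192.0.2.25
```

Two things worth checking before trusting the policy: first, confirm with `show cts role-based sgt-map all` that the mapping for the external host is actually present on the enforcing switch, since an SGACL can only be matched once both the source SGT and the DGT are known; second, keep the `permit ip` at the end, because an RBACL with only `deny icmp` would otherwise fall through to the default policy for that SGT pair. If you choose to enforce at the border or fusion device instead, as the last reply suggests, the same sgt-map and permissions lines belong on that device.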

Beginner

Re: SD-Access and IP-ACL

Hi

The best place to deploy it is on the Border or Fusion.

https://community.cisco.com/t5/security-documents/policy-enforcement-within-sda-border/ta-p/3646816

Regards.
