@LevAjar they are a couple of things you can do to achieve what you require.
- If you authenticate against ISE/RADIUS, client A is assigned a Downloadable ACL (DACL) that denies access to Client B systems and permits the other traffic. And Vice Versa, a different DACL is assigned to Client B which denies access to Client A resources and permits other traffic. Example
- Or assign a Group Policy and VPN filter to Client A, which denies access to Client B resources and permits the rest. And assign a different Group Policy and VPN filter for Client B. Example.