I've been tasked to allow a certain AD account to log on and enable an automated iPad enrolment proof of concept.
ISE will force the user onto a certain VLAN that will have restricted access to the internet, but I also wanted to stop that VLAN being able to connect to anything else on the network.
The reason I want to block it is that if the account gets out, I don't want them to have access to the internal network.
So I was looking at ACLs (I don't use them often):
Allow UDP DNS ANY ANY ANY
Allow UDP ANY DNS ANY ANY
Allow TCP HTTP ANY ANY ANY
Allow TCP ANY HTTP ANY ANY
Allow TCP HTTPS ANY ANY ANY
Allow TCP ANY HTTPS ANY ANY
So this should allow it to use internal DNS and, I'm guessing, should be able to go to the internet.
Allow IP Subnet 0.0.0.0 ANY ANY ANY
Allow 0.0.0.0 IP Subnet ANY ANY ANY
Deny 0.0.0.0 0.0.0.0 any any any any any
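As an added example (not part of the original post, and not Cisco or ISE code), the script below is a small first-match ACL evaluator you can use to check a candidate guest-VLAN ACL against sample flows before pushing it to a switch. The rule set it carries is constructed for the illustration: it permits UDP/53 only to an assumed internal resolver at 10.0.0.53, denies every RFC 1918 destination, then permits TCP/80 and TCP/443 to anything left (i.e. the internet), with an explicit deny at the end. The guest client 192.168.50.10 and the public address 93.184.216.34 are likewise constructed sample values. The to_ios() helper renders the same rules in IOS extended-ACL syntax so the verified policy and the config you apply are one and the same.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Dict

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" (any protocol), "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None means any destination port


def matches(rule: Rule, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    """True if a single flow (proto, src, dst, dport) is covered by this rule."""
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if ipaddress.IPv4Address(src) not in rule.src:
        return False
    if ipaddress.IPv4Address(dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First-match semantics: the first rule that matches decides; implicit deny otherwise."""
    for rule in acl:
        if matches(rule, proto, src, dst, dport):
            return rule.action
    return "deny"


def to_ios(acl: List[Rule]) -> List[str]:
    """Render rules as IOS extended-ACL entries (wildcard masks, 'host', 'any', 'eq <port>')."""
    def addr(net: ipaddress.IPv4Network) -> str:
        if net == ANY:
            return "any"
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        return f"{net.network_address} {net.hostmask}"
    lines = []
    for r in acl:
        port = f" eq {r.dport}" if r.dport is not None else ""
        lines.append(f"{r.action} {r.proto} {addr(r.src)} {addr(r.dst)}{port}")
    return lines


# Constructed guest-VLAN policy: internal DNS only, no RFC 1918 reachability, web to the internet.
INTERNAL_DNS = ipaddress.IPv4Network("10.0.0.53/32")   # assumed internal resolver (constructed)
GUEST_ACL = [
    Rule("permit", "udp", ANY, INTERNAL_DNS, 53),
    Rule("deny",   "ip",  ANY, ipaddress.IPv4Network("10.0.0.0/8")),
    Rule("deny",   "ip",  ANY, ipaddress.IPv4Network("172.16.0.0/12")),
    Rule("deny",   "ip",  ANY, ipaddress.IPv4Network("192.168.0.0/16")),
    Rule("permit", "tcp", ANY, ANY, 80),
    Rule("permit", "tcp", ANY, ANY, 443),
    Rule("deny",   "ip",  ANY, ANY),
]


def check_policy(acl: List[Rule] = GUEST_ACL) -> Dict[str, str]:
    """Run the constructed sample flows from a guest client through the ACL."""
    client = "192.168.50.10"                          # constructed guest-VLAN address
    return {
        "dns_to_internal_resolver": evaluate(acl, "udp", client, "10.0.0.53", 53),
        "dns_to_public_resolver":   evaluate(acl, "udp", client, "8.8.8.8", 53),
        "https_to_internal_server": evaluate(acl, "tcp", client, "10.0.0.20", 443),
        "https_to_internet":        evaluate(acl, "tcp", client, "93.184.216.34", 443),
        "http_to_internet":         evaluate(acl, "tcp", client, "93.184.216.34", 80),
        "ssh_to_internet":          evaluate(acl, "tcp", client, "93.184.216.34", 22),
        "smb_to_other_guest_vlan":  evaluate(acl, "tcp", client, "192.168.60.5", 445),
    }


if __name__ == "__main__":
    for name, verdict in check_policy().items():
        print(f"{name:28s} {verdict}")
    print()
    print("\n".join(to_ios(GUEST_ACL)))
```

Because the rules are evaluated top down, the order matters: the RFC 1918 denies sit above the web permits so that "permit tcp any any eq 443" cannot reach an internal server, and the DNS permit sits above them because it is narrower (a single host). Swapping a broad permit above the denies would silently change the verdicts, which is exactly what running the sample flows is meant to catch.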