Hi All,
I am aware that it is possible to configure ISE to override the MS port VLAN following successful device authentication ( such as placing computers in the corporate data VLAN if they pass certificate based authentication), however is it also possible to apply an ACL to the session to enforce L3 communication from the computer (similar to how dynamic ACLs/DACLs work with Cisco Catalyst switches)?
Thanks
You can't pass ACLs to the switch directly, as with dACLs, but you can effectively activate ACLs that have been previously configured there in the Dashboard, most powerfully, using Group Policy like this (which allows you to also apply things like rate shaping in a full-stack deployment): https://documentation.meraki.com/MS/Access_Control/Meraki_MS_Group_Policy_Access_Control_Lists#:~:te....
On MS2xx and higher you can use group policy ACL which listens to the Filter-ID AV pair radius response.
However, on MS switches you have some severe limitations in how many ACEs you can use per session and in total. Especially ACEs that contain ports really take down the total you can use.
200 ACEs across the switch?! Does that mean if I make a GP that allows DNS, DHCP, blocks RFC1918 and allows anything else, that would be 5 ACEs? I would only be able to apply it on 40 ports?
@Bucket, GP ACL scales much better than that: ACL entry utilisation does not increase with an increase in the number of active clients within the same group.
1 active-client x 1 group x 10 rules = 10 hardware ACL entries
2 active-clients x 1 group x 10 rules = 10 hardware ACL entries
20k active-clients x 1 group x 10 rules = 10 hardware ACL entries
Hope that helps
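The counting model above (ACL entries are programmed once per group policy, not once per client, with the policy selected by the Filter-Id value in the RADIUS Access-Accept), as an added Python example that is not from the thread or from Meraki. The policy names, rule strings, MACs and the 200-entry budget are constructed or taken from the thread's own figure, and the per-session comparison is a dACL-style model for contrast only.

```python
# Constructed sample data: group policies as pre-configured in the Dashboard,
# each with its list of ACL rules (ACEs). Names and rules are made up.
GROUP_POLICIES = {
    "corp-workstations": [
        "permit udp any any eq 53",      # DNS
        "permit udp any any eq 67",      # DHCP
        "deny ip any 10.0.0.0/8",        # block RFC1918 ranges
        "deny ip any 172.16.0.0/12",
        "deny ip any 192.168.0.0/16",
        "permit ip any any",             # everything else
    ],
    "guest": ["permit udp any any eq 53", "deny ip any 10.0.0.0/8", "permit ip any any"],
    "contractors": ["permit tcp any 10.1.2.3/32 eq 443", "deny ip any any"],  # no clients
}

# Constructed sessions: (client MAC, Filter-Id value returned in the Access-Accept).
SESSIONS = [
    ("00:11:22:33:44:01", "corp-workstations"),
    ("00:11:22:33:44:02", "corp-workstations"),
    ("00:11:22:33:44:03", "guest"),
    ("00:11:22:33:44:04", "no-such-policy"),   # Filter-Id naming no configured policy
]

def group_policy_entries(policies, sessions):
    """Group-policy model: rules are programmed once per group that has at
    least one active client, however many clients share that group."""
    active_groups = {fid for _, fid in sessions if fid in policies}
    return sum(len(policies[g]) for g in active_groups)

def per_session_entries(policies, sessions):
    """dACL-style model for comparison: each session gets its own copy of the rules."""
    return sum(len(policies[fid]) for _, fid in sessions if fid in policies)

def unmatched_filter_ids(policies, sessions):
    """Sessions whose Filter-Id matches no configured group policy (assumed: no ACL applied)."""
    return [(mac, fid) for mac, fid in sessions if fid not in policies]

def within_budget(entries, capacity):
    """True when the programmed entries fit the assumed per-switch ACE budget."""
    return entries <= capacity

if __name__ == "__main__":
    gp = group_policy_entries(GROUP_POLICIES, SESSIONS)
    print("group-policy model:", gp, "hardware entries")
    print("per-session model: ", per_session_entries(GROUP_POLICIES, SESSIONS), "hardware entries")
    print("unmatched Filter-Id sessions:", unmatched_filter_ids(GROUP_POLICIES, SESSIONS))
    # 200 is the figure quoted in the thread, used here only as an assumed budget
    print("fits 200-entry budget:", within_budget(gp, 200))
```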
@Ryan_Pascoe Thanks, that makes a lot more sense.
That also means the MS390 is a beast with Meraki GP compared to a C9300 with dACL, but I guess that's the advantage of using an access-list that exists locally on the switch.