Meraki MS with ISE and DACLs

Solved
Mosquitar
Here to help

Meraki MS with ISE and DACLs

Hi All,

 

I am aware that it is possible to configure ISE to override the MS port VLAN following successful device authentication ( such as placing computers in the corporate data VLAN if they pass certificate based authentication), however is it also possible to apply an ACL to the session to enforce L3 communication from the computer (similar to how dynamic ACLs/DACLs work with Cisco Catalyst switches)?

 

Thanks

1 Accepted Solution
GreenMan
Meraki Employee
Meraki Employee

You can't pass ACLs to the switch directly, as with dACLs, but you can effectively activate ACLs that have been previously configured there in the Dashboard, most powerfully, using Group Policy like this (which allows you to also apply things like rate shaping in a full-stack deployment):   https://documentation.meraki.com/MS/Access_Control/Meraki_MS_Group_Policy_Access_Control_Lists#:~:te....

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

 

View solution in original post

5 Replies 5
GreenMan
Meraki Employee
Meraki Employee

You can't pass ACLs to the switch directly, as with dACLs, but you can effectively activate ACLs that have been previously configured there in the Dashboard, most powerfully, using Group Policy like this (which allows you to also apply things like rate shaping in a full-stack deployment):   https://documentation.meraki.com/MS/Access_Control/Meraki_MS_Group_Policy_Access_Control_Lists#:~:te....

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

 

GIdenJoe
Kind of a big deal
Kind of a big deal

On MS2xx and higher you can use group policy ACL which listens to the Filter-ID AV pair radius response.

However on MS switches you have some severe limitations in how many ACE's you can use per session and in total.  Especially ACE that contain ports really take down the total you can use.

200 ACE across the switch?! Does that mean if I make a gp that allows dns, dhcp, blocks rfc1918 and allows anything else. That would be 5 aces. I would only be able to apply it on 40 ports? 

Ryan_Pascoe
Meraki Employee
Meraki Employee

@Bucket, GP ACL scales much better than that, ACL entry utilisation does not increase with increase in number of active clients within the same group

  • Active group = active, authenticated client
  • ACL entry utilisation does not increase with increase in number of active clients within the same group

active-client  x 1 group x 10 rules 10 hardware ACL entries
active-clients x 1 group x 10 rules 10 hardware ACL entries 

20k active-clients x 1 group x 10 rules 10 hardware ACL entries

 

Hope that helps

@Ryan_Pascoe Thanks, that makes a lot more sense.

 

That also means the MS390 is a beast with Meraki GP compared to a C9300 with dACL, but I guess thats the advantage of using an access-list that exists locally on the switch.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels