Wednesday, August 1, 2018

Cisco/ISE DACL Questions

First time testing DACLs, pushing them from ISE to Cat9300s. Like other switch vendors, we're seeing that Cisco appends a "version number" to the DACL. When the DACL is updated in ISE and an endpoint authenticates, it has the modified DACL with differing numbers appended. So my questions are:

Is it possible for the modified DACL to simply replace the existing DACL, so we don't end up with multiple versions of the DACL?

If not, what is the solution? Set authentication interval so endpoints re-authenticate at some point and receive the new DACL?

If versioning is a problem, another option may be to administer ACLs on the switches and have ISE push a Filter-ID referencing the local switch ACL. My concern here is maintaining ACLs across many switches; we would need an easy way to make edits. Thoughts?
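As an added illustration of the Filter-ID alternative raised in the post (not part of the original post, and not vendor-supplied configuration), this is the shape a locally administered ACL takes on the switch. The ACL name, the subnet, and the interface are assumptions chosen for the example; the `.in` suffix is what the switch expects in the RADIUS Filter-Id attribute so that it applies the named local ACL inbound on the session.

```cisco
! Added example: a locally maintained ACL on the switch, referenced by ISE via Filter-Id.
! ACL name and addresses are placeholders for this example.
ip access-list extended EXAMPLE-CORP-USER
 permit udp any any eq domain
 permit tcp any 10.0.0.0 0.255.255.255 eq 443
 deny   ip  any any log

! The ISE authorization profile would then send Filter-Id = "EXAMPLE-CORP-USER.in"
! (the ".in" suffix tells the switch to apply the ACL inbound on the authenticated port).

! Verification on the switch after an endpoint authenticates:
! show access-session interface GigabitEthernet1/0/1 details
!   (lists the applied ACL under the session's authorization data)
! show ip access-lists EXAMPLE-CORP-USER
!   (confirms the local ACL contents and hit counters)
```

Because the ACL body lives on the switch and ISE only sends its name, an edit is a change to one named ACL rather than a new versioned object pushed per session; the trade-off is exactly the one the post names, keeping that ACL text identical across many switches.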
