Cisco Support Community

New Member

Using PERMIT ANY DACL on IP Phone

Do you generally use the default ISE policy that adds the PERMIT ANY DACL to IP Phones, or do you remove the DACL?

Accepted Solutions
Cisco Employee

I always do the following with my deployments:

1. Always return a dACL even if it is just "permit ip any any". There are bugs with IOS that do not remove the CWA ACLs or the default ACL on the port if you don't return a dACL. I also like it because I can quickly go in and restrict access if needed.

2. I never use anything that is default in ISE. I create my own authorization policies, profiles, identity store sequences, etc. That way I know that I have not touched anything that is default, so I can go back later and use it for reference.

Hope this helps!

 

Thank you for rating helpful posts!
