© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 9 of 70
After the ACL is defined in ISE, it can be associated with an authorization profile, as shown in Figure 4.
Figure 4. Authorization Profile
Note: If a named authentication method list is in place for AAA, an attribute needs to be set from ISE, as
shown in Figure 4. The method list in this example is CLIENT_AUTH.
After the ACL downloads successfully, the client is authorized, and the switch shows the ACL as follows:
Switch#sh access-lists
Extended IP access list xACSACLx-IP-user1-46a243eb (per-user)
1 permit udp any any eq domain
2 permit tcp any any eq domain
3 permit udp any eq bootps any
4 permit udp any any eq bootpc
5 permit udp any eq bootpc any
6 permit ip any any
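An added example (not from the Cisco document): a Python check that parses the `show access-lists` output above, counts the ACEs of each downloaded ACL against the IPv4 ACE figure in Table 1, and flags blanket `permit ip any any` entries such as entry 6. The function names are hypothetical, and comparing a plain ACE count to the Table 1 number is an assumption, not a model of how the switch allocates TCAM.

```python
import re

# Sample input: the `show access-lists` output shown on this page.
SAMPLE = """\
Switch#sh access-lists
Extended IP access list xACSACLx-IP-user1-46a243eb (per-user)
1 permit udp any any eq domain
2 permit tcp any any eq domain
3 permit udp any eq bootps any
4 permit udp any any eq bootpc
5 permit udp any eq bootpc any
6 permit ip any any
"""

# IPv4 ACE figure from Table 1 (Cisco Catalyst 3850). Assumption: a plain
# count of listed ACEs is compared to it; TCAM allocation is not modelled.
IPV4_ACE_BUDGET = 3000

HEADER = re.compile(r"^Extended IP access list (\S+)(?: \((per-user)\))?\s*$")
ACE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.+?)\s*$")


def parse_acls(text):
    """Return {acl_name: {"per_user": bool, "aces": [(seq, action, match)]}}."""
    acls, current = {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = acls.setdefault(
                h.group(1), {"per_user": bool(h.group(2)), "aces": []})
            continue
        a = ACE.match(line)
        if a and current is not None:
            current["aces"].append((int(a.group(1)), a.group(2), a.group(3)))
    return acls


def audit(acls, budget=IPV4_ACE_BUDGET):
    """Count ACEs against the budget and flag blanket permit entries."""
    findings = []
    total = sum(len(acl["aces"]) for acl in acls.values())
    for name, acl in acls.items():
        for seq, action, match in acl["aces"]:
            if action == "permit" and match.split() == ["ip", "any", "any"]:
                findings.append((name, seq, "permit ip any any allows all IPv4 traffic"))
    return {"total_aces": total, "over_budget": total > budget, "findings": findings}


if __name__ == "__main__":
    print(audit(parse_acls(SAMPLE)))
```

On the sample, the check reports six ACEs and flags entry 6: because that entry permits all IPv4 traffic, entries 1 through 5 do not narrow what the client can reach.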
With the Cisco Catalyst 3850 and converged access, ACLs can now be applied to wireless clients as they are
applied on wired ports/clients. The Cisco Catalyst 3850 has more ternary content-addressable memory (TCAM)
space assigned for ACLs than 3K-X switches. The following paragraphs describe some of the scalability numbers.
Table 1 summarizes the access control entries (ACEs) scalability.
Table 1. Scale Numbers
ACL Resources    Cisco Catalyst 3850
IPv4 ACE         3000 entries
IPv6 ACE         1500 entries
L4OPs/ACL        8 L4OPs