We have some generic ACLs that exist on all of the switches that apply everywhere on campus, but we push down custom roles for more specific roles.
We currently use MAC Auth on the wired side. If the device is registered as a printer, ClearPass will return a printer role which only allows access from our Class B address space (to stop spammers from off campus).
We have 4 Cisco 6500s in two VSS pairs on our distribution layer and route at the edge. We will be considering the all-fiber S3500 switch for the next upgrade cycle.
Printer Example:
Role Config Example:
Access Request from ClearPass returning the printer role based on attributes from our registration system:
RADIUS response back to the switch: