ExtremeCloud IQ- Site Engine & Extreme Management Center

  • 1.  NAC Service Rule

    Posted 06-10-2015 10:51
Hi all,

One quick question.
I want to deny traffic for a specific Role in Policy Manager.
So the aim is that traffic from that Role is denied if the destination is, for example,
the subnet with port 22 (SSH).
I have tried to forbid this traffic with IP TCP Port Destination, but it doesn't work for a subnet, and also not if I insert a single host.
Only IP Socket Destination denied that traffic for a single host, but it was not possible to insert a complete subnet in this application mask.
So what am I doing wrong?
Is it possible to deny such traffic for a complete destination subnet?
I also don't understand the difference between IP Socket Destination and IP TCP Port Destination.

    Greetings Ronny

  • 2.  RE: NAC Service Rule

    Posted 06-10-2015 13:02
    Hi Ronny,

Easy question first: the difference between "IP Socket Destination" and "IP TCP Port Destination" is that the first will match on both UDP and TCP, while "IP TCP Port Destination" and "IP UDP Port Destination" only match their respective protocol.

As to your actual problem, I don't think building such a rule is possible. It seems like there is some kind of technical limitation as to how complex these policy rules can become.

If your clients are not residing in the same subnet as the SSH servers (in your example), I guess the easiest workaround would be to block those SSH connections with an ACL on their gateway.

  • 3.  RE: NAC Service Rule

    Posted 06-10-2015 16:40
Looks like it's only supported on some models, like the WLAN Controller and the K/S/Matrix series.
So set the "rule type" to the device you need the rule for and give it a try.

Here is the example for the K/S/Matrix series:

  • 4.  RE: NAC Service Rule

    Posted 06-10-2015 16:56

Thanks for your answers.
The access switch the client is connected to is an Enterasys B5 switch.
But I don't understand why this is not possible.
I also tried to deny the traffic to the complete subnet, i.e. the complete IP protocol.
This works!
But the limitation to TCP or UDP with a specific port is not possible.
This is strange.


  • 5.  RE: NAC Service Rule

    Posted 06-11-2015 16:18

Building a policy to block traffic to a specified IP address or subnet is not possible in the case of stackable switches (A/B/C/D). You can do it only for the S/K series. It is like that because of hardware limits.
It is also possible in the case of wireless controllers.
So building such a rule is generally possible, but limited to specific switch models.

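As an added illustration of the point made in the replies above (it is not code from this thread or from Extreme Networks), here is a small Python model of the "IP Socket Destination" (ipdestsocket) classifier that compares a subnet-with-any-port rule, a host-with-port rule and the subnet-with-port rule from the original question. It assumes the key layout given in the S/K-series CLI reference for `set policy rule <n> ipdestsocket <ip[:port]> mask <1-48>`: the 32-bit IPv4 destination address followed by the 16-bit L4 destination port, with `mask` selecting a contiguous prefix of that 48-bit key. The addresses, ports and the rule index are constructed sample values. Under that assumption, any mask long enough to compare port bits also compares every address bit, which is why a single host plus port works while a subnet plus port cannot be expressed.

```python
"""Model of the policy "IP Socket Destination" (ipdestsocket) classifier.

Added illustration, not code from the thread. ASSUMPTION (taken from the
S/K-series CLI reference for `set policy rule <n> ipdestsocket <ip[:port]>
mask <1-48>`): the classifier key is 48 bits, the 32-bit IPv4 destination
address followed by the 16-bit L4 destination port, and `mask` selects a
contiguous prefix of that key. All addresses and ports below are constructed
sample values.
"""
import ipaddress
from typing import Optional, Tuple

ADDR_BITS = 32
PORT_BITS = 16
KEY_BITS = ADDR_BITS + PORT_BITS


def socket_key(ip: str, port: int = 0) -> int:
    """Pack address and port into the 48-bit key: address in the high 32 bits."""
    return (int(ipaddress.IPv4Address(ip)) << PORT_BITS) | (port & 0xFFFF)


def prefix_mask(length: int) -> int:
    """Contiguous mask covering the `length` high-order bits of the 48-bit key."""
    if not 1 <= length <= KEY_BITS:
        raise ValueError("mask must be 1..48")
    return ((1 << length) - 1) << (KEY_BITS - length)


class DestSocketRule:
    """One `ipdestsocket <ip[:port]> mask <len>` rule."""

    def __init__(self, ip: str, port: Optional[int] = None, mask: int = KEY_BITS):
        self.mask = prefix_mask(mask)
        self.key = socket_key(ip, port or 0) & self.mask

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        """True if the masked destination socket equals the masked rule data."""
        return (socket_key(dst_ip, dst_port) & self.mask) == self.key


def rule_for(subnet: str, port: Optional[int]) -> Optional[Tuple[str, int]]:
    """Data and mask length for a rule matching `subnet` and, optionally, `port`.

    Returns None when no contiguous 48-bit prefix mask can express the request:
    comparing any port bit needs a mask longer than 32, which also compares
    every address bit, so only a /32 host can be combined with a port.
    """
    net = ipaddress.IPv4Network(subnet, strict=False)
    if port is None:
        return str(net.network_address), net.prefixlen
    if net.prefixlen == ADDR_BITS:
        return f"{net.network_address}:{port}", KEY_BITS
    return None


def cli_line(rule_index: int, subnet: str, port: Optional[int]) -> Optional[str]:
    """Render the `set policy rule` line, or None if the classifier cannot express it."""
    spec = rule_for(subnet, port)
    if spec is None:
        return None
    data, mask_len = spec
    return f"set policy rule {rule_index} ipdestsocket {data} mask {mask_len} drop"


if __name__ == "__main__":
    # Whole subnet, any port: expressible (the form that works on the S/K series).
    print(cli_line(3, "192.168.100.0/24", None))
    # Single host on port 22: expressible with the full 48-bit mask.
    print(cli_line(3, "192.168.100.10/32", 22))
    # Subnet on port 22: not expressible, which is the original question.
    print(cli_line(3, "192.168.100.0/24", 22))
    # A mask of 24 with a port in the data silently ignores the port.
    r = DestSocketRule("192.168.100.0", 22, mask=24)
    print(r.matches("192.168.100.5", 80))  # port bits lie outside the mask
```

The last case is the practical trap: entering `192.168.100.0:22` with `mask 24` does not produce a subnet-plus-SSH rule, it produces a subnet-any-port rule, because the port bits are never compared. Since the socket classifier carries no protocol field, the same rule matches both TCP and UDP, which is the difference from the per-protocol "IP TCP/UDP Port Destination" classifiers noted earlier in the thread.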

  • 6.  RE: NAC Service Rule

    Posted 06-11-2015 18:23

    The policy rule would look as follows:

set policy profile 3 name "Test" pvid-status enable pvid 4095
set policy rule 3 ipdestsocket 192.168.100.0 mask 24 drop

    This will drop all traffic destined to 192.168.100.x/24.

The policy can be applied to an individual port.

    The B5 supports the following Policy Features: