Alexander,
This is actually a quite common deployment. I'm not sure of the exact CLI syntax on the switch, but since you have Management Center anyway, I would always recommend configuring policy from there.
From Management Center, you would create a policy that is very similar to what you have. The main difference is that you would specify the servers that are running DHCP and DNS by either a dedicated IP address or by using an Automated service. The example I have below shows a single server that's running DHCP and DNS in the private network. That takes precedence over dropping the IP range of a the private network. So in essence the priority would be:
Allow DHCP to 10.0.40.100 (assumed server)
Allow DNS to 10.0.40.100
Deny IP to 10.0.40.0/24
Allow ARP
Allow HTTP
Allow HTTPS
Let me know if that helps. I can provide more screenshots if you'd like or I can export the PMD file as well.
Thanks,
Tyler
This is actually a quite common deployment. I'm not sure of the exact CLI syntax on the switch, but since you have Management Center anyway, I would always recommend configuring policy from there.
From Management Center, you would create a policy that is very similar to what you have. The main difference is that you would specify the servers that are running DHCP and DNS by either a dedicated IP address or by using an Automated service. The example I have below shows a single server that's running DHCP and DNS in the private network. That takes precedence over dropping the IP range of a the private network. So in essence the priority would be:
Allow DHCP to 10.0.40.100 (assumed server)
Allow DNS to 10.0.40.100
Deny IP to 10.0.40.0/24
Allow ARP
Allow HTTP
Allow HTTPS
Let me know if that helps. I can provide more screenshots if you'd like or I can export the PMD file as well.
Thanks,
Tyler
Dear Tyler, Patrick.
thanks for your help.
I notice, that I should find a different solution then changing the rule precedence.
My requirement is quiet basic.
Client Network "332" : 10.0.254.0/24
Clients should have Internet Access http & https
DNS & DHCP to internal network
No other communication
Internal Network: 10.0.40.0/24
Here we have the DHCP & DNS Server which serves Client Network 332.
And there are several other Server with http/https Web Management.
A Policy which
dns forward
arp forward
dhcp forward
http forward
ip drop
=> Clients can establish unwanted connections to the Web GUI of 3rd party Server in 10.0.40.0/24.
A Policy which
dns forward
arp forward
dhcp forward
http forward
10.0.40.0/24 drop
=> No more DNS/DHCP
Plan B:
With the recommendation not to change the precedence, I plan to apply an ACL which deny http traffic to the internal network.
(or changing the dns/dhcp design)
Best regards
Alexander
thanks for your help.
I notice, that I should find a different solution then changing the rule precedence.
My requirement is quiet basic.
Client Network "332" : 10.0.254.0/24
Clients should have Internet Access http & https
DNS & DHCP to internal network
No other communication
Internal Network: 10.0.40.0/24
Here we have the DHCP & DNS Server which serves Client Network 332.
And there are several other Server with http/https Web Management.
A Policy which
dns forward
arp forward
dhcp forward
http forward
ip drop
=> Clients can establish unwanted connections to the Web GUI of 3rd party Server in 10.0.40.0/24.
A Policy which
dns forward
arp forward
dhcp forward
http forward
10.0.40.0/24 drop
=> No more DNS/DHCP
Plan B:
With the recommendation not to change the precedence, I plan to apply an ACL which deny http traffic to the internal network.
(or changing the dns/dhcp design)
Best regards
Alexander
