NAC Service Rule

  • Updated 3 years ago
Hi together,

one quick question.
I want to deny traffic for a specific Role in Policy Manager.
So the aim is that traffic from that Role is denied if the Destination is for example
the subnet 192.168.1.0/24 with Port 22 (SSH).
I have tried to forbid this traffic with IP TCP Port Destination, but it doesn't work for a subnet, and also not if I insert a single host.
Only IP Socket Destination denied that traffic for a single host but it was not possible to insert a complete subnet in this application mask.
So where is my fault?
Is it possible to deny such traffic for a complete destination subnet?
I don't understand also the difference between IP Socket Destination and IP TCP Port Destination.

Greetings Ronny
Ronny Engelhardt

Posted 3 years ago

Andre K.

Hi Ronny,

easy question first: The difference between "IP Socket Destination" and "IP TCP Port Destination" is that the first will match on both UDP and TCP, while "IP TCP/UDP Port Destination" only matches its respective protocol.

As to your actual problem, I don't think building such a rule is possible. It seems like there is some kind of technical limitation as to how complex these policy rules can become.

If your clients are not residing in the same subnet as the SSH servers (192.168.1.0 in your example), I guess the easiest workaround would be to block those SSH connections with an ACL on their gateway.
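To make the distinction above concrete, here is a small Python model of how the classification types match a packet. It is an added example for this thread, not Extreme/Enterasys code and not the Policy Manager matching engine; the rule-kind labels (ipdest, ipdestsocket, tcpdestport, udpdestport), the Packet and Rule types and the sample packets are all constructed for illustration. It encodes two assumptions stated in the comments: that "IP Socket Destination" takes a destination address with a mask plus a port and matches both TCP and UDP, and that the per-protocol "Port Destination" types match only the port and carry no address component. It deliberately ignores the per-model hardware limits discussed later in the thread.

```python
"""Toy model of how Policy Manager classification types match a packet.

Added example; the rule kinds and their semantics are modelling assumptions,
not a specification of any switch's policy engine.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the fields the rule types look at."""
    dst_ip: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    """One policy rule. `kind` is a hypothetical label for the classification:
    ipdest        - IP Destination: address/subnet only, any protocol
    ipdestsocket  - IP Socket Destination: address/subnet plus port, TCP or UDP
    tcpdestport   - IP TCP Port Destination: TCP destination port only
    udpdestport   - IP UDP Port Destination: UDP destination port only
    """
    kind: str
    action: str                                   # "drop" or "forward"
    network: Optional[ipaddress.IPv4Network] = None
    port: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Return True if the packet falls under this rule's classification."""
    dst = ipaddress.ip_address(pkt.dst_ip)
    if rule.kind == "ipdest":
        return dst in rule.network
    if rule.kind == "ipdestsocket":
        # "Socket" = destination address (with mask) + destination port.
        # Assumption: both TCP and UDP can match, as Andre K. describes.
        return (dst in rule.network
                and pkt.proto in ("tcp", "udp")
                and pkt.dst_port == rule.port)
    if rule.kind == "tcpdestport":
        # Assumption of this model: the per-protocol port classifications
        # carry no destination-address component at all.
        return pkt.proto == "tcp" and pkt.dst_port == rule.port
    if rule.kind == "udpdestport":
        return pkt.proto == "udp" and pkt.dst_port == rule.port
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def classify(rules: List[Rule], pkt: Packet, default: str = "forward") -> str:
    """First matching rule wins; otherwise the role's default action applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Ronny's intent: deny this role's traffic to 192.168.1.0/24 on port 22.
DENY_SSH_TO_SUBNET = Rule("ipdestsocket", "drop",
                          network=ipaddress.ip_network("192.168.1.0/24"),
                          port=22)

# What "IP TCP Port Destination" expresses in this model: TCP/22 anywhere,
# with no way to restrict it to a subnet or host.
DENY_TCP_22_ANYWHERE = Rule("tcpdestport", "drop", port=22)


if __name__ == "__main__":
    # Constructed sample packets from a client in this role.
    samples = [
        Packet("192.168.1.10", "tcp", 22),   # SSH into the protected subnet
        Packet("192.168.1.10", "udp", 22),   # UDP/22 into the same subnet
        Packet("192.168.1.10", "tcp", 443),  # HTTPS into the subnet
        Packet("10.0.0.5", "tcp", 22),       # SSH somewhere else
        Packet("192.168.1.10", "icmp"),      # ping into the subnet
    ]
    for p in samples:
        print(p, "socket-rule:", classify([DENY_SSH_TO_SUBNET], p),
              "tcp-port-rule:", classify([DENY_TCP_22_ANYWHERE], p))
```

Running the block shows why a socket-style rule is the one that expresses "this subnet, this port": the TCP-port rule alone can only say "port 22 everywhere", and the socket rule also catches UDP/22, which matters if the intent is strictly SSH over TCP.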
Ronald Dvorak, Ambassador

Looks like it's only supported on some models... like WLAN Controller & K/S/Matrix series.
So set the "rule type" to the device you need the rule for and give it a try.

Here is the example for the K/S/Matrix series.....

Ronny Engelhardt

Hi,

thanks for your answers.
The Access Switch the client is connected to is an Enterasys B5 switch.
But I don't understand why this is not possible.
I also tried to deny the traffic to the complete subnet, so the complete IP protocol.
This works!
But the limitation to TCP or UDP with a specific port is not possible.
This is strange.

Ronny
Piotr Owczarek

Hi,


Building policy to block traffic to specified IP address or subnet is not possible in case of stackable switches (A/B/C/D). You can do it only for S/K series. It is like that because of limits of hardware.

It is also possible in case of wireless controllers.

So building such a rule is generally possible but limited to specific models of switches.


Piotr
Andre Brits Kannemeyer

Hi

The policy rule would look as follows:

set policy profile 3 name "Test" pvid-status enable pvid 4095
set policy rule 3 ipdestsocket 192.168.100.0 mask 24 drop

This will drop all traffic destined to 192.168.100.x/24.

The policy can be applied to an individual port.

The B5 supports the following Policy Features: