NAC Service Rule

Ronny_Engelhard
New Contributor II
Hi together,

one quick question.
I want to deny traffic for a specific Role in Policy Manager.
So the aim is that traffic from that Role is denied if the Destination is for example
the subnet 192.168.1.0/24 with Port 22 (SSH).
I have tried to forbid this traffic with IP TCP Port Destination but it doesn't work for a subnet and also not if I insert a single host.
Only IP Socket Destination denied that traffic for a single host but it was not possible to insert a complete subnet in this application mask.
So where is my fault?
Is it possible to deny such traffic for a complete destination subnet?
I don't understand also the difference between IP Socket Destination and IP TCP Port Destination.

Greetings Ronny
5 REPLIES

Andre_Brits_Kan
Contributor II
Hi

The policy rule would look as follows:

set policy profile 3 name "Test" pvid-status enable pvid 4095
set policy rule 3 ipdestsocket 192.168.100.0 mask 24 drop

This will drop all traffic destined to 192.168.100.x/24.

The policy can be applied to an individual port.

The B5 supports the following Policy Features:

[attached screenshot: Capture (B5 policy feature table)]


Piotr_Owczarek
New Contributor III
Hi,

Building policy to block traffic to specified IP address or subnet is not possible in case of stackable switches (A/B/C/D). You can do it only for S/K series. It is like that because of limits of hardware.
It is also possible in case of wireless controllers.
So building such rule is generally possible but limited to specific models of switches.

Piotr

Ronny_Engelhard
New Contributor II
Hi,

thanks for your answers.
The Access Switch where the client is connected to is an Enterasys B5 Switch.
But I don't understand why this is not possible.
I also tried to deny the traffic to the complete subnet, so the complete IP protocol.
This works!
But the limitation to tcp or udp with a specific port is not possible.
This is strange.

Ronny
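An added illustration (not code from any poster, and not Enterasys/Extreme code) of what the whole-subnet ipdestsocket rule from Andre's reply actually matches: it parses that CLI line, evaluates a few constructed flows against it, and lists the non-SSH traffic that is dropped along with SSH when only the subnet-wide rule is usable, which is the over-blocking Ronny describes. The second "forward" rule, the flow list and the evaluation order are assumptions made for the example.

```python
import ipaddress
import re

# Constructed rule set: the rule from Andre's reply plus an assumed
# "forward" rule for a second subnet (not from the thread).
RULES = """
set policy rule 3 ipdestsocket 192.168.100.0 mask 24 drop
set policy rule 3 ipdestsocket 10.0.5.0 mask 24 forward
"""

# Only the ipdestsocket form shown on the page is parsed here.
RULE_RE = re.compile(
    r"^set policy rule (\d+) ipdestsocket (\S+) mask (\d+) (drop|forward)$"
)


def parse_rules(text):
    """Parse ipdestsocket policy rules into (profile, network, action) tuples."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        profile, addr, mask, action = m.groups()
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rules.append((int(profile), net, action))
    return rules


def evaluate(rules, profile, dst_ip, proto, dst_port, default="forward"):
    """Return the action for a flow. An ipdestsocket rule only looks at the
    destination address, so proto and dst_port never influence the result."""
    for rule_profile, net, action in rules:
        if rule_profile == profile and ipaddress.ip_address(dst_ip) in net:
            return action
    return default


def collateral(rules, profile, flows, wanted):
    """Flows the rules drop that the administrator did NOT intend to drop."""
    return [f for f in flows
            if evaluate(rules, profile, *f) == "drop" and f not in wanted]


# Constructed flows: (dst_ip, proto, dst_port)
FLOWS = [
    ("192.168.100.10", "tcp", 22),   # the SSH traffic Ronny wants to block
    ("192.168.100.10", "tcp", 443),  # HTTPS to the same subnet
    ("192.168.100.20", "udp", 53),   # DNS to the same subnet
    ("10.0.5.1", "tcp", 22),         # SSH to a different subnet
]
WANTED_DROPS = [("192.168.100.10", "tcp", 22)]

if __name__ == "__main__":
    parsed = parse_rules(RULES)
    for flow in FLOWS:
        print(flow, "->", evaluate(parsed, 3, *flow))
    print("collateral drops:", collateral(parsed, 3, FLOWS, WANTED_DROPS))
```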

Ronald_Dvorak
Honored Contributor
Looks like it's only supported on some models... like WLAN Controller & K/S/Matrix series.
So set the "rule type" to the device you need the rule for and give it a try.

Here the example for the K/S/Matrix series.....

[attached screenshot: PM_rule_ssh_subnet (Policy Manager rule example for K/S/Matrix)]

