Header Only - DO NOT REMOVE - Extreme Networks

VLAN Assignment Policy Manager NAC

  • 16 June 2015
  • 6 replies

Userlevel 1

i have one problem with vlan assignment and nac / policy manager.
We are introducing a Extreme NAC Appliance.
So at present the vlan information for a client is set in the Netsight Console.
In the future we only want to assign a vlan for a client only at one position in network, only in the assigned role for example.
So when i define a role, i can choose the standard operation for traffic that not matches any service rule. Only when i choose contain to vlan, the assigned vlan id that is configured on the switch is overwritten. But then i have the princip of a blacklist if i want to filter any traffic.
How is it possible to invers that princip.
I have been experimenting with the vlan egress tab in policy manager, but with this option you have the problem that the configured vlan on the switch must be consisent with the vlan chosen in policy manager. Additionally i have to say i only want to use untagged vlans.
Is there any possibility to do this?

Many thanks


6 replies

Hi Ronny,

Contain to Vlan means Allow. If You want to deny some traffic you have to explicit specify it as a blocking rule.

Userlevel 1

thanks for you comment.
Yes i understand that but why is it not possible to invers that.
My aim is to deny any traffic as default option and allow only specific traffic to one vlan.


It is not possible to ivert action of contain to vlan. But You can still use deny action with static port to clan assignment. You can also try to play with NAC profile and check if it will be possible to send both Enterasys policy and clan id in one profile.
Userlevel 4
Another option would be to send back both VLAN Assignment (RFC 3580) and Policy assignment from NAC. You need to configure the switch to accept both in Policy Manager, but that should allow you to dynamically assign the VLAN and use any permit/deny rules needed. See attached images for where to allow this in Policy Manager and where to configure it in NAC.

Userlevel 1
Thanks a lot, think this will solve my problem.
I will test it tomorrow.

Userlevel 1
So i checked the Solution and it works indeed.

Thank you for that solution!! 🙂