topic RE: NAC Service Rule in ExtremeCloud IQ- Site Engine Management Center

NAC Service Rule

Ronny_Engelhard — Wed, 10 Jun 2015 17:51:00 GMT

Hi together,

one quick question.
I want to deny traffic for a specific Role in Policy Manager.
So the aim is that traffic from that Role is denied if the Destination is for example
the subnet 192.168.1.0/24 with Port 22 (SSH).
I have tried to forbid this traffic with IP TCP Port Destination but it doesn't work for a subnet and also if i will insert a single host.
Only IP Socket Destination denied that traffic for a single host but it was not possible to insert a complete subnet in this application mask.
So where is my fault?
Is it possible to deny such traffic for a complete destination subnet.
I don't understand also the difference between IP Socket Destination and IP TCP Port Destination.

Greetings Ronny

RE: NAC Service Rule

Andre_K_ — Wed, 10 Jun 2015 20:02:00 GMT

Hi Ronny,

easy question first: The Difference between "IP Socket Destination" and "IP TCP Port Destination" is that the first will match on both UDP and TCP, while "IP TCP/UDP Port Destination" only match their respective protocol.

As to your actual problem, I don't think building such a rule is possible. It seems like there is some kind of technical limitation as to how complex these policy rules can become.

If your clients are not residing in the same subnet as the SSH servers (192.168.1.0 in your example), I guess the easiest workaround would be to block those SSH connections with an ACL on their gateway.

RE: NAC Service Rule

Ronald_Dvorak — Wed, 10 Jun 2015 23:40:00 GMT

Looks like it's only supported on some models... like WLAN Controller & K/S/Matrix series.
So set the "rule type" to the device you are need the rule for and give it a try.

Here the example for the K/S/Matrix series.....

RE: NAC Service Rule

Ronny_Engelhard — Wed, 10 Jun 2015 23:56:00 GMT

Hi,

thanks for your answers.
The Access Switch where the client is connected to, is a Enterasys B5 Switch.
But i don't understand why this is not possible.
I also tried to deny the traffic to the complete subnet, so the complete IP protocol.
This works!
But the limitation to tcp oder udp with a specific port is not possible.
This is strange.

Ronny

RE: NAC Service Rule

Piotr_Owczarek — Thu, 11 Jun 2015 23:18:00 GMT

Hi,

Building policy to block traffic to specified IP address or subnet is not possible in case of stackable switches (A/B/C/D). You can do it only for S/K series. It is like that because of limits of hardware.
It is also possible in case of wireless controllers.
So building such rule is generally possible but limited to specific models of switches.

Piotr

RE: NAC Service Rule

Andre_Brits_Kan — Fri, 12 Jun 2015 01:23:00 GMT

Hi

The policy rule would look as follows:

set policy profile 3 name "Test" pvid-status enable pvid 4095
set policy rule 3 ipdestsocket 192.168.100.0 mask 24 drop

This will drop all traffic destined to 192.168.100.x/24.

The policy can be applied to a individual port.

The B5 supports the following Policy Features: