topic Port-based policy to block outbound traffic except for specific IP addresses and service in ExtremeControl https://community.extremenetworks.com/t5/extremecontrol/port-based-policy-to-block-outbound-traffic-except-for-specific/m-p/120457#M2131 <P>I am looking at creating a really basic NAC policy where all devices in a switch can communicate freely within their subnet (192.168.0.0/24 for example), nothing else, except for a single device (192.168.0.10).<BR /><BR />192.168.0.10 (on a separate physical switchport) needs to be able to talk to not only everything in 192.168.0.0/24, but also needs to be able to send HTTPS requests via TCP/443 out to a device with 10.0.0.10 IP address. I've been able to easily get policy applied to ports to allow or block services completely, but would appreciate assistance in figuring out the simplest approach to also specify IP addresses allowed to communicate.&nbsp;<BR /><BR />In short:<BR />1) 192.168.0.0/24 can talk to everything within that subnet unrestricted. Can't talk to anything else with the exception of a single device (192.168.0.10).</P><P>2) 192.168.0.10 needs to talk to everything on 192.168.0.0/24</P><P>3) 192.168.0.10 needs to also talk to 10.0.0.10 via TCP/443. Communication initiates from 192.168.0.10 outbound to 10.0.0.10<BR /><BR />I apologize if this is easily found on documentation. I've been going through the documentation and training. Figured I'd ask for assistance to make sure I am going down the right path. Thank you!</P> Tue, 07 Oct 2025 15:07:14 GMT jc0299 2025-10-07T15:07:14Z Port-based policy to block outbound traffic except for specific IP addresses and service https://community.extremenetworks.com/t5/extremecontrol/port-based-policy-to-block-outbound-traffic-except-for-specific/m-p/120457#M2131 <P>I am looking at creating a really basic NAC policy where all devices in a switch can communicate freely within their subnet (192.168.0.0/24 for example), nothing else, except for a single device (192.168.0.10).<BR /><BR />192.168.0.10 (on a separate physical switchport) needs to be able to talk to not only everything in 192.168.0.0/24, but also needs to be able to send HTTPS requests via TCP/443 out to a device with 10.0.0.10 IP address. I've been able to easily get policy applied to ports to allow or block services completely, but would appreciate assistance in figuring out the simplest approach to also specify IP addresses allowed to communicate.&nbsp;<BR /><BR />In short:<BR />1) 192.168.0.0/24 can talk to everything within that subnet unrestricted. Can't talk to anything else with the exception of a single device (192.168.0.10).</P><P>2) 192.168.0.10 needs to talk to everything on 192.168.0.0/24</P><P>3) 192.168.0.10 needs to also talk to 10.0.0.10 via TCP/443. Communication initiates from 192.168.0.10 outbound to 10.0.0.10<BR /><BR />I apologize if this is easily found on documentation. I've been going through the documentation and training. Figured I'd ask for assistance to make sure I am going down the right path. Thank you!</P> Tue, 07 Oct 2025 15:07:14 GMT https://community.extremenetworks.com/t5/extremecontrol/port-based-policy-to-block-outbound-traffic-except-for-specific/m-p/120457#M2131 jc0299 2025-10-07T15:07:14Z Re: Port-based policy to block outbound traffic except for specific IP addresses and service https://community.extremenetworks.com/t5/extremecontrol/port-based-policy-to-block-outbound-traffic-except-for-specific/m-p/120505#M2135 <P>I think you can achieve this with the following approach:</P><P>Role A:</P><UL><LI>Permit destination IP 192.168.0.0/24</LI><LI>Permit DHCP</LI><LI>Permit ARP</LI><LI>Permit DNS (if not on 192.168.0.0/24)</LI><LI>Deny the rest</LI></UL><P>Apply this role to all access ports except the one where 192.168.0.10 is present</P><P>Role B:</P><UL><LI>Permit destination IP 192.168.0.0/24</LI><LI>Permit destination socket 10.0.0.10 with TCP port 443</LI><LI>Permit DHCP</LI><LI>Permit ARP</LI><LI>Permit DNS (if not on 192.168.0.0/24)</LI><LI>Deny the rest</LI></UL><P>Apply this role to the port where the 192.168.0.10 is located.<BR /><BR />Do not apply any role to the uplink port.</P><P>Notes:</P><UL><LI>in the policy manager we use Role, in the CLI it is called profile.</LI><LI>you can use NAC (Extreme Control) to assign those roles dynamically, instead of static assignment to the port</LI></UL><P>&nbsp;</P><P>Hope it helps</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 14 Oct 2025 07:34:23 GMT https://community.extremenetworks.com/t5/extremecontrol/port-based-policy-to-block-outbound-traffic-except-for-specific/m-p/120505#M2135 Zdeněk_Pala 2025-10-14T07:34:23Z