02-20-2020 10:38 AM
Good morning, a customer asks if it is possible to use XMC Policy Manager without NAC and RADIUS.
At the moment it is necessary to check the OUI and put it on the correct VLAN.
I configured X440 in CLI and it works, now we want to do the same with XMC.
Thanks
Giuseppe
03-09-2020 07:44 AM
Hi,
With policy, you can assign the policy to a VLAN or port.
With policy, you can assign the policy to a subnet on N/S/K/PV-FC series only, not currently on EXOS.
In the current policy implementation, you cannot combine source and destination in the same filtering rule.
Future features and the roadmap cannot be discussed in public; contact a local representative for details.
03-09-2020 05:09 AM
Hi,
I know they are different tools, but can I do what I am trying to do with Policy instead of ACLs? Can “Policy” restrict which IP subnets have access to a whole VLAN?
“Short answer is: You will not create ACLs with Policy Manager in XMC 8.4 and older.” Does this mean there will be changes in XMC 8.5? 🙂
Regards,
Rahman
03-06-2020 03:13 PM
Hi,
Policy and ACLs are two different tools, used differently.
Short answer is: You will not create ACLs with Policy Manager in XMC 8.4 and older.
03-05-2020 11:40 AM
Hi,
Can we also use XMC Policy Manager without NAC, for L3 ACLs? I am configuring ACLs by CLI and applying them to a VLAN interface on S series and C5. I also do it on X460-G2. So is it possible with Policy Manager? If it is possible, I want to use Policy Manager instead of CLI.
Here is what I want on EOS:
ip access-list extended cctv-camera
permit ip 10.242.2.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip host 192.168.1.44 10.1.1.0 0.0.0.255
permit ip 10.110.100.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 10.111.100.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 10.120.100.0 0.0.0.255 10.1.1.0 0.0.0.255
deny ip any any log
interface vlan.0.33
ip address 10.1.1.1 255.255.255.0 primary
ip access-group cctv-camera out
ip helper-address 192.168.10.96
no shutdown
exit
And on EXOS:
create access-list santral-pbx-110 " source-address 10.150.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ; count santral-pbx-allow-110 ;" application "Cli"
create access-list santral-pbx-120 " source-address 10.160.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ; count santral-pbx-allow-120 ;" application "Cli"
create access-list santral-pbx-130 " source-address 10.111.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ; count santral-pbx-allow-130 ;" application "Cli"
create access-list santral-pbx-deny " source-address 0.0.0.0/0 ; destination-address 10.150.101.0/24 ;" " deny ; count santral-pbx-deny ;" application "Cli"
configure access-list add santral-pbx-110 last priority 0 zone SYSTEM vlan Santral-PBX egress
configure access-list add santral-pbx-120 last priority 0 zone SYSTEM vlan Santral-PBX egress
configure access-list add santral-pbx-130 last priority 0 zone SYSTEM vlan Santral-PBX egress
configure access-list add santral-pbx-deny last priority 0 zone SYSTEM vlan Santral-PBX egress
Regards,
Rahman
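
An added example (not from the thread and not Extreme tooling): Python that translates the EOS extended-ACL entries posted above into EXOS dynamic ACL commands of the same form the poster typed by hand, converting wildcard masks to prefix lengths so both platforms enforce one rule set. The EXOS VLAN name `CCTV`, the rule-name prefix and the `-cnt` counter suffix are assumptions.

```python
import ipaddress

# EOS entries copied from the post above (the lines under "ip access-list extended cctv-camera")
SAMPLE_EOS = """
permit ip 10.242.2.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip host 192.168.1.44 10.1.1.0 0.0.0.255
permit ip 10.110.100.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 10.111.100.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 10.120.100.0 0.0.0.255 10.1.1.0 0.0.0.255
deny ip any any log
"""

def parse_addr(tokens):
    """Consume one EOS address spec (any | host A | A WILDCARD) and return CIDR text."""
    head = tokens.pop(0)
    if head == "any":
        return "0.0.0.0/0"
    if head == "host":
        return tokens.pop(0) + "/32"
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    # A prefix length can only express a contiguous wildcard (binary 0..01..1).
    if wildcard & (wildcard + 1):
        raise ValueError(f"non-contiguous wildcard mask for {head}")
    prefix_len = 32 - wildcard.bit_length()
    return str(ipaddress.ip_network(f"{head}/{prefix_len}", strict=False))

def eos_to_exos(eos_acl, vlan, prefix):
    """Return EXOS create/configure commands for the given EOS 'ip' ACL entries."""
    creates, binds = [], []
    entries = (l for l in eos_acl.splitlines() if l.strip())
    for n, line in enumerate(entries, start=1):
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        src, dst = parse_addr(tokens), parse_addr(tokens)
        # Trailing keywords such as "log" are dropped; every rule gets a counter.
        name = f"{prefix}-{n * 10}"          # constructed naming scheme
        creates.append(f'create access-list {name} " source-address {src} ; '
                       f'destination-address {dst} ;" " {action} ; '
                       f'count {name}-cnt ;" application "Cli"')
        # Bound in source order with "last", as in the post's EXOS commands.
        binds.append(f"configure access-list add {name} last priority 0 "
                     f"zone SYSTEM vlan {vlan} egress")
    return creates + binds

if __name__ == "__main__":
    print("\n".join(eos_to_exos(SAMPLE_EOS, "CCTV", "cctv")))
```

Review the generated deny rule before applying it: the EOS `deny ip any any` becomes a deny for destination `0.0.0.0/0`, which is broader than the destination-scoped deny in the poster's hand-written EXOS rules.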