Rules with Policy not working as intended
‎03-14-2018 12:23 PM
I have a role in Policy which I named LAB-CORP-ROLE. Clients logging in with dot1x (LAN and WLAN) get the proper role. With this role I have defined a few basic rules:
I am testing this with LAN. I know we have to manually rearrange the rules in the EWC, which is really stupid, but that's my honest opinion...
The role is Contain to VLAN. I think this has an implicit permit at the bottom of the rules?
I then allow Base Services, the predefined ones: Permit IP ARP, BootP Server and DNS.
I created another rule which I called deny RFC's. I want to block all traffic to internal IP addresses and allow DNS, DHCP and ARP.
The client does get an IP but is unable to resolve DNS to an internal DNS server, even while I explicitly allow UDP 53 (to all IPs, I suppose). If I add a permit to the IP of the internal DNS server it works fine. This is not what I want to do. I hope I made myself clear, and I also hope someone here might be able to tell me what I am doing wrong.
I also tried to change the Access control on this role to Permit and then add the VLAN to the VLAN Egress tab (untagged of course). I can then see the switchport does get the untagged VLAN on that port, but no MAC addresses are being learned... Seems like a bug as well? Am I doing something wrong?
Kind regards!
‎03-15-2018 09:48 AM
‎03-08-2020 10:25 PM
I have the same problem. Have you found the solution?
‎03-09-2020 08:23 AM
No, the issues back then were the precedence within the rules. As far as I was concerned you could only use it for very basic firewalling. So we bought a proper firewall and rebuilt the solution entirely.
No idea if this is still an issue, it has been quite some time since I last checked the possibilities.
‎03-14-2018 01:33 PM
For the precedence of rules, you may have a look at the following on the switch.
Get the list of profiles with show policy profile and get the PID [example: 2]
X440G2-12p-10G4.35 # sh policy profile
|PID |Name |RS|PVID|CoS|MIR|STDOA|T U|prec |aSum |dSum |web|
[...]
|2 |Deny All |A |0 | | | | | | | | |
[...]
Then you can look at the precedence of rules for that profile [same across a switch]
X440G2-12p-10G4.34 # sh policy profile 2
Profile Index :2
[...]
Rule Precedence :1-2,10,12-18,20-22,25,31
:MACSource (1), MACDest (2), IPv6Dest (10),
:IPSource (12), IPDest (13), IPFrag (14),
:UDPSrcPort (15), UDPDestPort (16), TCPSrcPort (17),
:TCPDestPort (18), TTL (20), IPTOS (21), IPProto (22),
:Ether (25), Port (31)
Then you can see the policy rules associated with that profile [2], and you can see they are ordered [following the rule precedence, independently of the order you use in Policy Manager]
X440G2-12p-10G4.32 # sh policy rule
Admn|Rule Type |Rule Data |Msk|PortStr |RS|ST|STDO|dPID|aPID|Mir|U|
admn|MACSource |D8-84-66-79-A0-87 | 48|5 | A| V| | 4| | |?|
PID |Rule Type |Rule Data |Msk|PortStr |RS|ST|STDO|VLAN|CoS |Mir|U|
2 |IPSource |192.168.10.1 | 32|All | A|NV| |drop| | |?|
2 |UDPSrcPort |1000 | 13|All | A|NV| |drop| | |?|
2 |UDPSrcPort |1008 | 12|All | A|NV| |drop| | |?|
2 |UDPSrcPort |1024 | 7|All | A|NV| |drop| | |?|
2 |UDPSrcPort |1500 | 16|All | A|NV| |fwrd| | |?|
2 |UDPSrcPort |1536 | 8|All | A|NV| |drop| | |?|
2 |UDPSrcPort |1792 | 9|All | A|NV| |drop| | |?|
2 |UDPSrcPort |1920 | 10|All | A|NV| |drop| | |?|
2 |UDPSrcPort |1984 | 12|All | A|NV| |drop| | |?|
2 |UDPSrcPort |2000 | 16|All | A|NV| |drop| | |?|
2 |IPProto |1 (0x1) | 8|All | A|NV| |drop| | |?|
3 |IPProto |58 (0x3a) | 8|All | A|NV| |drop| | |?|
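The precedence list above explains the original poster's symptom: IPDest (precedence 13) is evaluated before UDPDestPort (16), so a deny on the internal address ranges decides the verdict before the UDP 53 permit is ever consulted, no matter how the rules are ordered in Policy Manager. The following is an added example, not code from the thread or from Extreme Networks: a small Python model of that evaluation order, fed with rules constructed to mirror the poster's setup (RFC 1918 denies by IPDest, a UDP 53 permit, and a /32 permit for a hypothetical internal resolver 10.1.1.53). The precedence table is taken from the show policy profile output above; the tie-break "within one rule type, the longest mask wins" is an assumption of this model, consistent with the poster's observation that a host permit for the DNS server overrides the wider deny.

```python
"""Toy model of EXOS policy rule precedence (added example, not from the thread).

Rule types are evaluated in the fixed order the switch prints under
"Rule Precedence"; the first type with a matching rule decides the verdict,
regardless of entry order in Policy Manager. Within one type, the rule with
the longest mask is assumed to win (assumption, see lead-in). The role's
default action applies only when no rule of any type matches.
"""
from dataclasses import dataclass
import ipaddress

# Precedence as shown by "show policy profile 2" (lower value = evaluated first).
PRECEDENCE = {
    "MACSource": 1, "MACDest": 2, "IPv6Dest": 10, "IPSource": 12, "IPDest": 13,
    "IPFrag": 14, "UDPSrcPort": 15, "UDPDestPort": 16, "TCPSrcPort": 17,
    "TCPDestPort": 18, "TTL": 20, "IPTOS": 21, "IPProto": 22, "Ether": 25,
    "Port": 31,
}


@dataclass(frozen=True)
class Rule:
    rtype: str    # one of the PRECEDENCE keys
    data: str     # "10.0.0.0", "53", "17" ...
    mask: int     # match length in bits (CIDR prefix for IP, 16 for a full port)
    action: str   # "fwrd" or "drop", as in "show policy rule"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int    # 17 = UDP, 6 = TCP
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this single rule's classifier match the packet?"""
    if rule.rtype in ("IPSource", "IPDest"):
        addr = pkt.src if rule.rtype == "IPSource" else pkt.dst
        net = ipaddress.ip_network(f"{rule.data}/{rule.mask}", strict=False)
        return ipaddress.ip_address(addr) in net
    if rule.rtype == "UDPDestPort":
        return pkt.proto == 17 and pkt.dport == int(rule.data)
    if rule.rtype == "TCPDestPort":
        return pkt.proto == 6 and pkt.dport == int(rule.data)
    if rule.rtype == "IPProto":
        return pkt.proto == int(rule.data)
    return False  # other classifiers are not modelled here


def evaluate(rules, pkt: Packet, default: str = "fwrd"):
    """Return (action, deciding_rule). deciding_rule is None if the default applied."""
    for rtype in sorted(PRECEDENCE, key=PRECEDENCE.get):
        hits = [r for r in rules if r.rtype == rtype and matches(r, pkt)]
        if hits:
            best = max(hits, key=lambda r: r.mask)  # longest match within the type
            return best.action, best
    return default, None


# Constructed rules mirroring the original poster's "deny RFC's" + "allow DNS" setup.
DENY_INTERNAL = [
    Rule("IPDest", "10.0.0.0", 8, "drop"),
    Rule("IPDest", "172.16.0.0", 12, "drop"),
    Rule("IPDest", "192.168.0.0", 16, "drop"),
]
PERMIT_DNS = [Rule("UDPDestPort", "53", 16, "fwrd")]
# Hypothetical internal resolver; the /32 permit the poster added as a workaround.
PERMIT_DNS_SERVER = [Rule("IPDest", "10.1.1.53", 32, "fwrd")]

# Constructed sample traffic: a DNS query to the internal resolver and one to an
# external resolver (TEST-NET-2 address, documentation range).
INTERNAL_DNS_QUERY = Packet("10.1.1.100", "10.1.1.53", 17, 53)
EXTERNAL_DNS_QUERY = Packet("10.1.1.100", "198.51.100.53", 17, 53)


def op_scenario() -> str:
    """Poster's original rules: IPDest deny wins over UDPDestPort permit."""
    return evaluate(DENY_INTERNAL + PERMIT_DNS, INTERNAL_DNS_QUERY)[0]


def fixed_scenario() -> str:
    """With the /32 permit: same type (IPDest), longer mask wins."""
    return evaluate(DENY_INTERNAL + PERMIT_DNS + PERMIT_DNS_SERVER, INTERNAL_DNS_QUERY)[0]


def external_scenario() -> str:
    """External resolver: no IPDest rule matches, so UDPDestPort 53 decides."""
    return evaluate(DENY_INTERNAL + PERMIT_DNS, EXTERNAL_DNS_QUERY)[0]


if __name__ == "__main__":
    print("internal DNS, original rules :", op_scenario())        # drop
    print("internal DNS, with /32 permit:", fixed_scenario())     # fwrd
    print("external DNS, original rules :", external_scenario())  # fwrd
```

The takeaway for anyone building "deny internal, allow DNS" roles on this platform: a port-based permit can never override an address-based deny, because the address classifier is consulted first. The permit has to live in the same or an earlier classifier type (an IPDest host permit for the resolver, as the poster found), or the deny has to be narrowed so the resolver falls outside it.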
