Extreme NAC - Service rule deny destination IP on switch

NieeBieeski
New Contributor

Hello all,
We have some trouble with the NAC configuration on our x440 switches. We’ve created a service rule that denies traffic to a certain destination subnet, let’s say 10.0.0.0/24, but when a client is connected directly to the switch (via an Ethernet connection) the rule doesn’t work! On WiFi everything works completely fine.
The “show policy capabilities” command issued on the switch shows us that IP Destination Subnet is supported on this device.
Does anyone know how to resolve this problem?
Thanks in advance,

Marcin


NieeBieeski
New Contributor

I switched to “Permit traffic”; it works the same as contain to VLAN. The switch is synced with the domain, everything is applied, and I also checked directly on the switch whether the rules are there, and everything looks fine.
Here is the policy role; it was created for testing purposes. I’ve also tried to block the traffic by IPDstSocket, and that doesn’t work either.

[Screenshot: policy role]
Stefan_K_
Valued Contributor

I’m not 100% sure if service rules are applied if you use “contain to vlan” instead of “Permit Traffic” or “Deny Traffic”. I only used one of the latter when denying access to certain subnets via service rules.

Can you maybe try to use “Permit Traffic”?
Can you go to Policy → Devices → Right-Click the switch and hit “Verify” to check if the policy is correctly applied?
Can you share a screenshot of the policy role?

NieeBieeski
New Contributor

Hi Stefan,
Yes and yes. The switch is part of the policy domain, the NAC role is configured, and the proper service that is supposed to block the traffic is also added to the role.
The role action is contain to VLAN.

Stefan_K_
Valued Contributor

Hi,

Is the switch part of the Policy domain?
Is there a NAC rule configured that applies the correct Role?

Regards
Stefan
