
Extreme NAC - Service rule deny destination IP on switch


NieeBieeski
New Contributor

Hello all,


We have some trouble with the NAC configuration on our X440 switches. We’ve created a service rule that denies traffic to a destination subnet, let’s say 10.0.0.0/24, but when a client is connected directly to the switch (via Ethernet connection) the rule doesn’t work! On WiFi everything works completely fine.


The command “show policy capabilities” issued on the switch shows us that IP Destination Subnet is supported on this device.


Does anyone know how to resolve this problem?


Thanks in advance,

Marcin


NieeBieeski
New Contributor

Hi Tomasz,


Yes and no. When I’m connected via cable to the switch, the connection to 8.8.8.8 is still passing through. When I’m connected to the WLC [which is part of the same domain, and is connected to the same Access Control Engine] the traffic is blocked.


The version of the switch is 30.7.2.1.


BR,

Marcin

Tomasz
Valued Contributor II

Hi Marcin,


Just one thing to confirm, as you are also trying to deny 8.8.8.8: does that one work, at least?

What is the firmware version on the switch, by the way?


Kind regards,

Tomasz

NieeBieeski
New Contributor

Hi Emre,


This is the output from “sh netlogin session ports” on the port that I’m connected to:

[screenshot of the “sh netlogin session ports” output for the port]


And here is the output from “sh configuration policy”. I only paste here the part that is related to the policy “MGMT”:

configure policy profile 1 name "Deny ALL" pvid-status "enable" pvid 0
configure policy profile 2 name "Facebook" pvid-status "enable" pvid 134
configure policy profile 3 name "TOMTOM" pvid 322
configure policy profile 4 name "MGMT" pvid-status "enable" pvid 1065 untagged-vlans 1065
configure policy profile 5 name "PREH" pvid-status "enable" pvid 135
configure policy profile 6 name "ARM" untagged-vlans 32
configure policy profile 7 name "DYSON" untagged-vlans 32
configure policy profile 8 name "APTIV" pvid-status "enable" pvid 124
configure policy profile 9 name "FLIR" pvid 143
configure policy profile 10 name "Permit local"
configure policy profile 11 name "VO" pvid-status "enable" pvid 138
configure policy profile 12 name "Panasonic" pvid 129
configure policy profile 13 name "Captive Portal Redirect" pvid-status "enable" pvid 1065
configure policy profile 14 name "Unregistered" pvid-status "enable" pvid 4095
configure policy profile 15 name "Guest" pvid-status "enable" pvid 1079
configure policy profile 16 name "ASA" untagged-vlans 32
configure policy profile 17 name "BMW" pvid-status "enable" pvid 150
configure policy profile 18 name "Cobham" pvid-status "enable" pvid 165
configure policy profile 19 name "General" pvid-status "enable" pvid 32 untagged-vlans 32
configure policy profile 20 name "TMO" pvid-status "enable" pvid 32 untagged-vlans 32
configure policy profile 21 name "Printer" pvid-status "enable" pvid 1040
configure policy profile 22 name "VoIP" pvid-status "enable" pvid 32
configure policy profile 23 name "Access Point" pvid-status "enable" pvid 4095 untagged-vlans 1308
configure policy profile 24 name "CCTV"
configure policy rule 2 ipdestsocket 8.8.8.8 mask 32 drop
configure policy rule 2 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 2 ipdestsocket 10.243.9.1:0 mask 48 drop
configure policy rule 2 ipdestsocket 10.243.40.11 mask 32 drop
configure policy rule 2 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 2 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 2 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 2 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 2 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 2 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 2 ipdestsocket 10.245.21.0 mask 28 forward
configure policy rule 2 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 2 ipdestsocket 10.245.65.0 mask 24 drop
configure policy rule 2 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 2 ipdestsocket 192.168.134.0 mask 24 forward
configure policy rule 2 tcpdestportIP 80 mask 16 forward
configure policy rule 2 tcpdestportIP 443 mask 16 forward
configure policy rule 2 ipproto 1 mask 8 drop
configure policy rule 2 ipdestsocket 10.243.40.1:0-65535 mask 64 drop
configure policy rule 3 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 3 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 3 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 3 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 3 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 3 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 3 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 3 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 3 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 3 tcpdestportIP 80 mask 16 forward
configure policy rule 3 tcpdestportIP 443 mask 16 forward
configure policy rule 4 ipdestsocket 8.8.8.8 mask 32 drop
configure policy rule 4 ipdestsocket 10.243.9.1:0 mask 48 drop
configure policy rule 4 ipdestsocket 10.243.40.11 mask 32 drop
configure policy rule 4 ipproto 1 mask 8 drop
configure policy rule 4 ipdestsocket 10.243.40.1:0-65535 mask 64 drop
configure policy rule 5 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 5 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 5 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 5 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 5 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 5 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 5 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 5 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 5 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 5 ipdestsocket 192.168.135.0 mask 24 forward
configure policy rule 5 tcpdestportIP 80 mask 16 forward
configure policy rule 5 tcpdestportIP 443 mask 16 forward
configure policy rule 6 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 6 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 6 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 6 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 6 ipdestsocket 10.244.21.160 mask 28 forward
configure policy rule 6 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 6 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 6 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 6 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 6 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 6 tcpdestportIP 80 mask 16 forward
configure policy rule 6 tcpdestportIP 443 mask 16 forward
configure policy rule 7 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 7 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 7 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 7 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 7 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 7 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 7 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 7 ipdestsocket 10.245.21.32 mask 28 forward
configure policy rule 7 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 7 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 7 tcpdestportIP 80 mask 16 forward
configure policy rule 7 tcpdestportIP 443 mask 16 forward
configure policy rule 8 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 8 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 8 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 8 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 8 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 8 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 8 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 8 ipdestsocket 10.245.21.48 mask 28 forward
configure policy rule 8 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 8 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 8 ipdestsocket 192.168.121.0 mask 24 forward
configure policy rule 8 tcpdestportIP 80 mask 16 forward
configure policy rule 8 tcpdestportIP 443 mask 16 forward
configure policy rule 9 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 9 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 9 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 9 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 9 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 9 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 9 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 9 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 9 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 9 ipdestsocket 192.168.143.0 mask 24 forward
configure policy rule 9 tcpdestportIP 80 mask 16 forward
configure policy rule 9 tcpdestportIP 443 mask 16 forward
configure policy rule 11 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 11 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 11 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 11 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 11 ipdestsocket 10.244.21.16 mask 28 forward
configure policy rule 11 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 11 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 11 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 11 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 11 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 11 ipdestsocket 192.168.138.0 mask 24 forward
configure policy rule 11 tcpdestportIP 80 mask 16 forward
configure policy rule 11 tcpdestportIP 443 mask 16 forward
configure policy rule 12 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 12 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 12 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 12 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 12 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 12 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 12 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 12 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 12 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 12 tcpdestportIP 80 mask 16 forward
configure policy rule 12 tcpdestportIP 443 mask 16 forward
configure policy rule 13 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 13 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 13 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 14 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 14 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 14 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 14 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 14 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 16 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 16 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 16 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 16 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 16 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 16 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 16 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 16 ipdestsocket 10.245.21.112 mask 28 forward
configure policy rule 16 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 16 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 16 tcpdestportIP 80 mask 16 forward
configure policy rule 16 tcpdestportIP 443 mask 16 forward
configure policy rule 17 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 17 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 17 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 17 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 17 ipdestsocket 10.244.21.32 mask 28 forward
configure policy rule 17 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 17 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 17 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 17 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 17 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 17 ipdestsocket 192.168.150.0 mask 24 forward
configure policy rule 17 tcpdestportIP 80 mask 16 forward
configure policy rule 17 tcpdestportIP 443 mask 16 forward
configure policy rule 18 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 18 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 18 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 18 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 18 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 18 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 18 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 18 ipdestsocket 10.245.21.128 mask 28 forward
configure policy rule 18 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 18 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 18 ipdestsocket 192.168.165.0 mask 25 forward
configure policy rule 18 tcpdestportIP 80 mask 16 forward
configure policy rule 18 tcpdestportIP 443 mask 16 forward
configure policy rule 19 ipdestsocket 10.243.40.11 mask 32 drop
configure policy vlanauthorization enable
enable policy
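An added example (not from the thread or from Extreme): a small Python checker that parses the pasted “show configuration policy” lines and reports which ipdestsocket rule of a given profile covers a destination address, so the profile shown by “show netlogin session ports” for the wired port can be compared against the one that actually carries the drop. It assumes longest-prefix-wins among ipdestsocket rules and ignores the port bits of a socket and the other classifiers (tcpdestportIP, ipproto); a missing match means the profile’s default action applies.

```python
import ipaddress
import re

# Excerpt copied from the thread's "sh configuration policy" paste (profiles 2 and 4).
POLICY_CONFIG = """\
configure policy profile 2 name "Facebook" pvid-status "enable" pvid 134
configure policy profile 4 name "MGMT" pvid-status "enable" pvid 1065 untagged-vlans 1065
configure policy rule 2 ipdestsocket 8.8.8.8 mask 32 drop
configure policy rule 2 ipdestsocket 10.245.65.0 mask 24 drop
configure policy rule 2 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 4 ipdestsocket 8.8.8.8 mask 32 drop
configure policy rule 4 ipdestsocket 10.243.9.1:0 mask 48 drop
configure policy rule 4 ipproto 1 mask 8 drop
"""

PROFILE_RE = re.compile(r'^configure policy profile (\d+) name "([^"]+)"')
RULE_RE = re.compile(r'^configure policy rule (\d+) ipdestsocket (\S+) mask (\d+) (drop|forward)$')


def parse_policy(text):
    """Return ({profile_id: name}, {profile_id: [(ip_network, action), ...]}).
    Only ipdestsocket rules are parsed; ipproto/tcpdestportIP lines are skipped."""
    names, rules = {}, {}
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            names[int(m.group(1))] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            pid, sock, mask, action = int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)
            # Assumption: "a.b.c.d:port" sockets use mask bits above 32 for the port;
            # only the IP prefix (capped at /32) is evaluated here, the port is ignored.
            ip = sock.split(":")[0]
            net = ipaddress.ip_network(f"{ip}/{min(mask, 32)}", strict=False)
            rules.setdefault(pid, []).append((net, action))
    return names, rules


def lookup(names, rules, profile_name, dest_ip):
    """Action the named profile applies to dest_ip under the longest-prefix assumption,
    or None when no ipdestsocket rule of that profile covers the address."""
    pid = next(p for p, n in names.items() if n == profile_name)
    addr = ipaddress.ip_address(dest_ip)
    hits = [(net, act) for net, act in rules.get(pid, []) if addr in net]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)[1]
```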


Emre_Kurtman
Extreme Employee

Hi Marcin,


Have you checked the “show netlogin session ports port-number” output to confirm whether the policy is applied to the end-system after successful authentication?


Please also send the output of “show configuration policy” from the switch.


Thanks,

Emre Kurtman Technical Marketing Engineer / Extreme Networks