Extreme NAC - Service rule deny destination IP on switch
09-08-2021 08:26 AM
Hello all,
We have some trouble with the NAC configuration on our X440 switches. We've created a service rule that denies traffic to some destination subnet, let's say 10.0.0.0/24, but when a client is connected directly to the switch (via an Ethernet connection) the rule doesn't work! On WiFi everything works completely fine.
The command "show policy capabilities" issued on the switch shows us that IP Destination Subnet is supported on this device.
Does anyone know how to resolve this problem?
Thanks in advance,
Marcin
09-10-2021 07:11 AM
Hi Tomasz,
Yes and no. When I'm connected via cable to the switch, the connection to 8.8.8.8 still passes through. When I'm connected to the WLC [which is part of the same domain and is connected to the same Access Control Engine], the traffic is blocked.
Version of the switch is: 30.7.2.1.
BR,
Marcin
09-09-2021 02:51 PM
Hi Marcin,
Just one thing to confirm, as you are also trying to deny 8.8.8.8. Does that one work at least perhaps?
What is the fw version on the switch by the way?
Kind regards,
Tomasz
09-08-2021 10:43 AM
Hi Emre,
This is the output from "sh netlogin session ports" on the port that I'm connected to:
And here is the output from "sh configuration policy". I only paste here the part that is related to the policy "MGMT":
configure policy profile 1 name "Deny ALL" pvid-status "enable" pvid 0
configure policy profile 2 name "Facebook" pvid-status "enable" pvid 134
configure policy profile 3 name "TOMTOM" pvid 322
configure policy profile 4 name "MGMT" pvid-status "enable" pvid 1065 untagged-vlans 1065
configure policy profile 5 name "PREH" pvid-status "enable" pvid 135
configure policy profile 6 name "ARM" untagged-vlans 32
configure policy profile 7 name "DYSON" untagged-vlans 32
configure policy profile 8 name "APTIV" pvid-status "enable" pvid 124
configure policy profile 9 name "FLIR" pvid 143
configure policy profile 10 name "Permit local"
configure policy profile 11 name "VO" pvid-status "enable" pvid 138
configure policy profile 12 name "Panasonic" pvid 129
configure policy profile 13 name "Captive Portal Redirect" pvid-status "enable" pvid 1065
configure policy profile 14 name "Unregistered" pvid-status "enable" pvid 4095
configure policy profile 15 name "Guest" pvid-status "enable" pvid 1079
configure policy profile 16 name "ASA" untagged-vlans 32
configure policy profile 17 name "BMW" pvid-status "enable" pvid 150
configure policy profile 18 name "Cobham" pvid-status "enable" pvid 165
configure policy profile 19 name "General" pvid-status "enable" pvid 32 untagged-vlans 32
configure policy profile 20 name "TMO" pvid-status "enable" pvid 32 untagged-vlans 32
configure policy profile 21 name "Printer" pvid-status "enable" pvid 1040
configure policy profile 22 name "VoIP" pvid-status "enable" pvid 32
configure policy profile 23 name "Access Point" pvid-status "enable" pvid 4095 untagged-vlans 1308
configure policy profile 24 name "CCTV"
configure policy rule 2 ipdestsocket 8.8.8.8 mask 32 drop
configure policy rule 2 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 2 ipdestsocket 10.243.9.1:0 mask 48 drop
configure policy rule 2 ipdestsocket 10.243.40.11 mask 32 drop
configure policy rule 2 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 2 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 2 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 2 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 2 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 2 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 2 ipdestsocket 10.245.21.0 mask 28 forward
configure policy rule 2 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 2 ipdestsocket 10.245.65.0 mask 24 drop
configure policy rule 2 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 2 ipdestsocket 192.168.134.0 mask 24 forward
configure policy rule 2 tcpdestportIP 80 mask 16 forward
configure policy rule 2 tcpdestportIP 443 mask 16 forward
configure policy rule 2 ipproto 1 mask 8 drop
configure policy rule 2 ipdestsocket 10.243.40.1:0-65535 mask 64 drop
configure policy rule 3 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 3 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 3 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 3 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 3 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 3 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 3 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 3 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 3 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 3 tcpdestportIP 80 mask 16 forward
configure policy rule 3 tcpdestportIP 443 mask 16 forward
configure policy rule 4 ipdestsocket 8.8.8.8 mask 32 drop
configure policy rule 4 ipdestsocket 10.243.9.1:0 mask 48 drop
configure policy rule 4 ipdestsocket 10.243.40.11 mask 32 drop
configure policy rule 4 ipproto 1 mask 8 drop
configure policy rule 4 ipdestsocket 10.243.40.1:0-65535 mask 64 drop
configure policy rule 5 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 5 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 5 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 5 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 5 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 5 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 5 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 5 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 5 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 5 ipdestsocket 192.168.135.0 mask 24 forward
configure policy rule 5 tcpdestportIP 80 mask 16 forward
configure policy rule 5 tcpdestportIP 443 mask 16 forward
configure policy rule 6 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 6 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 6 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 6 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 6 ipdestsocket 10.244.21.160 mask 28 forward
configure policy rule 6 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 6 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 6 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 6 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 6 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 6 tcpdestportIP 80 mask 16 forward
configure policy rule 6 tcpdestportIP 443 mask 16 forward
configure policy rule 7 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 7 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 7 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 7 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 7 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 7 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 7 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 7 ipdestsocket 10.245.21.32 mask 28 forward
configure policy rule 7 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 7 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 7 tcpdestportIP 80 mask 16 forward
configure policy rule 7 tcpdestportIP 443 mask 16 forward
configure policy rule 8 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 8 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 8 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 8 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 8 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 8 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 8 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 8 ipdestsocket 10.245.21.48 mask 28 forward
configure policy rule 8 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 8 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 8 ipdestsocket 192.168.121.0 mask 24 forward
configure policy rule 8 tcpdestportIP 80 mask 16 forward
configure policy rule 8 tcpdestportIP 443 mask 16 forward
configure policy rule 9 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 9 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 9 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 9 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 9 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 9 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 9 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 9 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 9 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 9 ipdestsocket 192.168.143.0 mask 24 forward
configure policy rule 9 tcpdestportIP 80 mask 16 forward
configure policy rule 9 tcpdestportIP 443 mask 16 forward
configure policy rule 11 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 11 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 11 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 11 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 11 ipdestsocket 10.244.21.16 mask 28 forward
configure policy rule 11 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 11 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 11 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 11 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 11 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 11 ipdestsocket 192.168.138.0 mask 24 forward
configure policy rule 11 tcpdestportIP 80 mask 16 forward
configure policy rule 11 tcpdestportIP 443 mask 16 forward
configure policy rule 12 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 12 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 12 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 12 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 12 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 12 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 12 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 12 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 12 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 12 tcpdestportIP 80 mask 16 forward
configure policy rule 12 tcpdestportIP 443 mask 16 forward
configure policy rule 13 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 13 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 13 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 14 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 14 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 14 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 14 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 14 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 16 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 16 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 16 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 16 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 16 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 16 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 16 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 16 ipdestsocket 10.245.21.112 mask 28 forward
configure policy rule 16 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 16 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 16 tcpdestportIP 80 mask 16 forward
configure policy rule 16 tcpdestportIP 443 mask 16 forward
configure policy rule 17 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 17 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 17 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 17 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 17 ipdestsocket 10.244.21.32 mask 28 forward
configure policy rule 17 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 17 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 17 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 17 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 17 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 17 ipdestsocket 192.168.150.0 mask 24 forward
configure policy rule 17 tcpdestportIP 80 mask 16 forward
configure policy rule 17 tcpdestportIP 443 mask 16 forward
configure policy rule 18 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 18 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 18 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 18 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 18 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 18 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 18 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 18 ipdestsocket 10.245.21.128 mask 28 forward
configure policy rule 18 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 18 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 18 ipdestsocket 192.168.165.0 mask 25 forward
configure policy rule 18 tcpdestportIP 80 mask 16 forward
configure policy rule 18 tcpdestportIP 443 mask 16 forward
configure policy rule 19 ipdestsocket 10.243.40.11 mask 32 drop
configure policy vlanauthorization enable
enable policy
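As an added example (not code from the thread or from Extreme), a small Python checker that parses "configure policy rule" lines like the ones pasted above and reports what a packet should get under one profile, so the expected result for profile 4 ("MGMT") can be compared with what the switch actually does on the wired port. It embeds the five rule 4 lines from the post as its sample; the ipdestsocket mask semantics it implements (bits up to 32 are the IP prefix, bits above that bring in the port) are an assumption, not something stated on the page.

```python
import ipaddress
import re
# Constructed sample: the five "configure policy rule 4" lines (profile "MGMT")
# copied from the post above; not the full switch configuration.
SAMPLE_RULES = """\
configure policy rule 4 ipdestsocket 8.8.8.8 mask 32 drop
configure policy rule 4 ipdestsocket 10.243.9.1:0 mask 48 drop
configure policy rule 4 ipdestsocket 10.243.40.11 mask 32 drop
configure policy rule 4 ipproto 1 mask 8 drop
configure policy rule 4 ipdestsocket 10.243.40.1:0-65535 mask 64 drop
"""
RULE_RE = re.compile(r"configure policy rule (\d+) (\S+) (\S+) mask (\d+) (forward|drop)$")
def parse_rules(text):
    """Parse EXOS 'configure policy rule' lines into dicts; other lines are skipped."""
    rules = []
    for m in filter(None, (RULE_RE.match(ln.strip()) for ln in text.splitlines())):
        prof, kind, value, mask, action = m.groups()
        rules.append({"profile": int(prof), "kind": kind, "value": value,
                      "mask": int(mask), "action": action})
    return rules

def _ipdestsocket_hit(value, mask, dst_ip, dst_port):
    # Assumed mask semantics: bits 1-32 are the IP prefix length, bits above 32
    # pull in the destination port; "lo-hi" after the colon is a port range.
    ip_part, _, port_part = value.partition(":")
    net = ipaddress.ip_network(f"{ip_part}/{min(mask, 32)}", strict=False)
    if ipaddress.ip_address(dst_ip) not in net:
        return False
    if mask <= 32 or not port_part:
        return True
    if "-" in port_part:
        lo, hi = (int(p) for p in port_part.split("-"))
        return lo <= dst_port <= hi
    return dst_port == int(port_part)

def matching_rules(rules, profile, dst_ip, proto, dst_port=0):
    # Rules of one profile that classify a packet (dst IP, IP protocol number, dst port).
    hits = []
    for r in (r for r in rules if r["profile"] == profile):
        k, v = r["kind"], r["value"]
        if ((k == "ipdestsocket" and _ipdestsocket_hit(v, r["mask"], dst_ip, dst_port))
                or (k == "ipproto" and proto == int(v))
                or (k == "tcpdestportIP" and proto == 6 and dst_port == int(v))):
            hits.append(r)
    return hits

def expected_action(rules, profile, dst_ip, proto, dst_port=0):
    # 'drop'/'forward' when all hits agree; 'conflict' when they differ (EXOS then
    # decides by classification precedence, not line order); None when nothing matches.
    actions = {r["action"] for r in matching_rules(rules, profile, dst_ip, proto, dst_port)}
    return None if not actions else (actions.pop() if len(actions) == 1 else "conflict")
```

A None result means the profile has no rule for that destination at all, which is a different problem from a rule that is present but not enforced on the port.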
09-08-2021 10:22 AM
Hi Marcin,
Have you checked “show netlogin session ports port-number” output to confirm whether the Policy is applied to the end-system after successful authentication?
Please also send the output of “show configuration policy” from the switch.
Thanks,