MVP
Posts: 371
Registered: ‎01-14-2010

Cisco Switch Downloadable ACL example and troubleshooting

All,

 

I'm trying to put together a quarantine VLAN that does the following:

 

  1. I want to allow DHCP
  2. I want to allow DNS
  3. I want to allow traffic to three Clearpass IPs so the OnGuard client can communicate a posture change to a healthy status
  4. I want to block traffic to two of their internal subnets 
  5. The last line will allow Internet access in the meantime

Here's ideally what this would look like as an enforcement policy being sent as a Cisco-IP-Downloadable-ACL (185):

 

permit udp any eq bootpc any eq bootps
permit udp any eq domain
permit ip any 10.10.100.70 0.0.0.0
permit ip any 10.10.100.69 0.0.0.0
permit ip any 10.10.100.68 0.0.0.0
deny ip any 192.168.0.0 0.0.255.255
deny ip any 10.0.0.0 0.0.0.255
permit ip any any

 

Unfortunately, I can't get the above to work correctly. I'm able to do the following Cisco-IP-Downloadable-ACL (185):

 

deny ip any 192.168.0.0 0.0.255.255
deny ip any 10.0.0.0 0.0.0.255
permit ip any 10.10.100.70 0.0.0.0
permit ip any 10.10.100.69 0.0.0.0
permit ip any 10.10.100.68 0.0.0.0
permit ip any any

 

The strange thing is that I'm still able to access http resources and ping in the 10/8 subnet, even with the above. Here are the switch details:

 

Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(54)SG1, RELEASE SOFTWARE (fc1)

 

Any help would definitely be appreciated – thanks!

 

-Mike

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: Cisco Switch Downloadable ACL example and troubleshooting

Mike,

 

Here is an example of my onguard and my guest; it might give you a starting point. I'll try to replicate what you're doing and see if I can come up with what you need.

 

deny   tcp any host 10.60.1.xxx
deny   tcp any host 10.60.2.xxx
permit tcp any any
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any any eq 23
permit tcp any any eq 25
permit tcp any any eq 110
permit tcp any any eq 587
permit tcp any any eq 21
permit tcp any any eq 20

 

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080bb1929.shtml

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
MVP
Posts: 371
Registered: ‎01-14-2010

Re: Cisco Switch Downloadable ACL example and troubleshooting

Troy,

 

As always, super helpful! I'll give the below a try tomorrow afternoon and update this thread.

 

permit 

MVP
Posts: 371
Registered: ‎01-14-2010

Re: Cisco Switch Downloadable ACL example and troubleshooting

Troy,

 

I also was just shown that I jacked up the wildcard mask on the /8... which explains why some of the IPs in that range were working. That line should read:

 

deny ip any 10.0.0.0 0.255.255.255

 

Thanks!

 

-Mike

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: Cisco Switch Downloadable ACL example and troubleshooting

Nice catch,

Let me know how it turns out.
Thank You,
Troy

MVP
Posts: 371
Registered: ‎01-14-2010

Re: Cisco Switch Downloadable ACL example and troubleshooting

Hi Troy,

 

I was able to get the following working:

 

permit udp any host 10.10.100.22
permit udp any host 10.10.100.25
permit ip any host 10.10.100.70
permit ip any host 10.10.100.69
permit ip any host 10.10.100.68
deny ip any 192.168.0.0 0.0.255.255
deny ip any 10.0.0.0 0.255.255.255
permit ip any any

 

I wasn't able to get any of the "eq" commands working on the switch. The UDP packets referenced in the first two lines will work for DHCP and DNS. Granted, it's not as granular as I would like, but it's definitely a start.

 

Btw, do you know if it's possible to send an ACL name to a Cisco switch, similar to how you can send a filter ID to a Juniper switch? It might be a better idea to just send an ACL name to the switch and then get granular at that level. I haven't set that up before and was wondering if you had?

 

Thanks!

 

-Mike
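To make the wildcard-mask slip and the first-match behaviour of the dACLs in this thread concrete, here is a small evaluator I added (it is not code from the thread or from Aruba/Cisco). It parses the permit/deny lines in the form used above, applies Cisco wildcard semantics (0 bit = must match, 1 bit = don't care), and returns the first matching action with the implicit deny at the end; port qualifiers (`eq ...`) are parsed past but not enforced, and the sample ACL strings are constructed from the posts.

```python
import ipaddress

# Constructed for this example: the /8 deny with the mask as first written,
# the corrected mask, and the dACL reported as working in the thread.
WRONG_MASK_ACL = "deny ip any 10.0.0.0 0.0.0.255\npermit ip any any"
FIXED_MASK_ACL = "deny ip any 10.0.0.0 0.255.255.255\npermit ip any any"
WORKING_ACL = """permit udp any host 10.10.100.22
permit udp any host 10.10.100.25
permit ip any host 10.10.100.70
permit ip any host 10.10.100.69
permit ip any host 10.10.100.68
deny ip any 192.168.0.0 0.0.255.255
deny ip any 10.0.0.0 0.255.255.255
permit ip any any"""

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(network)) & care

def _parse_endpoint(tokens):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD', skipping a trailing 'eq PORT'."""
    if tokens[0] == "any":
        endpoint, rest = ("0.0.0.0", "255.255.255.255"), tokens[1:]
    elif tokens[0] == "host":
        endpoint, rest = (tokens[1], "0.0.0.0"), tokens[2:]
    else:
        endpoint, rest = (tokens[0], tokens[1]), tokens[2:]
    if rest[:1] == ["eq"]:  # port qualifiers are not enforced by this evaluator
        rest = rest[2:]
    return endpoint, rest

def parse_acl(text):
    """Turn dACL lines into (action, protocol, src, dst) tuples, in order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        src, rest = _parse_endpoint(tok[2:])
        dst, _ = _parse_endpoint(rest)
        rules.append((tok[0], tok[1], src, dst))
    return rules

def evaluate(acl_text, proto, src, dst):
    """First matching line wins; an unmatched packet hits the implicit deny."""
    for action, rproto, (snet, swc), (dnet, dwc) in parse_acl(acl_text):
        if rproto != "ip" and rproto != proto:
            continue
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"
```

With the 0.0.0.255 mask only 10.0.0.0/24 is denied and a host such as 10.10.5.5 falls through to `permit ip any any`, which matches the symptom Mike saw; with 0.255.255.255 the whole 10/8 is denied.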

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: Cisco Switch Downloadable ACL example and troubleshooting

Yes, you can send a named ACL. Here is an example where I'm calling a named ACL with a URL redirect.

Thank You,
Troy

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: Cisco Switch Downloadable ACL example and troubleshooting

There is also a beginner's guide here.

http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=10344
Thank You,
Troy

MVP
Posts: 371
Registered: ‎01-14-2010

Re: Cisco Switch Downloadable ACL example and troubleshooting

Hi Troy,

 

Thanks for passing along that link, if others on the forum haven't seen it. I think your example of a real-world dACL should be included in that guide. I've been using that guide to set up Cisco switches with Clearpass without issue. It's the dACL portion that is definitely lacking.

 

Thanks for the help!

 

-Mike
