All,
I'm trying to put together a quarantine VLAN that does the following:
- I want to allow DHCP
- I want to allow DNS
- I want to allow traffic to three Clearpass IPs so the OnGuard client can communicate a posture change to a healthy status
- I want to block traffic to two of their internal subnets
- The last line will allow Internet access in the meantime
Ideally, here's what this would look like as an enforcement policy sent as a Cisco-IP-Downloadable-ACL (185):
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any 10.10.100.70 0.0.0.0
permit ip any 10.10.100.69 0.0.0.0
permit ip any 10.10.100.68 0.0.0.0
deny ip any 192.168.0.0 0.0.255.255
deny ip any 10.0.0.0 0.0.0.255
permit ip any any
Unfortunately, I can't get the above to work correctly. I am able to get the following working as a Cisco-IP-Downloadable-ACL (185):
deny ip any 192.168.0.0 0.0.255.255
deny ip any 10.0.0.0 0.0.0.255
permit ip any 10.10.100.70 0.0.0.0
permit ip any 10.10.100.69 0.0.0.0
permit ip any 10.10.100.68 0.0.0.0
permit ip any any
The strange thing is that I'm still able to access HTTP resources and ping hosts in the 10/8 subnet, even with the above. Here are the switch details:
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(54)SG1, RELEASE SOFTWARE (fc1)
Any help would definitely be appreciated – thanks!
-Mike
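A way to check an ordered ACL like the ones above against concrete flows before pushing it as a dACL, as an added example (my own code, not from Mike's post or from Cisco/Aruba): a small evaluator with IOS semantics, first match wins, implicit deny at the end, and Cisco wildcard masks (a 0 bit must match, a 1 bit is ignored). The quarantined client address, the sample flows and the `INTENDED_ACL` ordering are my constructions and assumptions about the stated intent. Running it shows that `10.0.0.0 0.0.0.255` covers only 10.0.0.0/24, so a ping or HTTP request to another 10/8 host falls through to `permit ip any any`; that covering all of 10/8 takes the wildcard `0.255.255.255`; and that a 10/8 deny placed ahead of the ClearPass host permits would also cut off OnGuard, so the order in the first ACL is the one that matches the intent.

```python
"""Cisco-style IP ACL evaluator: first match wins, implicit deny at the end.

Added example for the quarantine dACL discussed above; not code from the post.
The client address, flows and INTENDED_ACL below are constructed assumptions.
"""
import ipaddress

# Port keywords used in the ACLs above (IOS accepts names or numbers).
SERVICE_PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return ((base, wildcard), next)."""
    if i >= len(tokens):
        raise ValueError("incomplete ACE: missing address")
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 >= len(tokens):
        raise ValueError("incomplete ACE: address without wildcard mask")
    return (tokens[i], tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    """Optional 'eq <port>' qualifier right after an address; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (SERVICE_PORTS[name] if name in SERVICE_PORTS else int(name)), i + 2
    return None, i


def parse_ace(line):
    """Parse '<permit|deny> <proto> <src> [eq p] <dst> [eq p]' into a dict.

    As in IOS, an 'eq' directly after the source address is a SOURCE port.
    """
    t = line.split()
    if len(t) < 4 or t[0] not in ("permit", "deny"):
        raise ValueError(f"bad ACE: {line!r}")
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return {"line": line, "action": t[0], "proto": t[1],
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def is_valid_ace(line):
    """True if the ACE parses completely (IOS would otherwise reject it)."""
    try:
        parse_ace(line)
        return True
    except (ValueError, IndexError):
        return False


def ace_matches(ace, flow):
    if ace["proto"] != "ip" and ace["proto"] != flow["proto"]:
        return False
    if ace["sport"] is not None and ace["sport"] != flow.get("sport"):
        return False
    if ace["dport"] is not None and ace["dport"] != flow.get("dport"):
        return False
    return (wildcard_match(flow["src"], *ace["src"])
            and wildcard_match(flow["dst"], *ace["dst"]))


def evaluate(acl_lines, flow):
    """Return (action, matching ACE text); order matters, first match wins."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, flow):
            return ace["action"], ace["line"]
    return "deny", "implicit deny"


# The second ACL from the post, copied as sample input.
POSTED_ACL = [
    "deny ip any 192.168.0.0 0.0.255.255",
    "deny ip any 10.0.0.0 0.0.0.255",
    "permit ip any 10.10.100.70 0.0.0.0",
    "permit ip any 10.10.100.69 0.0.0.0",
    "permit ip any 10.10.100.68 0.0.0.0",
    "permit ip any any",
]

# My reading of the stated intent (assumption): block all of 10/8 and 192.168/16
# but let DHCP, DNS and the three ClearPass hosts through, so those permits come first.
INTENDED_ACL = [
    "permit udp any eq bootpc any eq bootps",
    "permit udp any any eq domain",
    "permit ip any host 10.10.100.70",
    "permit ip any host 10.10.100.69",
    "permit ip any host 10.10.100.68",
    "deny ip any 192.168.0.0 0.0.255.255",
    "deny ip any 10.0.0.0 0.255.255.255",
    "permit ip any any",
]

# Constructed flows from a quarantined client at 10.50.1.25 (assumed address).
FLOWS = {
    "ping_internal": {"proto": "icmp", "src": "10.50.1.25", "dst": "10.20.30.40"},
    "http_internal": {"proto": "tcp", "src": "10.50.1.25", "sport": 51000, "dst": "10.20.30.40", "dport": 80},
    "onguard": {"proto": "tcp", "src": "10.50.1.25", "sport": 51001, "dst": "10.10.100.70", "dport": 443},
    "dhcp": {"proto": "udp", "src": "0.0.0.0", "sport": 68, "dst": "255.255.255.255", "dport": 67},
    "dns": {"proto": "udp", "src": "10.50.1.25", "sport": 40000, "dst": "203.0.113.53", "dport": 53},
    "internet": {"proto": "tcp", "src": "10.50.1.25", "sport": 51002, "dst": "198.51.100.10", "dport": 443},
}


def report(acl_lines, flows=FLOWS):
    """Map each named flow to the action the ACL takes on it."""
    return {name: evaluate(acl_lines, flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for label, acl in (("posted", POSTED_ACL), ("intended", INTENDED_ACL)):
        print(label, report(acl))
    # Constructed malformed line: a DNS ACE with a source port but no destination.
    print("complete:", is_valid_ace("permit udp any eq domain"))
```

`report(POSTED_ACL)` permits the ping and the HTTP request to 10.20.30.40 via the final `permit ip any any`, because the /24 wildcard never matches them, while `report(INTENDED_ACL)` denies both and still permits DHCP, DNS, the OnGuard connection to 10.10.100.70 and general Internet traffic. The evaluator only models what IOS does on the wire for these ACE forms; it does not validate the RADIUS attribute encoding the switch downloads.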