Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cisco Switch Downloadable ACL example and troubleshooting

  • 1.  Cisco Switch Downloadable ACL example and troubleshooting

    Posted Oct 01, 2013 04:50 PM

    All,

     

    I'm trying to put together a quarantine VLAN that does the following:

     

    1. I want to allow DHCP
    2. I want to allow DNS
    3. I want to allow traffic to three Clearpass IPs so the OnGuard client can communicate a posture change to a healthy status
    4. I want to block traffic to two of their internal subnets
    5. The last line will allow Internet access in the meantime

    Here's ideally what this would look like as an enforcement policy being sent as a Cisco-IP-Downloadable-ACL (185):

     

    permit udp any eq bootpc any eq bootps
    permit udp any eq domain
    permit ip any 10.10.100.70 0.0.0.0
    permit ip any 10.10.100.69 0.0.0.0
    permit ip any 10.10.100.68 0.0.0.0
    deny ip any 192.168.0.0 0.0.255.255
    deny ip any 10.0.0.0 0.0.0.255
    permit ip any any

     

    Unfortunately, I can't get the above to work correctly. I'm able to do the following Cisco-IP-Downloadable-ACL (185):

     

    deny ip any 192.168.0.0 0.0.255.255
    deny ip any 10.0.0.0 0.0.0.255
    permit ip any 10.10.100.70 0.0.0.0
    permit ip any 10.10.100.69 0.0.0.0
    permit ip any 10.10.100.68 0.0.0.0
    permit ip any any

     

    The strange thing is that I'm still able to access http resources and ping in the 10/8 subnet, even with the above. Here are the switch details:

     

    Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(54)SG1, RELEASE SOFTWARE (fc1)

     

    Any help would definitely be appreciated – thanks!

     

    -Mike



  • 2.  RE: Cisco Switch Downloadable ACL example and troubleshooting

    EMPLOYEE
    Posted Oct 01, 2013 06:09 PM

    Mike,

     

    Here is an example of my OnGuard and my guest ACLs; it might give you a starting point. I'll try to replicate what you're doing and see if I can come up with what you need.

     

    deny   tcp any host 10.60.1.xxx
    deny   tcp any host 10.60.2.xxx
    permit tcp any any
    permit tcp any any eq 80
    permit tcp any any eq 443
    permit tcp any any eq 23
    permit tcp any any eq 25
    permit tcp any any eq 110
    permit tcp any any eq 587
    permit tcp any any eq 21
    permit tcp any any eq 20

     

    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080bb1929.shtml

     

     

     

    (attachment: dacl.png)

     



  • 3.  RE: Cisco Switch Downloadable ACL example and troubleshooting

    Posted Oct 01, 2013 07:02 PM

    Troy,

     

    As always, super helpful! I'll give the below a try tomorrow afternoon and update this thread.

     

    permit 



  • 4.  RE: Cisco Switch Downloadable ACL example and troubleshooting

    Posted Oct 01, 2013 07:07 PM

    Troy,

     

    I also was just shown that I jacked up the wildcard mask on the /8... which explains why some of the IPs in that range were working. That line should read:

     

    deny ip any 10.0.0.0 0.255.255.255

     

    Thanks!

     

    -Mike



  • 5.  RE: Cisco Switch Downloadable ACL example and troubleshooting

    EMPLOYEE
    Posted Oct 02, 2013 01:40 AM
    Nice catch.

    Let me know how it turns out.


  • 6.  RE: Cisco Switch Downloadable ACL example and troubleshooting

    Posted Oct 02, 2013 11:00 AM

    Hi Troy,

     

    I was able to get the following working:

     

    permit udp any host 10.10.100.22
    permit udp any host 10.10.100.25
    permit ip any host 10.10.100.70
    permit ip any host 10.10.100.69
    permit ip any host 10.10.100.68
    deny ip any 192.168.0.0 0.0.255.255
    deny ip any 10.0.0.0 0.255.255.255
    permit ip any any

     

    I wasn't able to get any of the "eq" commands working on the switch. The UDP packets referenced in the first two lines will work for DHCP and DNS. Granted, it's not as granular as I would like, but it's definitely a start.

     

    Btw, do you know if it's possible to send an ACL name to a Cisco switch, similar to how you can send a filter ID to a Juniper switch? It might be a better idea to just send an ACL name to the switch and then get granular at that level. I haven't set that up before and was wondering if you had?

     

    Thanks!

     

    -Mike
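To see why the first ACL above still let 10/8 traffic through, here is an added example (not from the thread or from HPE Aruba) that evaluates constructed copies of the posted ACLs with Cisco wildcard-mask semantics: a 1 bit in the wildcard means "don't care", so `0.0.0.255` only covers 10.0.0.0/24 and the rest of 10/8 falls through to the final `permit ip any any`, whereas `0.255.255.255` covers the whole /8. It also shows why the ClearPass host permits have to come before the /8 deny: entries are evaluated in order and the first match wins.

```python
import ipaddress
from collections import namedtuple

# proto "ip" matches any protocol; dst_wild is a Cisco wildcard (0 bits must match, 1 bits are "don't care")
Ace = namedtuple("Ace", "action proto dst_net dst_wild")

def parse_ace(line):
    # Handles the shapes used in the thread: '... any host A.B.C.D', '... any NET WILDCARD', '... any any'
    action, proto, _src, *dst = line.split()
    if dst == ["any"]:
        net, wild = 0, 0xFFFFFFFF
    elif dst[0] == "host":
        net, wild = int(ipaddress.IPv4Address(dst[1])), 0
    else:
        net, wild = (int(ipaddress.IPv4Address(x)) for x in dst[:2])
    return Ace(action, proto, net, wild)

def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines()]

def ace_matches(ace, proto, dst_ip):
    # A destination matches when every bit that is 0 in the wildcard equals the corresponding ACE address bit
    if ace.proto != "ip" and ace.proto != proto:
        return False
    d = int(ipaddress.IPv4Address(dst_ip))
    return ((d ^ ace.dst_net) & ~ace.dst_wild & 0xFFFFFFFF) == 0

def evaluate(acl, proto, dst_ip):
    # First matching entry wins; a Cisco ACL ends with an implicit deny
    for ace in acl:
        if ace_matches(ace, proto, dst_ip):
            return ace.action
    return "deny"

# Constructed copies of the thread's ACLs; the first carries the /24 wildcard that was meant to be a /8
BROKEN_ACL = parse_acl("""
deny ip any 10.0.0.0 0.0.0.255
permit ip any host 10.10.100.70
permit ip any any
""")

FIXED_ACL = parse_acl("""
permit udp any host 10.10.100.22
permit udp any host 10.10.100.25
permit ip any host 10.10.100.70
deny ip any 192.168.0.0 0.0.255.255
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
""")
```

Running `evaluate(BROKEN_ACL, "tcp", "10.20.30.40")` returns `permit`, which is exactly the behaviour reported in the first post, while the same lookup against `FIXED_ACL` returns `deny`.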



  • 7.  RE: Cisco Switch Downloadable ACL example and troubleshooting

    EMPLOYEE
    Posted Oct 02, 2013 11:08 AM

    Yes, you can send a named ACL. Here is an example where I'm calling a named ACL with a URL redirect.

     

    (attachment: acl.png)



  • 8.  RE: Cisco Switch Downloadable ACL example and troubleshooting

    EMPLOYEE


  • 9.  RE: Cisco Switch Downloadable ACL example and troubleshooting

    Posted Oct 03, 2013 11:03 PM

    Hi Troy,

     

    Thanks for passing along that link, if others on the forum haven't seen it. I think your example of a real-world dACL should be included in that guide. I've been using that guide to set up Cisco switches with Clearpass without issue. It's the dACL portion that is definitely lacking.

     

    Thanks for the help!

     

    -Mike