DNA Center low impact mode contract

Stuart Patton
Level 1

Hi,

In DNA Center 2.3.3.7, I want to amend the ACL/contract that is the IPV4_PRE_AUTH_ACL for Low Impact mode to add another protocol/port.  When I click "Add Contract Action" I only get the option of bootpc, bootps or domain.  Are these options fixed?  This particular ACL/contract is not under policy -> group-based access control because it's nothing to do with SGT, so am I missing something here?

 

Incidentally, I'm trying to get an acceptable solution to allow PXE booting (and it's TFTP that I want to add to the ACL/contract) without resorting to no auth/open auth on the ports. The reason this is needed is because the normal dot1x timer on a closed mode port is too long - by the time the port has completed MAB the client has given up.

 

If anyone has alternative solutions, I'd be grateful.

 

Thanks,

Stuart

1 Accepted Solution

rahbhard
Cisco Employee

Hi Stuart,

That is correct, currently the options to amend IPV4_PRE_AUTH_ACL for Low Impact mode are limited to the three protocols mentioned (67, 68, 53). You can add custom ACEs to the authentication ACL using Day-N templates.

Regards,

Rahul Bhardwaj
