NAC access list question

mrSS
Level 1

So we have a NAC in our lab, set up as L3 OOB. We have a VLAN set up for internet-only access. A route map is configured on the CORE to send the internet-only traffic back to the NAC for restrictions (to mimic the in-band solution). In our unauthenticated role policy, we set up the access list on a VLAN to only access the internet and block internal addresses. The weird thing is, the access list on the NAC works on any internal addresses, but when the PC pings/telnets the CORE itself (and any mgmt IP addresses) it works? Anybody know the reason why? I'm sure a workaround is to put an ACL on the CORE itself to block that.

Hope my drawing is enough to assist.

CORE--------l3 switch--------pc
|
|
|
NAC

2 Replies

pcomeaux
Cisco Employee

That's a great idea - the ACL on the management interfaces of the devices.

Is the ACL for the unauthenticated role on the L3 switch or the Core?

I would guess it is on the L3 switch, since it is likely the default gateway for that unauth vlan.

peter

On the L3 switch. Yeah, it is the default GW for the unauth VLAN.

But do you know why the policy manager on the CAM doesn't enforce when the client reaches any IP addresses on the core or L3 switch?
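The workaround mentioned in the thread (an ACL on the switch itself), written out as an added example that is not configuration from the original posts: an inbound ACL on the unauthenticated VLAN's SVI of the L3 switch drops traffic aimed at the switch's and core's own addresses before any route map or NAC policy is involved, plus an access-class on the vty lines for the telnet case. The VLAN number, addresses and names are constructed placeholders, and it assumes the L3 switch is the unauth VLAN's default gateway as stated above.

```cisco
! Constructed example: VLAN, addresses and names are placeholders, not from the thread.
! Assumed: unauthenticated VLAN 100 = 10.100.0.0/24, SVI 10.100.0.1 on the L3 switch,
! core/L3 switch management addresses 10.0.0.1 and 10.0.0.2, DNS at 10.0.0.53.
ip access-list extended UNAUTH-VLAN-IN
 remark Services the unauthenticated role still needs go first (assumed addresses)
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.0.0.53 eq domain
 remark Drop anything aimed at the gateway SVI or the switch/core management addresses
 deny   ip any host 10.100.0.1
 deny   ip any host 10.0.0.1
 deny   ip any host 10.0.0.2
 remark Drop the rest of the internal (RFC 1918) space on the switch too
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Everything else is internet-bound and is forwarded toward the core
 permit ip any any
!
interface Vlan100
 description Unauthenticated (internet-only) VLAN
 ip address 10.100.0.1 255.255.255.0
 ip access-group UNAUTH-VLAN-IN in
!
! Management-plane side of the same idea: only the admin subnet may open vty sessions.
ip access-list standard MGMT-VTY
 permit 10.0.10.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-VTY in
!
```

Any service the unauthenticated role relies on (DNS, the NAC login page) must be permitted above the deny entries or the clients will lose it; the vty access-class can be applied on the core as well to cover the telnet case there.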
