07-06-2009 05:51 AM - edited 02-21-2020 03:33 AM
So we have a NAC in our lab, set up as L3 OOB. We have a VLAN set up for internet-only access; a route map is configured on the CORE to send the internet-only traffic back to the NAC for restrictions (to mimic the inband solution). In our unauthenticated role policy, we set up the access list on a VLAN to only access the internet and block internal addresses. The weird thing is, the access list on the NAC works on any internal addresses, but when the PC pings/telnets the CORE itself (and any mgmt IP addresses) it works?? Anybody know the reason why? I'm sure a workaround is to put an ACL on the CORE itself to block that.
Hope my drawing is enough to assist.
CORE--------l3 switch--------pc
|
|
|
NAC
07-16-2009 11:37 AM
That's a great idea - the ACL on the management interfaces of the devices.
Is the ACL for the unauthenticated role on the L3 switch or the Core?
I would guess it is on the L3 switch, since it is likely the default gateway for that unauth vlan.
peter
07-17-2009 04:31 AM
On the L3 switch. Yeah, it is the default GW for the unauth VLAN.
But do you know why the policy manager on the CAM doesn't enforce when the client reaches any IP addresses on the core or L3 switch?
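The workaround both posters mention (an ACL on the device itself rather than relying on the NAC policy) as an added example, not configuration from this thread or from Cisco's NAC documentation. It assumes the L3 switch is the default gateway for the unauth VLAN, as stated above, and uses placeholder values: VLAN 100 with 10.100.0.0/24 and gateway 10.100.0.1 for the unauthenticated hosts, 10.0.0.0/24 as the core/L3 switch management range, and 10.0.0.50 as the NAC server address the client must still reach. An inbound interface ACL on the SVI is evaluated for every packet entering that interface, including packets addressed to the switch's own IP, which is why it catches the ping/telnet to the gateway that the route-map path does not see.

```cisco
! Added example, not from the original thread. All addresses are placeholders.
! Inbound ACL on the unauthenticated VLAN SVI of the L3 switch (the default gateway).
ip access-list extended UNAUTH-VLAN-IN
 ! Keep DHCP working so unauthenticated hosts can still obtain an address
 permit udp any eq bootpc any eq bootps
 ! Allow the hosts to reach the NAC server (assumed 10.0.0.50) for login
 permit ip 10.100.0.0 0.0.0.255 host 10.0.0.50
 ! Block the gateway SVI itself and the core/L3 switch management range;
 ! log these hits so attempts from the unauth VLAN are visible in syslog
 deny ip any host 10.100.0.1 log
 deny ip any 10.0.0.0 0.0.0.255 log
 ! Block the remaining internal (RFC 1918) space
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 ! Everything else is internet-bound and continues to the CORE, where the
 ! existing route map sends it through the NAC
 permit ip any any
!
interface Vlan100
 description Unauthenticated NAC VLAN (placeholder)
 ip address 10.100.0.1 255.255.255.0
 ip access-group UNAUTH-VLAN-IN in
```

After applying it, a ping or telnet from a host in the unauth VLAN to 10.100.0.1 or to any 10.0.0.0/24 address should fail, and `show access-lists UNAUTH-VLAN-IN` should show the deny counters increasing; the logged denies give you a simple detection signal for hosts probing the management addresses before they authenticate.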