09-25-2018 02:06 PM
First, we currently use ACLs to control user access to the network prior to being postured by Cisco ISE. We recently added new web-based services that need access to AWS and Azure prior to the endpoint being postured. With the WLCs we can now use URLs in the ACL, but not on switches. Does anybody have a solution/workaround for this?
Thanks
Roger
09-25-2018 02:13 PM
So are you looking for an ACL to allow/block in switches?
09-26-2018 07:57 AM
Sorry, I wasn't clear. I need to allow access to Azure and AWS servers through an ACL that limits the endpoint because it is not compliant and has limited network access. Our new cloud-based solutions are using URL information, not IPs. Has anyone run across this? We are preloading the software, but to complete the install the endpoint has to reach out to the AWS cloud and register.
09-26-2018 10:23 AM
Here is my ACL. I need to allow access to the AWS servers and Azure servers. Thanks for your help.
permit udp any host 172.X.X.X eq 53
permit ip any host 172.X.X.X
remark 172.X.X.X is tdo for automount in Dentistry
permit ip any host 172.X.X.X
remark 172.X.X.X is orthotrac for automount in Dentistry
permit ip any host 172.X.X.X
permit ip any host 172.X.X.X
remark is sccm servers
permit ip any host 172.X.X.X
remark 172.X.X.X is volshare for automount
permit ip any 172.X.X.X 0.0.0.3
permit ip any 172.X.X.X 0.0.0.7
permit ip any host 172.X.X.X
remark allow access to isilon servers (172.X.X.X-X)
permit ip any host 172.X.X.X
remark 172.X.X.X is digit for automount
permit ip any host 172.X.X.X
remark 172.X.X.X is parkit for automount
permit ip any host 172.X.X.X
permit ip any host 172.X.X.X
remark 172.X.X.X and 172.X.X.X are ise
permit ip any host 172.X.X.X
remark 172.X.X.X is sophos
permit tcp any host 128.X.X.X eq 80
permit tcp any host 128.1X.X.X eq 443
remark 128.X.X.X is www.uthsc.edu/nac and /antivirus
permit ip any host 128.X.X.X
permit ip any host 128.X.X.X
permit ip any host 128.X.X.X
remark 128.X.X.X-X are domain controllers
permit tcp any 178.X.X.X 0.0.0.255 eq www
remark 178.X.X.X is comodoca.com
permit udp any eq bootpc any eq bootps
remark Trend Micro Policy Server 128.X.X.X
permit tcp any host 128.X.X.X eq 8080
remark jamf is 172.X.X.X
permit ip any host 172.X.X.X
remark jamfdev server is 172.X.X.X
permit ip any host 172.X.X.X
permit icmp any any
permit tcp any any eq 54443
remark allow to dell driver updates
permit ip any host 143.X.X.X
09-26-2018 01:29 PM
Hello
Where is this applied? To what interface on the switch(es)?
09-25-2018 02:20 PM
Hello
So what are you asking?
09-26-2018 09:26 AM
Hello
Hmm... still not that clear?
Can you post your current ACLs that you are using?
11-29-2018 11:13 AM
This issue has been resolved. The vendor uses a specific port for this issue, so we allow devices to connect via this port in the Pre-Auth ACL.
Thanks for the input.
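The two approaches that came up in this thread, pinning cloud destinations by address and permitting a vendor-specific port to any destination, can both be expressed in a generated pre-auth ACL. The script below is an added example, not code from the original thread, Cisco ISE or IOS. It assumes a hypothetical target list mixing fixed hosts/subnets, FQDN-only cloud endpoints and a port-only rule; because switch ACLs cannot match URLs, each FQDN is resolved to addresses at generation time, and the resolver is passed in so the constructed answer table used here runs offline. The `acl_changes` helper shows what a re-run would add or remove when a cloud front end moves.

```python
"""Generate a Cisco IOS extended ACL from a mixed target list (hypothetical example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable

# A resolver maps a name to the IPv4 addresses it currently returns.
Resolver = Callable[[str], list[str]]


@dataclass
class Target:
    kind: str                # "host" (IP), "net" (CIDR), "fqdn", or "port"
    value: str               # the IP, CIDR, name, or port number
    proto: str = "ip"        # "ip", "tcp", or "udp"
    port: int | None = None  # destination port; ignored for kind="port"
    remark: str = ""         # emitted as an IOS 'remark' before the permit(s)


def wildcard(cidr: str) -> str:
    """Turn a CIDR prefix into IOS 'network wildcard' notation (/30 -> 0.0.0.3)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address} {net.hostmask}"


def permit_line(proto: str, dst: str, port: int | None) -> str:
    tail = f" eq {port}" if port is not None else ""
    return f" permit {proto} any {dst}{tail}"


def build_preauth_acl(name: str, targets: Iterable[Target], resolve: Resolver) -> list[str]:
    """Return the IOS configuration lines for an extended ACL named `name`."""
    lines = [f"ip access-list extended {name}"]
    for t in targets:
        if t.remark:
            lines.append(f" remark {t.remark}")
        if t.kind == "host":
            lines.append(permit_line(t.proto, f"host {t.value}", t.port))
        elif t.kind == "net":
            lines.append(permit_line(t.proto, wildcard(t.value), t.port))
        elif t.kind == "fqdn":
            # Resolve now; dedupe and sort so regenerated ACLs diff cleanly.
            addrs = sorted(set(resolve(t.value)), key=ipaddress.ip_address)
            if not addrs:
                # Fail closed: a name that does not resolve gets no permit, never 'any'.
                lines.append(f" remark WARNING {t.value} did not resolve, nothing permitted")
            for a in addrs:
                lines.append(permit_line(t.proto, f"host {a}", t.port))
        elif t.kind == "port":
            # The fix the thread settled on: permit the vendor's port to any destination.
            lines.append(permit_line(t.proto, "any", int(t.value)))
        else:
            raise ValueError(f"unknown target kind {t.kind!r}")
    return lines


def acl_changes(old: list[str], new: list[str]) -> tuple[list[str], list[str]]:
    """Lines to add and lines to remove when resolved addresses change between runs."""
    added = [line for line in new if line not in old]
    removed = [line for line in old if line not in new]
    return added, removed


# Constructed DNS answers (TEST-NET ranges). A real run would query DNS and be
# re-run on a schedule, because cloud front-end addresses change over time.
FAKE_DNS = {
    "register.vendor.example": ["203.0.113.10", "203.0.113.11"],
    "blob.cloud.example": ["198.51.100.7"],
}


def fake_resolve(name: str) -> list[str]:
    return FAKE_DNS.get(name, [])


# Constructed target list in the shape of the ACL posted above (addresses are fictional).
TARGETS = [
    Target("host", "172.16.1.53", proto="udp", port=53, remark="internal DNS"),
    Target("net", "172.16.8.0/30", remark="ISE policy nodes"),
    Target("fqdn", "register.vendor.example", proto="tcp", port=443,
           remark="cloud registration endpoint, resolved at generation time"),
    Target("fqdn", "missing.example", proto="tcp", port=443),
    Target("port", "54443", proto="tcp", remark="vendor-specific agent port"),
]

if __name__ == "__main__":
    for line in build_preauth_acl("PREAUTH-ACL", TARGETS, fake_resolve):
        print(line)
```

The trade-off between the two approaches is visible in the output: address pinning keeps the destination tight but needs regular regeneration and a change-controlled push of the diff, while the port-only rule never goes stale but lets the unpostured endpoint reach that port anywhere, so it is worth confirming the vendor's port is not one other services listen on.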