ExtremeControl

Extreme NAC - Service rule deny destination IP on switch

NieeBieeski posted 09-08-2021 08:26

Hello all,

We have some trouble with the NAC configuration on our x440 switches. We've created a service rule that denies traffic to a destination subnet, let's say 10.0.0.0/24, but when a client is connected directly to the switch (via an Ethernet connection) the rule doesn't work! On WiFi everything works completely fine.

The command "show policy capabilities" issued on the switch shows us that IP Destination Subnet is supported on this device.

Does anyone know how to resolve this problem?

Thanks in advance,

Marcin

Stefan K.

Hi,

Is the switch part of the Policy domain?
Is there a NAC rule configured that applies the correct Role?

Regards
Stefan

NieeBieeski

Hi Stefan,

Yes and yes. The switch is part of the policy domain, and the NAC role is configured; the service that is supposed to block the traffic is also added to the role.

The role action is "Contain to VLAN".

Stefan K.

I’m not 100% sure if service rules are applied if you use “contain to vlan” instead of “Permit Traffic” or “Deny Traffic”. I only used one of the latter when denying access to certain subnets via service rules.

Can you maybe try to use “Permit Traffic”?

Can you go to Policy → Devices → Right-Click the switch and hit “Verify” to check if the policy is correctly applied?
Can you share a screenshot of the policy role?

NieeBieeski

I switched to "Permit Traffic"; it behaves the same as "Contain to VLAN". The switch is synced with the domain and everything is applied; I also checked directly on the switch whether the rules are there, and everything looks fine.

Here is the policy role; it was created for testing purposes. I've also tried to block the traffic by IPDstSocket, which doesn't work either.

Kurtman, Emre

Hi Marcin,

Have you checked “show netlogin session ports port-number” output to confirm whether the Policy is applied to the end-system after successful authentication?

Please also send the output of “show configuration policy” from the switch.

Thanks,

NieeBieeski

Hi Emre,

This is the output of "sh netlogin session ports" on the port I'm connected to:

And here is the output of "sh configuration policy". I only paste the part that is related to the policy "MGMT":

configure policy profile 1 name "Deny ALL" pvid-status "enable" pvid 0
configure policy profile 2 name "Facebook" pvid-status "enable" pvid 134
configure policy profile 3 name "TOMTOM" pvid 322
configure policy profile 4 name "MGMT" pvid-status "enable" pvid 1065 untagged-vlans 1065
configure policy profile 5 name "PREH" pvid-status "enable" pvid 135
configure policy profile 6 name "ARM" untagged-vlans 32
configure policy profile 7 name "DYSON" untagged-vlans 32
configure policy profile 8 name "APTIV" pvid-status "enable" pvid 124
configure policy profile 9 name "FLIR" pvid 143
configure policy profile 10 name "Permit local"
configure policy profile 11 name "VO" pvid-status "enable" pvid 138
configure policy profile 12 name "Panasonic" pvid 129
configure policy profile 13 name "Captive Portal Redirect" pvid-status "enable" pvid 1065
configure policy profile 14 name "Unregistered" pvid-status "enable" pvid 4095
configure policy profile 15 name "Guest" pvid-status "enable" pvid 1079
configure policy profile 16 name "ASA" untagged-vlans 32
configure policy profile 17 name "BMW" pvid-status "enable" pvid 150
configure policy profile 18 name "Cobham" pvid-status "enable" pvid 165
configure policy profile 19 name "General" pvid-status "enable" pvid 32 untagged-vlans 32
configure policy profile 20 name "TMO" pvid-status "enable" pvid 32 untagged-vlans 32
configure policy profile 21 name "Printer" pvid-status "enable" pvid 1040
configure policy profile 22 name "VoIP" pvid-status "enable" pvid 32
configure policy profile 23 name "Access Point" pvid-status "enable" pvid 4095 untagged-vlans 1308
configure policy profile 24 name "CCTV"
configure policy rule 2 ipdestsocket 8.8.8.8 mask 32 drop
configure policy rule 2 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 2 ipdestsocket 10.243.9.1:0 mask 48 drop
configure policy rule 2 ipdestsocket 10.243.40.11 mask 32 drop
configure policy rule 2 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 2 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 2 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 2 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 2 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 2 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 2 ipdestsocket 10.245.21.0 mask 28 forward
configure policy rule 2 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 2 ipdestsocket 10.245.65.0 mask 24 drop
configure policy rule 2 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 2 ipdestsocket 192.168.134.0 mask 24 forward
configure policy rule 2 tcpdestportIP 80 mask 16 forward
configure policy rule 2 tcpdestportIP 443 mask 16 forward
configure policy rule 2 ipproto 1 mask 8 drop
configure policy rule 2 ipdestsocket 10.243.40.1:0-65535 mask 64 drop
configure policy rule 3 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 3 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 3 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 3 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 3 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 3 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 3 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 3 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 3 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 3 tcpdestportIP 80 mask 16 forward
configure policy rule 3 tcpdestportIP 443 mask 16 forward
configure policy rule 4 ipdestsocket 8.8.8.8 mask 32 drop
configure policy rule 4 ipdestsocket 10.243.9.1:0 mask 48 drop
configure policy rule 4 ipdestsocket 10.243.40.11 mask 32 drop
configure policy rule 4 ipproto 1 mask 8 drop
configure policy rule 4 ipdestsocket 10.243.40.1:0-65535 mask 64 drop
configure policy rule 5 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 5 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 5 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 5 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 5 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 5 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 5 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 5 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 5 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 5 ipdestsocket 192.168.135.0 mask 24 forward
configure policy rule 5 tcpdestportIP 80 mask 16 forward
configure policy rule 5 tcpdestportIP 443 mask 16 forward
configure policy rule 6 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 6 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 6 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 6 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 6 ipdestsocket 10.244.21.160 mask 28 forward
configure policy rule 6 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 6 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 6 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 6 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 6 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 6 tcpdestportIP 80 mask 16 forward
configure policy rule 6 tcpdestportIP 443 mask 16 forward
configure policy rule 7 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 7 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 7 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 7 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 7 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 7 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 7 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 7 ipdestsocket 10.245.21.32 mask 28 forward
configure policy rule 7 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 7 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 7 tcpdestportIP 80 mask 16 forward
configure policy rule 7 tcpdestportIP 443 mask 16 forward
configure policy rule 8 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 8 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 8 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 8 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 8 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 8 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 8 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 8 ipdestsocket 10.245.21.48 mask 28 forward
configure policy rule 8 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 8 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 8 ipdestsocket 192.168.121.0 mask 24 forward
configure policy rule 8 tcpdestportIP 80 mask 16 forward
configure policy rule 8 tcpdestportIP 443 mask 16 forward
configure policy rule 9 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 9 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 9 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 9 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 9 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 9 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 9 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 9 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 9 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 9 ipdestsocket 192.168.143.0 mask 24 forward
configure policy rule 9 tcpdestportIP 80 mask 16 forward
configure policy rule 9 tcpdestportIP 443 mask 16 forward
configure policy rule 11 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 11 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 11 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 11 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 11 ipdestsocket 10.244.21.16 mask 28 forward
configure policy rule 11 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 11 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 11 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 11 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 11 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 11 ipdestsocket 192.168.138.0 mask 24 forward
configure policy rule 11 tcpdestportIP 80 mask 16 forward
configure policy rule 11 tcpdestportIP 443 mask 16 forward
configure policy rule 12 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 12 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 12 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 12 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 12 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 12 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 12 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 12 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 12 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 12 tcpdestportIP 80 mask 16 forward
configure policy rule 12 tcpdestportIP 443 mask 16 forward
configure policy rule 13 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 13 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 13 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 14 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 14 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 14 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 14 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 14 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 16 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 16 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 16 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 16 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 16 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 16 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 16 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 16 ipdestsocket 10.245.21.112 mask 28 forward
configure policy rule 16 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 16 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 16 tcpdestportIP 80 mask 16 forward
configure policy rule 16 tcpdestportIP 443 mask 16 forward
configure policy rule 17 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 17 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 17 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 17 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 17 ipdestsocket 10.244.21.32 mask 28 forward
configure policy rule 17 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 17 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 17 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 17 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 17 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 17 ipdestsocket 192.168.150.0 mask 24 forward
configure policy rule 17 tcpdestportIP 80 mask 16 forward
configure policy rule 17 tcpdestportIP 443 mask 16 forward
configure policy rule 18 ipdestsocket 10.200.36.8 mask 30 forward
configure policy rule 18 ipdestsocket 10.244.19.10 mask 32 forward
configure policy rule 18 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 18 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 18 ipdestsocket 10.245.19.10 mask 32 forward
configure policy rule 18 ipdestsocket 10.245.20.0 mask 24 forward
configure policy rule 18 ipdestsocket 10.245.20.5 mask 32 forward
configure policy rule 18 ipdestsocket 10.245.21.128 mask 28 forward
configure policy rule 18 ipdestsocket 10.245.60.0 mask 24 forward
configure policy rule 18 ipdestsocket 192.168.32.0 mask 22 forward
configure policy rule 18 ipdestsocket 192.168.165.0 mask 25 forward
configure policy rule 18 tcpdestportIP 80 mask 16 forward
configure policy rule 18 tcpdestportIP 443 mask 16 forward
configure policy rule 19 ipdestsocket 10.243.40.11 mask 32 drop
configure policy vlanauthorization enable
enable policy
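
The dump above is easier to reason about once the rule lines are tied back to their profile: "MGMT" is policy profile 4, so the rules that apply to it are the "configure policy rule 4 ..." lines. The Python script below is an added example, not code from the thread or from Extreme's tooling. It parses a constructed subset of the lines posted above, groups rules by profile number, and reports which rules a given destination (IP, IP protocol, destination port) would match under a named profile, plus which profiles have no rules at all. Two assumptions are made and marked in the code: on "ipdestsocket" entries, mask bits beyond 32 are taken to cover the port field, and among several matching rules "drop" is treated as winning. The switch's own precedence between classification types is not modelled, so the verdict is an audit aid, not a simulation of the ASIC.

```python
"""Offline audit of EXOS policy rules as printed by 'show configuration policy'."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the lines from the thread's policy dump.
SAMPLE_CONFIG = """\
configure policy profile 1 name "Deny ALL" pvid-status "enable" pvid 0
configure policy profile 2 name "Facebook" pvid-status "enable" pvid 134
configure policy profile 4 name "MGMT" pvid-status "enable" pvid 1065 untagged-vlans 1065
configure policy rule 2 ipdestsocket 8.8.8.8 mask 32 drop
configure policy rule 2 ipdestsocket 10.244.20.0 mask 24 forward
configure policy rule 2 ipdestsocket 10.244.20.5 mask 32 forward
configure policy rule 2 tcpdestportIP 443 mask 16 forward
configure policy rule 2 ipproto 1 mask 8 drop
configure policy rule 4 ipdestsocket 8.8.8.8 mask 32 drop
configure policy rule 4 ipdestsocket 10.243.9.1:0 mask 48 drop
configure policy rule 4 ipdestsocket 10.243.40.11 mask 32 drop
configure policy rule 4 ipproto 1 mask 8 drop
configure policy rule 4 ipdestsocket 10.243.40.1:0-65535 mask 64 drop
configure policy vlanauthorization enable
enable policy
"""

PROFILE_RE = re.compile(r'^configure policy profile (\d+) name "([^"]+)"')
RULE_RE = re.compile(r"^configure policy rule (\d+) (\S+) (\S+) mask (\d+) (forward|drop)$")
TCP = 6


@dataclass
class Rule:
    profile: int
    kind: str                      # ipdestsocket | tcpdestportIP | ipproto
    action: str                    # forward | drop
    net: Optional[ipaddress.IPv4Network] = None
    port_lo: Optional[int] = None
    port_hi: Optional[int] = None
    proto: Optional[int] = None

    def matches(self, dst: ipaddress.IPv4Address, proto: int, dport: int) -> bool:
        if self.proto is not None and proto != self.proto:
            return False
        if self.net is not None and dst not in self.net:
            return False
        if self.port_lo is not None and not (self.port_lo <= dport <= self.port_hi):
            return False
        return True


def _parse_socket(value: str, mask: int) -> Tuple[ipaddress.IPv4Network, Optional[int], Optional[int]]:
    """Accepts 'a.b.c.d', 'a.b.c.d:port' or 'a.b.c.d:lo-hi'.
    Assumption: mask bits beyond 32 address the port field, so the IP prefix is capped at 32."""
    host, _, port = value.partition(":")
    net = ipaddress.ip_network(f"{host}/{min(mask, 32)}", strict=False)
    if not port:
        return net, None, None
    lo, _, hi = port.partition("-")
    return net, int(lo), int(hi) if hi else int(lo)


def parse_policy(text: str) -> Tuple[Dict[str, int], Dict[int, List[Rule]]]:
    """Returns (profile name -> profile number, profile number -> rules)."""
    profiles: Dict[str, int] = {}
    rules: Dict[int, List[Rule]] = {}
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            profiles[m.group(2)] = int(m.group(1))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        num, kind, value, mask, action = int(m[1]), m[2], m[3], int(m[4]), m[5]
        if kind == "ipdestsocket":
            net, lo, hi = _parse_socket(value, mask)
            rule = Rule(num, kind, action, net=net, port_lo=lo, port_hi=hi)
        elif kind == "tcpdestportIP":           # TCP destination port, any IP
            rule = Rule(num, kind, action, proto=TCP, port_lo=int(value), port_hi=int(value))
        elif kind == "ipproto":                 # e.g. 1 = ICMP
            rule = Rule(num, kind, action, proto=int(value))
        else:
            continue                            # classification types not modelled here
        rules.setdefault(num, []).append(rule)
    return profiles, rules


def matching_rules(profiles, rules, profile_name: str, dst: str, proto: int, dport: int) -> List[Rule]:
    ip = ipaddress.ip_address(dst)
    return [r for r in rules.get(profiles[profile_name], []) if r.matches(ip, proto, dport)]


def verdict(profiles, rules, profile_name: str, dst: str, proto: int, dport: int) -> Optional[str]:
    """'drop' if any matching rule drops, 'forward' if any forwards, None if nothing matches
    (the profile's default action applies). Assumption: drop wins; real rule precedence is not modelled."""
    hits = matching_rules(profiles, rules, profile_name, dst, proto, dport)
    if not hits:
        return None
    return "drop" if any(r.action == "drop" for r in hits) else "forward"


def profiles_without_rules(profiles, rules) -> List[str]:
    """Profiles that rely entirely on their default action (no rule lines at all)."""
    return sorted(name for name, num in profiles.items() if num not in rules)


if __name__ == "__main__":
    prof, rl = parse_policy(SAMPLE_CONFIG)
    for dst, proto, port in [("8.8.8.8", 17, 53), ("10.0.0.5", TCP, 443), ("10.243.40.1", TCP, 443)]:
        print("MGMT", dst, proto, port, "->", verdict(prof, rl, "MGMT", dst, proto, port))
    print("profiles without rules:", profiles_without_rules(prof, rl))
```

Run against the full dump, the "no match" result for 10.0.0.5 is the useful one: no rule 4 line covers 10.0.0.0/24, so whatever that profile's default action is decides the outcome, and a test from the wired port tells you nothing about the drop rules until a destination that actually appears in rule 4 (such as 8.8.8.8) is tried.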

Tomasz

Hi Marcin,

Just one thing to confirm, as you are also trying to deny 8.8.8.8: does that one work, at least?

What is the firmware version on the switch, by the way?

Kind regards,

Tomasz

NieeBieeski

Hi Tomasz,

Yes and no. When I'm connected via cable to the switch, the connection to 8.8.8.8 still passes through. When I'm connected to the WLC [which is part of the same domain and connected to the same Access Control Engine], the traffic is blocked.

The switch version is 30.7.2.1.

BR,

Marcin