Procedure 5 - Configure Local Access Control Lists.

Certain switch functions, such as URL redirection, require locally configured access control lists (ACLs).

Some of the ACLs you create here will be used immediately; others may not be used until a much later phase of your deployment. The goal of this procedure is to prepare the switches for all deployment models at once and avoid the operational expense of reconfiguring the switches repeatedly.

Step 1
Add the following ACL to be used on switchports in Monitor Mode:

  • C3750X(config)#ip access-list ext ACL-ALLOW
  • C3750X(config-ext-nacl)#permit ip any any

Step 2
Add the following ACL to be used on switchports in Low-Impact and Closed Modes:

  • C3750X(config)#ip access-list ext ACL-DEFAULT
  • C3750X(config-ext-nacl)#remark DHCP
  • C3750X(config-ext-nacl)#permit udp any eq bootpc any eq bootps
  • C3750X(config-ext-nacl)#remark DNS
  • C3750X(config-ext-nacl)#permit udp any any eq domain
  • C3750X(config-ext-nacl)#remark Ping
  • C3750X(config-ext-nacl)#permit icmp any any
  • C3750X(config-ext-nacl)#remark PXE / TFTP
  • C3750X(config-ext-nacl)#permit udp any any eq tftp
  • C3750X(config-ext-nacl)#remark Drop all the rest
  • C3750X(config-ext-nacl)#deny ip any any log

Step 3
Add the following ACL to be used for URL redirection with web authentication:

  • C3750X(config)#ip access-list ext ACL-WEBAUTH-REDIRECT
  • C3750X(config-ext-nacl)#remark explicitly deny DNS from being redirected to address a bug
  • C3750X(config-ext-nacl)#deny udp any any eq 53
  • C3750X(config-ext-nacl)#remark redirect all applicable traffic to the ISE Server
  • C3750X(config-ext-nacl)#permit tcp any any eq 80
  • C3750X(config-ext-nacl)#permit tcp any any eq 443
  • C3750X(config-ext-nacl)#remark all other traffic will be implicitly denied from the redirection

Step 4
Add the following ACL to be used for URL redirection with the posture agent:

  • C3750X(config)#ip access-list ext ACL-AGENT-REDIRECT
  • C3750X(config-ext-nacl)#remark explicitly deny DNS from being redirected to address a bug
  • C3750X(config-ext-nacl)#deny udp any any eq 53
  • C3750X(config-ext-nacl)#remark redirect HTTP traffic only
  • C3750X(config-ext-nacl)#permit tcp any any eq 80
  • C3750X(config-ext-nacl)#remark all other traffic will be implicitly denied from the redirection
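To check how the ACLs from Steps 2 through 4 treat a given flow before applying them to a port, the following added example (not part of the original guide or of Cisco IOS) parses the entries exactly as written above and evaluates them with first-match semantics, including the implicit deny at the end of every IOS ACL. It also models the redirect-ACL convention stated in the remarks: a matching permit means the flow is redirected, a deny means it is forwarded untouched.

```python
import re

# Constructed copies of the ACL entries from Steps 2-4 (IOS extended ACL syntax
# with "any" endpoints and optional "eq" ports); the remark lines are omitted.
ACL_DEFAULT = """
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit udp any any eq tftp
deny ip any any log
"""
ACL_WEBAUTH_REDIRECT = "deny udp any any eq 53\npermit tcp any any eq 80\npermit tcp any any eq 443"
ACL_AGENT_REDIRECT = "deny udp any any eq 53\npermit tcp any any eq 80"

PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "tftp": 69}
ACE_RE = re.compile(r"^(permit|deny)\s+(ip|tcp|udp|icmp)\s+any(?:\s+eq\s+(\S+))?"
                    r"\s+any(?:\s+eq\s+(\S+))?(?:\s+log)?$")

def _port(tok):
    if tok is None:
        return None
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def parse_acl(text):
    """Return [(action, proto, src_port, dst_port)] in configured order."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        action, proto, sport, dport = m.groups()
        aces.append((action, proto, _port(sport), _port(dport)))
    return aces

def evaluate(aces, proto, sport=None, dport=None):
    """First-match lookup; IOS appends an implicit 'deny ip any any' to every ACL."""
    for action, aproto, asport, adport in aces:
        if aproto not in ("ip", proto):
            continue
        if asport is not None and asport != sport:
            continue
        if adport is not None and adport != dport:
            continue
        return action
    return "deny"

def redirected(aces, proto, sport=None, dport=None):
    """Redirect ACL semantics: 'permit' = sent to the redirect URL, 'deny' = forwarded."""
    return evaluate(aces, proto, sport, dport) == "permit"

if __name__ == "__main__":
    default, agent = parse_acl(ACL_DEFAULT), parse_acl(ACL_AGENT_REDIRECT)
    print(evaluate(default, "udp", 68, 67))      # permit (DHCP client to server)
    print(evaluate(default, "tcp", 51000, 443))  # deny (falls through to deny ip any any)
    print(redirected(agent, "tcp", 51000, 80))   # True
    print(redirected(agent, "tcp", 51000, 443))  # False (agent ACL redirects HTTP only)
```

Note that the DHCP entry in ACL-DEFAULT matches only client-to-server traffic (source bootpc, destination bootps), which is what an inbound ACL on an access port should see.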