Certain functions on the switch require locally configured access control lists (ACLs), such as URL redirection, which can only redirect traffic that matches an ACL defined on the switch itself.
Some of the ACLs you create here will be used immediately; others may not be used until a much later phase of your deployment. The goal of this section is to prepare the switches for all possible deployment models at one time, and so limit the operational expense of repeated switch configuration. The ACLs are referenced by name from the ISE authorization profiles, so the names used here must match exactly what is configured in ISE.
Step 1
Add the following ACL, to be used on switchports in Monitor Mode. It permits everything, so authentication results are only observed and nothing the endpoint sends is blocked:
- C3750X(config)#ip access-list extended ACL-ALLOW
- C3750X(config-ext-nacl)#permit ip any any
Step 2
Add the following ACL, to be used as the pre-authentication port ACL on switchports in Low-Impact and Closed Modes. It allows an unauthenticated endpoint to obtain an address (DHCP), resolve names (DNS), answer ping, and PXE boot (TFTP), and drops everything else. Entries are evaluated top to bottom and the first match wins, so the final deny catches only what the permits above did not:
- C3750X(config)#ip access-list extended ACL-DEFAULT
- C3750X(config-ext-nacl)#remark DHCP
- C3750X(config-ext-nacl)#permit udp any eq bootpc any eq bootps
- C3750X(config-ext-nacl)#remark DNS
- C3750X(config-ext-nacl)#permit udp any any eq domain
- C3750X(config-ext-nacl)#remark Ping
- C3750X(config-ext-nacl)#permit icmp any any
- C3750X(config-ext-nacl)#remark PXE / TFTP
- C3750X(config-ext-nacl)#permit udp any any eq tftp
- C3750X(config-ext-nacl)#remark Drop all the rest
- C3750X(config-ext-nacl)#deny ip any any log
The log keyword on the final deny is useful while you are validating the deployment, because it shows which traffic unauthenticated endpoints attempt. Note that logged denies are processed by the switch CPU rather than in hardware, so review whether to keep it once the deployment is stable.
Step 3
Add the following ACL, to be used for URL redirection with web authentication. In a URL-redirect ACL the actions are inverted relative to a port ACL: traffic that matches a permit entry is intercepted and redirected to the ISE web portal, while traffic that matches a deny entry, or nothing at all, passes through without redirection. Redirecting TCP 443 requires ip http secure-server to be enabled on the switch, and the client browser will see a certificate warning for the intercepted HTTPS session:
- C3750X(config)#ip access-list extended ACL-WEBAUTH-REDIRECT
- C3750X(config-ext-nacl)#remark explicitly deny DNS from being redirected to address a bug
- C3750X(config-ext-nacl)#deny udp any any eq 53
- C3750X(config-ext-nacl)#remark redirect all applicable traffic to the ISE Server
- C3750X(config-ext-nacl)#permit tcp any any eq 80
- C3750X(config-ext-nacl)#permit tcp any any eq 443
- C3750X(config-ext-nacl)#remark all other traffic will be implicitly denied from the redirection
Step 4
Add the following ACL, to be used for URL redirection with the posture agent. It differs from ACL-WEBAUTH-REDIRECT only in that HTTP alone is redirected; HTTPS and everything else fall to the implicit deny and are therefore not redirected:
- C3750X(config)#ip access-list extended ACL-AGENT-REDIRECT
- C3750X(config-ext-nacl)#remark explicitly deny DNS from being redirected to address a bug
- C3750X(config-ext-nacl)#deny udp any any eq 53
- C3750X(config-ext-nacl)#remark redirect HTTP traffic only
- C3750X(config-ext-nacl)#permit tcp any any eq 80
- C3750X(config-ext-nacl)#remark all other traffic will be implicitly denied from the redirection
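The four ACLs above share one syntax but are read two different ways: as a port ACL (Steps 1 and 2), permit forwards and deny drops; as a URL-redirect ACL (Steps 3 and 4), permit redirects to ISE and deny passes traffic through untouched. The following Python evaluator is an added example, not part of the Cisco guide or of IOS: it parses the subset of extended-ACL syntax used in this section (permit/deny with any endpoints, optional eq ports, optional log), applies first-match semantics including the implicit deny, and reports the outcome under each interpretation. The flows and ephemeral port numbers are constructed for illustration.

```python
"""First-match evaluator for the ACLs in Steps 1-4 of this section.

Added example (not from the Cisco guide). Supports only the ACE shapes the
section uses: permit|deny <proto> any [eq PORT] any [eq PORT] [log].
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords that appear in the section above.
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "tftp": 69}

# ACL bodies copied from Steps 1-4 (remarks are kept to show they are skipped).
ACL_ALLOW = "permit ip any any"

ACL_DEFAULT = """
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
remark Drop all the rest
deny ip any any log
"""

ACL_WEBAUTH_REDIRECT = """
deny udp any any eq 53
permit tcp any any eq 80
permit tcp any any eq 443
"""

ACL_AGENT_REDIRECT = """
deny udp any any eq 53
permit tcp any any eq 80
"""


@dataclass(frozen=True)
class Flow:
    proto: str                      # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None  # constructed ephemeral ports in the demo
    dst_port: Optional[int] = None


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_acl(text: str) -> List[Tuple[str, str, Optional[int], Optional[int], bool]]:
    """Return (action, proto, src_port, dst_port, log) per ACE, in config order."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {line}")
        ports, i = [], 0
        for _ in range(2):                  # source spec, then destination spec
            if rest[i] != "any":            # the section only uses 'any' endpoints
                raise ValueError(f"only 'any' endpoints are supported: {line}")
            i += 1
            if i < len(rest) and rest[i] == "eq":
                ports.append(_port(rest[i + 1]))
                i += 2
            else:
                ports.append(None)
        log = i < len(rest) and rest[i] == "log"
        aces.append((action, proto, ports[0], ports[1], log))
    return aces


def evaluate(text: str, flow: Flow) -> Tuple[str, bool]:
    """First matching ACE wins; falling off the end is the implicit, unlogged deny."""
    for action, proto, sport, dport, log in parse_acl(text):
        if proto != "ip" and proto != flow.proto:
            continue
        if sport is not None and sport != flow.src_port:
            continue
        if dport is not None and dport != flow.dst_port:
            continue
        return action, log
    return "deny", False


def port_acl(text: str, flow: Flow) -> str:
    """Port-ACL reading: permit forwards; deny drops (and logs via the CPU if 'log')."""
    action, log = evaluate(text, flow)
    if action == "permit":
        return "forward"
    return "drop+log" if log else "drop"


def redirect_acl(text: str, flow: Flow) -> str:
    """URL-redirect reading: permit intercepts and redirects to ISE; deny passes through."""
    action, _ = evaluate(text, flow)
    return "redirect" if action == "permit" else "pass"


if __name__ == "__main__":
    https, ssh = Flow("tcp", 49152, 443), Flow("tcp", 49152, 22)
    print("Low-Impact, DHCP:        ", port_acl(ACL_DEFAULT, Flow("udp", 68, 67)))
    print("Low-Impact, SSH:         ", port_acl(ACL_DEFAULT, ssh))
    print("WebAuth redirect, HTTPS: ", redirect_acl(ACL_WEBAUTH_REDIRECT, https))
    print("Agent redirect, HTTPS:   ", redirect_acl(ACL_AGENT_REDIRECT, https))
```

Running the block shows the two readings side by side: SSH from an unauthenticated endpoint is dropped and logged by ACL-DEFAULT, HTTPS is redirected by ACL-WEBAUTH-REDIRECT but passes untouched under ACL-AGENT-REDIRECT, and DNS is never redirected because the explicit deny precedes the permits. Changing the order of the entries in the strings and rerunning is a quick way to see why the deny for UDP 53 must come first.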