On 27/10/13 9:35 PM, "Marki" <[email protected]> wrote:
>Hawkins, Michael Stephen <hawkins <at> email.unc.edu> writes:
>> This will work on any Enterasys switch properly set up for NAC.
>
>So what exact policy would the NAC apply to a C-Series switch in that
>case?
>
>If using "set policy rule 6 macsource 00-12-34-00-00-00 mask 24 vlan X" does
>not work on C-Series, how would using the NAC make this work nevertheless?
>Would it simply connect to the switch and issue a "set port vlan ..." or how
>do I have to imagine this?
What you need is MAC authentication enabled on the C3, which will then query NAC over RADIUS. NAC will match the MAC address against a rule and send back a policy that maps it to vlan X.

The S/N/K switches can do this without having authentication enabled on the port, and they can then apply arbitrary policies to that traffic, e.g. I have one that drops port 5353 (mDNS) from our Apple TVs at the core:

    set policy profile 14 name "Apple TV Block"
    set policy rule admin-profile macsource 7c-d1-c3-00-00-00 mask 24 admin-pid 14
    set policy rule admin-profile macsource 9c-20-7b-00-00-00 mask 24 admin-pid 14
    set policy rule 14 udpsourceportIP 5353 mask 16 drop
    set policy rule 14 udpdestportIP 5353 mask 16 drop

Whereas B/C/G can only apply a policy to all of the traffic from that MAC address.

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
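The two-stage evaluation James describes (an admin-profile rule keyed on the source MAC selects a policy profile, then the profile's own rules decide per packet) can be modelled in a few lines. The following is an added illustration, not Enterasys firmware, NAC code, or anything from the thread; it assumes that "mask N" is a prefix length in bits over the field's full width (48 bits for a MAC, so mask 24 covers just the vendor OUI; 16 bits for a UDP port, so mask 16 is an exact port match), that the first matching rule wins, and that traffic with no matching rule is forwarded. The rule values are the ones from the post; the sample MACs and ports fed to it are constructed.

```python
# Added example: model of MAC-keyed policy rules with bit-length masks.
# Assumptions (not from the post): mask = prefix length in bits, first match
# wins, unmatched traffic is forwarded under a default policy.

MAC_WIDTH = 48
PORT_WIDTH = 16


def mac_to_int(mac: str) -> int:
    """Parse 'aa-bb-cc-dd-ee-ff', 'aa:bb:cc:dd:ee:ff' or 'aabb.ccdd.eeff' into a 48-bit int."""
    hexdigits = "".join(ch for ch in mac if ch not in "-:.")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(hexdigits, 16)


def prefix_match(value: int, rule_value: int, mask_bits: int, width: int) -> bool:
    """True if the top mask_bits bits of value equal those of rule_value."""
    if not 0 <= mask_bits <= width:
        raise ValueError(f"mask {mask_bits} out of range for a {width}-bit field")
    mask = ((1 << mask_bits) - 1) << (width - mask_bits)
    return (value & mask) == (rule_value & mask)


# Admin-profile rules from the post: (macsource, mask, admin-pid).
# mask 24 on a 48-bit MAC matches the 3-byte OUI, i.e. every device from that vendor block.
ADMIN_RULES = [
    ("7c-d1-c3-00-00-00", 24, 14),
    ("9c-20-7b-00-00-00", 24, 14),
]

# Per-profile rules from the post: pid -> list of (field, value, mask, action).
# mask 16 on a 16-bit port field is a full match, so only port 5353 is hit.
PROFILE_RULES = {
    14: [
        ("udpsourceportIP", 5353, 16, "drop"),
        ("udpdestportIP", 5353, 16, "drop"),
    ],
}


def select_profile(src_mac: str, rules=ADMIN_RULES):
    """Stage 1: map a source MAC to a policy profile id, or None if no rule matches."""
    mac = mac_to_int(src_mac)
    for rule_mac, mask_bits, pid in rules:
        if prefix_match(mac, mac_to_int(rule_mac), mask_bits, MAC_WIDTH):
            return pid
    return None


def classify(src_mac: str, udp_sport=None, udp_dport=None):
    """Stage 2: apply the selected profile's rules to one packet.

    Returns (pid, action). pid is None when the default policy applies.
    """
    pid = select_profile(src_mac)
    if pid is None:
        return (None, "forward")  # default policy (assumption: forward)
    fields = {"udpsourceportIP": udp_sport, "udpdestportIP": udp_dport}
    for field, value, mask_bits, action in PROFILE_RULES.get(pid, []):
        actual = fields.get(field)
        if actual is not None and prefix_match(actual, value, mask_bits, PORT_WIDTH):
            return (pid, action)
    return (pid, "forward")


if __name__ == "__main__":
    # Constructed sample traffic.
    for mac, sport, dport in [
        ("7c-d1-c3-11-22-33", 5353, 5353),   # Apple TV OUI, mDNS -> dropped
        ("7C:D1:C3:11:22:33", 49152, 80),    # same device, web traffic -> forwarded under pid 14
        ("0012.34ab.cdef", 5353, 5353),      # other vendor, no admin rule -> default policy
    ]:
        print(mac, sport, dport, "->", classify(mac, sport, dport))
```

The contrast in the post falls out of the model: a B/C/G-class switch only performs stage 1 (the whole MAC gets one policy or VLAN), while the S/N/K rule set adds stage 2, which is where the per-port drop lives.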
