I missed something really important (initial DHCP broadcast) and added another
out of preference (being able to ping the PacketFence server for
troubleshooting):
ip access-list extended pf_isolation
10 permit ip host pf_host any
15 permit icmp any host pf_host
20 permit tcp any host pf_host eq www
30 permit tcp any host pf_host eq 443
40 permit udp any host pf_host eq domain
45 permit udp any host 255.255.255.255 eq bootps
50 permit udp any host pf_host eq bootps
It is applied via:
vlan access-map Isolation 10
action forward
match ip address pf_isolation
vlan filter Isolation vlan-list isolation_VLAN
This seems to work as intended. I cannot access isolated hosts from one
another but can get a DHCP address and access the violation page.
While this will have to be maintained on all switches, it seems to be the most
straightforward solution.
Brent
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
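An offline check of the intent stated in the message above, added here as an example (it is not part of Brent's post or of PacketFence). It parses the posted extended ACL, substitutes a constructed address for the pf_host placeholder, and evaluates sample flows the way IOS would: first matching entry wins, and a frame that matches no entry of the VLAN access-map is dropped. The client addresses, the 10.10.10.0/24 isolation range and the assumption that pf_host is also the DHCP server for the isolation VLAN are all constructed for the example.

```python
"""Evaluate the posted Cisco extended ACL against sample flows.

Added example, not from the mailing-list post or from PacketFence. Parses
'seq action proto src dst [eq port]' entries, resolves the symbolic name
pf_host, and reports which entry (if any) a flow would hit.
"""

# Cisco port keywords that appear in the posted ACL (well-known ports).
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}

# Constructed address standing in for the pf_host placeholder.
PF_HOST = "10.10.10.5"

# The ACL exactly as posted in the message.
ACL_TEXT = """
10 permit ip host pf_host any
15 permit icmp any host pf_host
20 permit tcp any host pf_host eq www
30 permit tcp any host pf_host eq 443
40 permit udp any host pf_host eq domain
45 permit udp any host 255.255.255.255 eq bootps
50 permit udp any host pf_host eq bootps
"""


def _take_addr(tokens, names):
    """Consume 'any' or 'host X' from the token list; X may be symbolic."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return names.get(tokens[1], tokens[1]), tokens[2:]
    raise ValueError("unsupported address form: " + " ".join(tokens))


def parse_acl(text, names):
    """Turn the ACL text into an ordered list of rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, rest = _take_addr(tokens[3:], names)
        dst, rest = _take_addr(rest, names)
        dport = None
        if rest and rest[0] == "eq":
            # Keyword (www, domain, ...) or a numeric port such as 443.
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append({"seq": seq, "action": action, "proto": proto,
                      "src": src, "dst": dst, "dport": dport})
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """Return (seq, action) of the first matching entry.

    A flow matching nothing is reported as (None, 'deny'): the VLAN
    access-map has no catch-all sequence, so unmatched frames are dropped.
    'ip' entries match every IP protocol, including icmp.
    """
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if r["src"] is not None and r["src"] != src:
            continue
        if r["dst"] is not None and r["dst"] != dst:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["seq"], r["action"]
    return None, "deny"


def check_isolation_intent(rules):
    """Sample flows (constructed) covering the behaviour the post describes."""
    client_a, client_b = "10.10.10.50", "10.10.10.51"
    return {
        # Isolated hosts must not reach each other (here: SMB).
        "client_to_client": evaluate(rules, "tcp", client_a, client_b, 445),
        # Initial DHCP discover is a broadcast from 0.0.0.0 to port 67.
        "dhcp_discover": evaluate(rules, "udp", "0.0.0.0",
                                  "255.255.255.255", 67),
        # DHCP offer comes back from pf_host (entry 10 covers all replies).
        "dhcp_offer": evaluate(rules, "udp", PF_HOST, "255.255.255.255", 68),
        # The violation page and ping to pf_host are allowed.
        "portal_http": evaluate(rules, "tcp", client_a, PF_HOST, 80),
        "ping_pf": evaluate(rules, "icmp", client_a, PF_HOST),
        # Anything else towards pf_host, e.g. SSH, hits the implicit drop.
        "ssh_to_pf": evaluate(rules, "tcp", client_a, PF_HOST, 22),
    }


if __name__ == "__main__":
    for name, result in check_isolation_intent(
            parse_acl(ACL_TEXT, {"pf_host": PF_HOST})).items():
        print(f"{name:18} -> {result}")
```

Running it prints one line per flow; the two client-to-client and SSH cases come back as (None, 'deny') while DHCP, HTTP and ICMP to pf_host hit entries 45, 10, 20 and 15. Because entry 10 permits everything sourced from pf_host, any service on pf_host is reachable in the return direction, so the list of inbound entries (20, 30, 40, 50) is what actually bounds what an isolated host can open.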