Hi Brent,
Glad everything is working, it may also be a good idea to restrict the
registration VLAN the same way. I created a FAQ entry on our website
with that information. I am sure a lot of people will be interested
in that "feature".
Also I am wondering if this is available with other vendors such as HP,
Extreme Networks, etc. Maybe some mailing list user can share their
thoughts.
On 11-06-30 12:00 PM, Brent Knotts wrote:
I missed something really important (initial DHCP broadcast) and added
another out of preference (being able to ping the PacketFence server
for troubleshooting):
ip access-list extended pf_isolation
 10 permit ip host /pf_host/ any
 ! added: allow pinging the PacketFence server for troubleshooting
 15 permit icmp any host /pf_host/
 20 permit tcp any host /pf_host/ eq www
 30 permit tcp any host /pf_host/ eq 443
 40 permit udp any host /pf_host/ eq domain
 ! added: the client's initial DHCP broadcast has no unicast destination yet
 45 permit udp any host 255.255.255.255 eq bootps
 50 permit udp any host /pf_host/ eq bootps
It is applied via:
vlan access-map Isolation 10
 action forward
 match ip address pf_isolation
 ! anything pf_isolation does not permit is dropped (implicit deny)
vlan filter Isolation vlan-list /isolation_VLAN/
This seems to work as intended. I cannot access isolated hosts from
one another but can get a DHCP address and access the violation page.
While this will have to be maintained on all switches, it seems to be
the most straightforward solution.
Brent
------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
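Brent's pf_isolation ACL, checked offline, as an added example that is not part of the thread and not PacketFence code: a small evaluator for IOS-style extended ACEs (any/host addresses and "eq" ports only) runs the list, with the /pf_host/ placeholder filled by a constructed address (10.0.0.5), against constructed sample flows to confirm what the VACL forwards and what it drops under the implicit deny.

```python
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67}  # IOS "eq" keywords used here
PF_HOST = "10.0.0.5"  # constructed stand-in for the /pf_host/ placeholder
# Brent's pf_isolation ACL from the thread, one extended ACE per line.
PF_ISOLATION = f"""
10 permit ip host {PF_HOST} any
15 permit icmp any host {PF_HOST}
20 permit tcp any host {PF_HOST} eq www
30 permit tcp any host {PF_HOST} eq 443
40 permit udp any host {PF_HOST} eq domain
45 permit udp any host 255.255.255.255 eq bootps
50 permit udp any host {PF_HOST} eq bootps
"""

def parse_ace(line):
    """Parse 'seq action proto src dst [eq port]'; addresses are any | host X."""
    tok = line.split()
    i, addrs = 3, []
    for _ in range(2):                        # source, then destination
        if tok[i] not in ("any", "host"):
            raise ValueError(f"unsupported address form: {line}")
        addrs.append(None if tok[i] == "any" else tok[i + 1])
        i += 1 if tok[i] == "any" else 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return int(tok[0]), tok[1], tok[2], addrs[0], addrs[1], port

def parse_acl(text):
    return [parse_ace(ln) for ln in text.strip().splitlines() if ln.strip()]

def evaluate(acl, proto, src, dst, dport=None):
    """First match wins; unmatched traffic is dropped by the VACL (implicit deny)."""
    for seq, action, p, s, d, port in acl:
        proto_ok = p in ("ip", proto)          # 'ip' covers every protocol
        addr_ok = s in (None, src) and d in (None, dst)   # None means 'any'
        port_ok = port in (None, dport)
        if proto_ok and addr_ok and port_ok:
            return action, seq
    return "deny", None

def check_isolation():
    """Constructed sample flows from hosts sitting in the isolation VLAN."""
    acl = parse_acl(PF_ISOLATION)
    flows = {
        "dhcp discover":       ("udp", "0.0.0.0", "255.255.255.255", 67),
        "client->pf https":    ("tcp", "10.0.0.50", PF_HOST, 443),
        "client->client ssh":  ("tcp", "10.0.0.50", "10.0.0.51", 22),
        "client->client ping": ("icmp", "10.0.0.50", "10.0.0.51", None),
    }
    return {name: evaluate(acl, *f)[0] for name, f in flows.items()}
```

Running the same evaluator over a proposed ACL before pasting it into every switch catches a missing DHCP or DNS entry without having to test with a live isolated client.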