294 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
access-list 140 deny ip any 192.168.11.0 0.0.0.255
access-list 140 deny ip any 192.168.12.0 0.0.0.255
access-list 140 deny ip any 192.168.13.0 0.0.0.255
access-list 140 deny ip any 192.168.15.0 0.0.0.255
access-list 140 permit tcp any any eq www
access-list 140 permit tcp any any eq domain
access-list 140 deny ip any any
!
access-list 150 remark **Default Quarantine VLAN ACLs**
access-list 150 deny ip any 192.168.11.0 0.0.0.255
access-list 150 deny ip any 192.168.12.0 0.0.0.255
access-list 150 deny ip any 192.168.13.0 0.0.0.255
access-list 150 deny ip any 192.168.14.0 0.0.0.255
access-list 150 permit udp any eq bootpc any eq bootps
access-list 150 permit tcp any any eq www
access-list 150 permit tcp any any eq domain
access-list 150 deny ip any any
The reasoning behind these ACLs is as follows:
1. Healthy
   If you are in either of the healthy VLANs, you should not be able to communicate with anything that is in any of the quarantine VLANs, but you should have full access to the rest of the network.
2. Quarantine
   a. If you are in either the sales or engineering Quarantine VLAN, you will need access to a DHCP server to get an IP address.
   b. You should be able to ping the Security Compliance Manager and Tivoli Configuration Manager to test communication to them, to ensure that this is not the reason that you are in quarantine.
   c. Allowing full IP connectivity to these two servers allows a new policy to be downloaded from the Security Compliance Manager or a remediation workflow to occur from the Tivoli Configuration Manager.
   d. You should not be able to communicate with any other host outside of the respective quarantine VLAN that you are in, other than the Security Compliance Manager and Tivoli Configuration Manager. We did, however,
Note: When you enable AAA for IEEE 802.1x, it is automatically enabled for all lines and interfaces. Unless some other method of line authentication is enabled for console, aux, or tty, the username and password for IEEE 802.1x must be used. If you use the command aaa authentication login default none, no authentication is required for login. Unless you specify a local username/password combination, or have some other method of local authentication enabled, you will be locked out of the console when you exit.
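The following evaluator is an added example, not code from the Redbook or from IBM or Cisco. It parses the numbered extended-ACL syntax shown above (first match wins, wildcard masks, named ports, implicit deny at the end) and runs constructed sample packets through access-list 150, the one ACL that appears complete on this page, so that the quarantine reasoning can be checked against what the lines actually permit. The source address 10.99.0.20 and the destinations 10.1.1.1 and 10.1.1.53 are constructed placeholders, not addresses from the book.

```python
"""Evaluate a Cisco numbered extended ACL against sample packets.

Added example (not from the Redbook). Only the syntax forms that appear on
this page are parsed: any | host A | A WILDCARD, optional 'eq PORT', and
the protocols ip/tcp/udp/icmp. Entries are matched in configured order and
an unmatched packet falls to the implicit 'deny ip any any'.
"""
import ipaddress

PORT_NAMES = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67}

# access-list 150 as printed on the page (the remark line is skipped by the parser).
ACL_150 = """
access-list 150 remark **Default Quarantine VLAN ACLs**
access-list 150 deny ip any 192.168.11.0 0.0.0.255
access-list 150 deny ip any 192.168.12.0 0.0.0.255
access-list 150 deny ip any 192.168.13.0 0.0.0.255
access-list 150 deny ip any 192.168.14.0 0.0.0.255
access-list 150 permit udp any eq bootpc any eq bootps
access-list 150 permit tcp any any eq www
access-list 150 permit tcp any any eq domain
access-list 150 deny ip any any
"""


def _parse_side(tokens, i):
    """Consume one address spec plus an optional 'eq PORT'.

    Returns (((base, wildcard), port_or_None), next_index). A Cisco wildcard
    mask marks don't-care bits with 1, so 'any' is (0, 0xFFFFFFFF) and
    'host A' is (A, 0).
    """
    tok = tokens[i]
    if tok == "any":
        spec, i = (0, 0xFFFFFFFF), i + 1
    elif tok == "host":
        spec, i = (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    else:
        spec = (int(ipaddress.ip_address(tok)),
                int(ipaddress.ip_address(tokens[i + 1])))
        i += 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        i += 2
    return (spec, port), i


def parse_acl(text):
    """Return the ACL as an ordered list of (action, proto, src, dst) entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_side(tokens, 4)
        dst, _ = _parse_side(tokens, i)
        entries.append((action, proto, src, dst))
    return entries


def _side_matches(side, addr, port):
    """True when addr is inside the wildcard range and the port (if any) matches."""
    (base, wildcard), want_port = side
    care_bits = ~wildcard & 0xFFFFFFFF
    if (int(ipaddress.ip_address(addr)) ^ base) & care_bits:
        return False
    return want_port is None or want_port == port


def evaluate(entries, proto, src, sport, dst, dport):
    """First matching entry decides; 'ip' entries match every protocol."""
    for action, eproto, esrc, edst in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if _side_matches(esrc, src, sport) and _side_matches(edst, dst, dport):
            return action
    return "deny"  # implicit deny ip any any


# Constructed sample traffic from a quarantined host (addresses are placeholders).
SAMPLE_PACKETS = {
    "dhcp_discover": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "web_to_healthy_vlan": ("tcp", "10.99.0.20", 40000, "192.168.11.10", 80),
    "web_to_other": ("tcp", "10.99.0.20", 40001, "10.1.1.1", 80),
    "dns_tcp": ("tcp", "10.99.0.20", 40002, "10.1.1.53", 53),
    "dns_udp": ("udp", "10.99.0.20", 40003, "10.1.1.53", 53),
    "ping": ("icmp", "10.99.0.20", None, "10.1.1.1", None),
}


def check_quarantine_policy():
    """Map each sample packet name to the action access-list 150 takes on it."""
    entries = parse_acl(ACL_150)
    return {name: evaluate(entries, *pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, action in check_quarantine_policy().items():
        print(f"{name:22s} -> {action}")
```

Running it confirms items 2a and 2d of the reasoning for this ACL: DHCP is permitted, traffic into the 192.168.11.0 through 192.168.14.0 subnets is denied before any permit is reached, and everything not explicitly permitted hits the final deny. It also surfaces two details worth knowing when reading the printed lines: the permit for domain is TCP only, so a UDP DNS query from this VLAN is denied by access-list 150 as written, and ICMP is not permitted by any of its entries, so the ping in item 2b must be allowed by configuration outside the lines shown on this page.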