IBM Tivoli and Cisco manual


access-list 140 deny ip any 192.168.11.0 0.0.0.255
access-list 140 deny ip any 192.168.12.0 0.0.0.255
access-list 140 deny ip any 192.168.13.0 0.0.0.255
access-list 140 deny ip any 192.168.15.0 0.0.0.255
access-list 140 permit tcp any any eq www
access-list 140 permit tcp any any eq domain
access-list 140 deny ip any any

!

access-list 150 remark **Default Quarantine VLAN ACLs**
access-list 150 deny ip any 192.168.11.0 0.0.0.255
access-list 150 deny ip any 192.168.12.0 0.0.0.255
access-list 150 deny ip any 192.168.13.0 0.0.0.255
access-list 150 deny ip any 192.168.14.0 0.0.0.255
access-list 150 permit udp any eq bootpc any eq bootps
access-list 150 permit tcp any any eq www
access-list 150 permit tcp any any eq domain
access-list 150 deny ip any any

Note: When you enable AAA for IEEE 802.1x, it is automatically enabled for all lines and interfaces. Unless some other method of line authentication is enabled for the console, aux, or tty lines, the username and password for IEEE 802.1x must be used. If you use the command aaa authentication login default none, no authentication is required for login. Unless you specify a local username/password combination, or have some other method of local authentication enabled, you will be locked out of the console when you exit.

The reasoning behind these ACLs is as follows:

- Healthy

If you are in either of the healthy VLANs, you should not be able to communicate with anything that is in any of the quarantine VLANs, but you should have full access to the rest of the network.

- Quarantine

a. If you are in either the sales or engineering Quarantine VLAN, you will need access to a DHCP server to get an IP address.

b. You should be able to ping the Security Compliance Manager and Tivoli Configuration Manager to test communication to them to ensure that this is not the reason that you are in quarantine.

c. Allowing full IP connectivity to these two servers allows for a new policy to be downloaded from the Security Compliance Manager or a remediation workflow to occur from the Tivoli Configuration Manager.

d. You should not be able to communicate with any other host outside of the respective quarantine VLAN that you are in, other than the Security Compliance Manager and Tivoli Configuration Manager. We did, however,
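A practical way to confirm that ACL lines such as those above actually enforce the reasoning just described is to evaluate representative flows against them before deploying. The following is an added example, not code from the Redbook or from Cisco: a small Python parser for IOS numbered extended ACL lines (wildcard masks, `any`, and `eq` port qualifiers) plus a first-match evaluator that applies the implicit deny at the end of the list. The ACL text embedded below is the two lists printed on this page; the source address 10.99.0.10 and the flows in the demo are constructed for illustration and do not come from the book.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Port keywords as IOS resolves them in the ACL lines on this page
PORT_NAMES = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67}

# ACL 140 and ACL 150 as printed on this page ('!' and remark lines are skipped)
ACL_TEXT = """
access-list 140 deny ip any 192.168.11.0 0.0.0.255
access-list 140 deny ip any 192.168.12.0 0.0.0.255
access-list 140 deny ip any 192.168.13.0 0.0.0.255
access-list 140 deny ip any 192.168.15.0 0.0.0.255
access-list 140 permit tcp any any eq www
access-list 140 permit tcp any any eq domain
access-list 140 deny ip any any
!
access-list 150 remark **Default Quarantine VLAN ACLs**
access-list 150 deny ip any 192.168.11.0 0.0.0.255
access-list 150 deny ip any 192.168.12.0 0.0.0.255
access-list 150 deny ip any 192.168.13.0 0.0.0.255
access-list 150 deny ip any 192.168.14.0 0.0.0.255
access-list 150 permit udp any eq bootpc any eq bootps
access-list 150 permit tcp any any eq www
access-list 150 permit tcp any any eq domain
access-list 150 deny ip any any
"""


@dataclass
class AclEntry:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    src_port: Optional[int]           # None when no 'eq' qualifier is present
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def _parse_addr(tokens: List[str], i: int):
    """Consume 'any' or 'address wildcard' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask (contiguous masks only here)
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def _parse_port(tokens: List[str], i: int):
    """Consume an optional 'eq <port>' qualifier; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name, None) if name in PORT_NAMES else int(name), i + 2
    return None, i


def parse_acl(text: str) -> Dict[str, List[AclEntry]]:
    """Parse numbered extended ACL lines into {acl number: [entries in order]}."""
    acls: Dict[str, List[AclEntry]] = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        acls.setdefault(number, []).append(AclEntry(action, proto, src, sport, dst, dport))
    return acls


def evaluate(entries: List[AclEntry], proto: str, src_ip: str, src_port: Optional[int],
             dst_ip: str, dst_port: Optional[int]) -> str:
    """Return the action of the first matching entry; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.src_port is not None and e.src_port != src_port:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return "deny"


if __name__ == "__main__":
    acls = parse_acl(ACL_TEXT)
    # Constructed flows from a hypothetical quarantine host (10.99.0.10 is not from the book)
    flows = [
        ("udp", "0.0.0.0", 68, "255.255.255.255", 67, "DHCP discover"),
        ("tcp", "10.99.0.10", 40000, "192.168.11.5", 80, "HTTP to a healthy VLAN"),
        ("tcp", "10.99.0.10", 40001, "10.1.1.1", 80, "HTTP elsewhere"),
        ("udp", "10.99.0.10", 40002, "10.1.1.1", 53, "DNS over UDP"),
    ]
    for proto, s, sp, d, dp, label in flows:
        print(f"{label:24s} -> {evaluate(acls['150'], proto, s, sp, d, dp)}")
```

Running the demo shows the quarantine list behaving as items a and d describe: the DHCP exchange is permitted, and anything aimed at the 192.168.11.0 through 192.168.14.0 networks is denied before the permit lines are reached. One thing the evaluator makes visible that is easy to miss when reading the list by eye is that both ACLs permit `domain` only over TCP, so a conventional UDP/53 DNS query from a quarantined host falls through to `deny ip any any`; whether that is intended depends on how name resolution is expected to work in the quarantine VLAN, and it is worth checking against the full configuration rather than this page alone.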

294 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
