
294

Building a Network Access Control Solution with IBM Tivoli and Cisco Systems

access-list 140 deny ip any 192.168.11.0 0.0.0.255
access-list 140 deny ip any 192.168.12.0 0.0.0.255
access-list 140 deny ip any 192.168.13.0 0.0.0.255
access-list 140 deny ip any 192.168.15.0 0.0.0.255
access-list 140 permit tcp any any eq www
access-list 140 permit tcp any any eq domain
access-list 140 deny ip any any
!
access-list 150 remark **Default Quarantine VLAN ACLs**
access-list 150 deny ip any 192.168.11.0 0.0.0.255
access-list 150 deny ip any 192.168.12.0 0.0.0.255
access-list 150 deny ip any 192.168.13.0 0.0.0.255
access-list 150 deny ip any 192.168.14.0 0.0.0.255
access-list 150 permit udp any eq bootpc any eq bootps
access-list 150 permit tcp any any eq www
access-list 150 permit tcp any any eq domain
access-list 150 deny ip any any

The reasoning behind these ACLs is as follows:

Healthy

If you are in either of the healthy VLANs, you should not be able to communicate with anything that is in any of the quarantine VLANs, but you should have full access to the rest of the network.

Quarantine

a. If you are in either the sales or engineering Quarantine VLAN, you will need access to a DHCP server to get an IP address.

b. You should be able to ping the Security Compliance Manager and Tivoli Configuration Manager to test communication to them to ensure that this is not the reason that you are in quarantine.

c. Allowing full IP connectivity to these two servers allows for a new policy to be downloaded from the Security Compliance Manager or a remediation workflow to occur from the Tivoli Configuration Manager.

d. You should not be able to communicate with any other host outside of the respective quarantine VLAN that you are in, other than the Security Compliance Manager and Tivoli Configuration Manager. We did, however,
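To check that an ACL of this shape actually implements the reasoning listed above before it is applied to a switch, here is an added example (it is not from the Redbook, IBM or Cisco) that parses ACL 150 exactly as printed and evaluates sample flows with IOS first-match semantics. The quarantine host address 192.168.20.10 and the external addresses are constructed for the test flows.

```python
import ipaddress
# ACL 150 as printed on the page (Cisco IOS numbered extended ACL syntax).
ACL_150 = """\
access-list 150 remark **Default Quarantine VLAN ACLs**
access-list 150 deny ip any 192.168.11.0 0.0.0.255
access-list 150 deny ip any 192.168.12.0 0.0.0.255
access-list 150 deny ip any 192.168.13.0 0.0.0.255
access-list 150 deny ip any 192.168.14.0 0.0.0.255
access-list 150 permit udp any eq bootpc any eq bootps
access-list 150 permit tcp any any eq www
access-list 150 permit tcp any any eq domain
access-list 150 deny ip any any
"""
PORTS = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67}  # IOS port keywords used above

def _endpoint(tok):  # 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard', then optional 'eq <port>'
    if tok[0] == "any":
        net, tok = ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    elif tok[0] == "host":
        net, tok = ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    else:  # an IOS wildcard is an inverted netmask; ipaddress accepts it as a host mask
        net, tok = ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]
    port = None
    if tok and tok[0] == "eq":
        port, tok = PORTS.get(tok[1]) or int(tok[1]), tok[2:]
    return net, port, tok

def parse_acl(text):  # -> [(action, proto, src_net, sport, dst_net, dport), ...]
    rules = []
    for t in (line.split() for line in text.splitlines()):
        if len(t) < 4 or t[2] == "remark":
            continue
        src, sport, rest = _endpoint(t[4:]); dst, dport, _ = _endpoint(rest)
        rules.append((t[2], t[3], src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):  # first match wins; implicit deny at the end
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if (rproto in ("ip", proto) and s in rsrc and d in rdst
                and rsport in (None, sport) and rdport in (None, dport)):
            return action
    return "deny"

RULES = parse_acl(ACL_150)
# Constructed test flows; 192.168.20.10 stands in for a quarantine VLAN host (assumed address).
CHECKS = {
    "dhcp_discover": evaluate(RULES, "udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "http_to_healthy_vlan": evaluate(RULES, "tcp", "192.168.20.10", 51000, "192.168.11.5", 80),
    "http_to_internet": evaluate(RULES, "tcp", "192.168.20.10", 51001, "198.51.100.7", 80),
    "dns_over_udp": evaluate(RULES, "udp", "192.168.20.10", 51002, "198.51.100.53", 53),
}
```

The dns_over_udp result shows a detail worth confirming on a real deployment: the ACL as printed permits DNS over TCP only (permit tcp any any eq domain), so a UDP/53 lookup from the quarantine VLAN falls through to the final deny.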

Note: When you enable AAA for IEEE 802.1x, it is automatically enabled for all lines and interfaces. Unless some other method of line authentication is enabled for console, aux or tty, the username and password for IEEE 802.1x must be used. If you use the command aaa authentication login default none, no authentication is required for login. Unless you specify a local username/password combination, or have some other method of local authentication enabled, you will be locked out of the console when you exit.