I feel like I'm missing something simple on this one...
I've got two SVIs on a single Cisco Sup720... one SVI is for the client network and the other is for the management network, on which each switch has a management IP address. Each switch has a configuration for dot1x and MAB. Each is also configured with an initial ACL which gets switched over to a quarantine ACL based on CoA from the RADIUS server.
The quarantine ACL is set up as a url-redirect-acl which means new clients, or clients failing policy, should be redirected to the specified web page.
Unfortunately, applying PBR to the management SVI seems to break this, and I'm not entirely sure why. The PBR is designed to push most traffic from the various management SVIs to our firewall, but even adding exceptions to drop the traffic out of PBR so it is globally routed doesn't seem to fix this. The only thing that does seem to fix it is removing the PBR completely.
Here is a basic example of what I'm working with:
ip access-list extended ACL
 deny icmp 10.100.16.0 0.0.15.255 any
 deny tcp 10.100.16.0 0.0.15.255 any eq www 443
 deny ip 10.100.16.0 0.0.15.255 any
 deny igmp any any
 permit ip any any
!
route-map CORE permit 10
 match ip address ACL
 set ip next-hop [ip]
!
There are other entries in the ACL, but nothing that should affect this. You can see in the ACL that I've tried to add exceptions for the switch's management IP range so it breaks out of PBR and avoids an asynchronous route (the client SVI is in a different VRF; however, I have route leaking set up, and since the client SVI has no PBR assigned to it, it should have a direct route).
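The following is an added worked example, not code from the original post: a small evaluator for the match semantics the route-map above relies on. In a PBR route-map, a packet that hits a permit entry of the matched ACL is policy-routed to the set next-hop, while a packet that hits a deny entry, or no entry at all, falls through to the normal routing table (first match wins, as in any IOS ACL). The script parses the post's ACL verbatim and runs constructed sample flows through it; the RADIUS server, client and management host addresses in those flows are assumptions chosen to fall inside or outside 10.100.16.0/20, not values from the post.

```python
"""Added example (not from the original post): evaluate which flows the
PBR route-map's ACL would policy-route and which it leaves to normal
routing.  All addresses in SAMPLE_FLOWS are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# The ACL from the post, copied verbatim.
ACL_TEXT = """
ip access-list extended ACL
 deny icmp 10.100.16.0 0.0.15.255 any
 deny tcp 10.100.16.0 0.0.15.255 any eq www 443
 deny ip 10.100.16.0 0.0.15.255 any
 deny igmp any any
 permit ip any any
"""

# Port keywords IOS accepts in place of numbers (subset, enough for this ACL).
NAMED_PORTS = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}


@dataclass
class Flow:
    proto: str                  # tcp / udp / icmp / igmp
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: Tuple[int, int]        # (network, wildcard) as integers
    sports: Optional[Set[int]]
    dst: Tuple[int, int]
    dports: Optional[Set[int]]
    text: str                   # original line, for reporting


def _port(tok: str) -> Optional[int]:
    return int(tok) if tok.isdigit() else NAMED_PORTS.get(tok)


def _parse_addr(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok[i]))
    wild = int(ipaddress.IPv4Address(tok[i + 1]))
    return (net, wild), i + 2


def _parse_ports(tok: List[str], i: int) -> Tuple[Optional[Set[int]], int]:
    """Consume an optional 'eq P1 P2 ...' clause (IOS allows several ports after eq)."""
    if i >= len(tok) or tok[i] != "eq":
        return None, i
    ports: Set[int] = set()
    i += 1
    while i < len(tok) and _port(tok[i]) is not None:
        ports.add(_port(tok[i]))
        i += 1
    return ports, i


def parse_acl(text: str) -> List[AclEntry]:
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            continue  # header line, blanks, remarks
        src, i = _parse_addr(tok, 2)
        sports, i = _parse_ports(tok, i)
        dst, i = _parse_addr(tok, i)
        dports, _ = _parse_ports(tok, i)
        entries.append(AclEntry(tok[0], tok[1], src, sports, dst, dports, line.strip()))
    return entries


def _addr_match(ip: str, spec: Tuple[int, int]) -> bool:
    net, wild = spec
    # Bits set in the wildcard are "don't care": OR them away on both sides.
    return (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild)


def pbr_decision(entries: List[AclEntry], flow: Flow) -> Tuple[str, str]:
    """First-match evaluation: ('policy-routed' | 'normal-routing', matched entry text)."""
    for e in entries:
        if e.proto != "ip" and e.proto != flow.proto:
            continue
        if not (_addr_match(flow.src, e.src) and _addr_match(flow.dst, e.dst)):
            continue
        if e.sports is not None and flow.sport not in e.sports:
            continue
        if e.dports is not None and flow.dport not in e.dports:
            continue
        return ("policy-routed" if e.action == "permit" else "normal-routing"), e.text
    return "normal-routing", "implicit deny"   # no match: PBR does not apply


ENTRIES = parse_acl(ACL_TEXT)

# Constructed sample flows (assumed addresses) as seen entering the management SVI.
SAMPLE_FLOWS = {
    "switch mgmt -> RADIUS": Flow("udp", "10.100.20.5", "10.100.200.10", 49152, 1812),
    "switch HTTP reply -> client": Flow("tcp", "10.100.20.5", "10.200.1.50", 80, 51234),
    "other mgmt host -> Internet": Flow("tcp", "10.100.50.7", "203.0.113.9", 40000, 443),
    "client -> switch mgmt": Flow("tcp", "10.200.1.50", "10.100.20.5", 51234, 80),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        verdict, entry = pbr_decision(ENTRIES, flow)
        print(f"{name:30} {verdict:15} via: {entry}")
```

Running it shows that anything sourced from 10.100.16.0/20 is caught by the deny entries and left to normal routing, while the permit ip any any at the end policy-routes everything else, including traffic whose destination is a switch management address, because the exceptions match on source only. That is a property of the ACL as written, not a diagnosis of the redirect problem.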