You have to deny to allow… what?

ACLs on a switch are pretty straightforward. You want to allow access only to TCP port 80 and block everything else?

permit tcp any any eq 80
deny ip any any

Easy to read and understand: allow access to any server via port 80, then block everything else. What confuses a lot of my customers is redirect ACLs on a switch. These redirect ACLs are used for wired guest access, wired BYOD, and posture assessment. What causes the confusion is how they operate. They don't work by simply allowing or denying traffic across the network. They actually tell the switch which traffic to redirect to the redirect URL that is assigned to a session by the authorization profile.

Let's look at a typical redirect ACL on a switch.

permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any

At first glance, customers think "I don't want unknown devices to have full access to the Internet or to any servers on my network via ports 80 and 443". That's the catch. This isn't a standard ACL; it's a redirect ACL. What the lines above do is tell the switch to redirect any traffic on TCP ports 80 and 443 to the redirect URL that was assigned to the session. The final line tells the switch to ignore any other traffic (i.e. don't redirect it).

This is why it is critical to mix in a downloadable ACL (or proper TrustSec settings) to work alongside the redirect ACL. Since the redirect ACL is going to let all other traffic pass, the dACL is what restricts the session to only the specific access it needs. A standard dACL I use for customers that are only doing guest access with no posture assessment would be something like this (replace <PSN1-IP> and <PSN2-IP> with the addresses of your ISE Policy Service Nodes):

permit udp any any eq 53
permit udp any eq bootpc any eq bootps
permit tcp any host <PSN1-IP> eq 8443
permit tcp any host <PSN2-IP> eq 8443
deny ip any any

This dACL does the following:

  1. Allow DNS queries.
  2. Allow DHCP.
  3. Allow access to the 1st ISE PSN on port 8443 (standard guest port).
  4. Allow access to the 2nd ISE PSN on port 8443.
  5. Deny all other traffic.

The dACL will be hit after the local redirect ACL. So when a client hits an authorization rule for guest redirection, the full traffic evaluation will be:

  1. Traffic checked against the redirect ACL.
    • Redirect any traffic on port 80 to the redirect URL (guest portal on the PSN).
    • Redirect any traffic on port 443 to the redirect URL (guest portal on the PSN).
    • Allow all other traffic through.
  2. Traffic checked against the dACL.
    • Allow DNS.
    • Allow DHCP.
    • Allow access to the guest portal on the 1st ISE PSN.
    • Allow access to the guest portal on the 2nd ISE PSN.
    • Deny/drop all other traffic.

Also keep in mind that ACLs/dACLs on a switch are stateful. You don't have to specifically allow the return traffic, since replies to allowed egress traffic are automatically allowed.
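To make the two-stage behaviour concrete, here is a small added simulation (my own illustration, not Cisco code or anything from this post) that runs sample flows through a redirect ACL and then a dACL exactly in the order described above. The PSN addresses, the portal URL and the Flow class are constructed placeholders; the key point it shows is that "permit" in the redirect ACL means "send to the portal", while "permit" in the dACL means "forward".

```python
from dataclasses import dataclass

# Constructed placeholder addresses for the two ISE PSNs and the session's portal URL.
PSN1, PSN2 = "10.0.0.11", "10.0.0.12"
REDIRECT_URL = "https://psn1.example.net:8443/portal/"

# ACE = (action, protocol, src_port, dst_host, dst_port); None matches anything.
# In the REDIRECT ACL, "permit" means "send this to the portal" and "deny" means
# "leave it alone and let the dACL decide".
REDIRECT_ACL = [
    ("permit", "tcp", None, None, 80),
    ("permit", "tcp", None, None, 443),
    ("deny", "ip", None, None, None),
]
# In the dACL, permit/deny keep their ordinary forward/drop meaning.
DACL = [
    ("permit", "udp", None, None, 53),       # DNS
    ("permit", "udp", 68, None, 67),         # DHCP (bootpc -> bootps)
    ("permit", "tcp", None, PSN1, 8443),     # guest portal on the 1st PSN
    ("permit", "tcp", None, PSN2, 8443),     # guest portal on the 2nd PSN
    ("deny", "ip", None, None, None),
]

@dataclass(frozen=True)
class Flow:                 # hypothetical 4-field view of a client packet
    proto: str
    src_port: int
    dst_host: str
    dst_port: int

def _matches(ace, flow):
    _, proto, sport, dhost, dport = ace
    return (proto in ("ip", flow.proto) and sport in (None, flow.src_port)
            and dhost in (None, flow.dst_host) and dport in (None, flow.dst_port))

def first_match(acl, flow):
    """First matching ACE wins; with no match the ACL's implicit deny applies."""
    return next((ace[0] for ace in acl if _matches(ace, flow)), "deny")

def evaluate(flow):
    """Stage 1: redirect ACL. Stage 2: dACL on whatever was not redirected."""
    if first_match(REDIRECT_ACL, flow) == "permit":
        return f"redirect -> {REDIRECT_URL}"
    return "allow" if first_match(DACL, flow) == "permit" else "drop"

if __name__ == "__main__":
    for f in (Flow("tcp", 51000, "93.184.216.34", 80), Flow("tcp", 51001, PSN1, 8443),
              Flow("udp", 51002, "10.0.0.53", 53), Flow("tcp", 51003, "10.0.0.50", 22)):
        print(f, "=>", evaluate(f))
```

Try swapping the order of the two stages or removing the final deny from the dACL to see exactly which flows a misconfiguration lets through.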
