Cisco Layer 3 Switch Integration Script (3850/4500 SUP7-8/4500X)
This document provides the scripts required to complete the installation of the NAC solution.
NAC Router Integration Script
conf t
!
flow record sc-record
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
!
flow exporter sc-exporter
 destination x.x.x.x          (replace x.x.x.x with IP of NAC server and remove this comment)
 source vlan x                (replace x with switch management VLAN number and remove this comment)
 transport udp 50001
!
flow monitor sc-monitor
 exporter sc-exporter
 record sc-record
!
ip access-list extended impulse_block
 permit ip any host 198.31.193.211
!
ip access-list extended intranet
 remark allow DNS
 permit udp any any eq domain
 remark allow DHCP
 permit udp any any eq bootps
 remark allow access to AD server
 permit ip any host x.x.x.x   (Replace with IP of AD server and remove this comment)
 remark allow access to AV server
 permit ip any host x.x.x.x   (Replace with IP of AV server and remove this comment)
 remark allow RDP access to blocked hosts
 permit tcp any eq 3389 any
!
route-map impulse deny 10
 match ip address intranet
!
route-map impulse permit 20
 match ip address impulse_block
 set ip next-hop x.x.x.x      (replace x.x.x.x with IP of NAC server and remove this comment)
!
vlan configuration X          (Layer 2 interface(s) for any layer 3 interface with the redirect-group applied, remove this comment)
 ip flow monitor sc-monitor input
!
interface vlan X              (Layer 3 interface(s) which is/are default gateway for subnet(s) to be placed under policy - recommend a test subnet first, remove this comment)
 ip policy route-map impulse
 ip helper-address x.x.x.x    (replace with IP of NAC appliance and remove this comment)
!
end

*Note - Be sure to also allow the NAC Enforcer access to the router if a VTY/SSH access-list is present on the router.
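The following verification commands are an addition to this page, not part of the NAC vendor's script. They use the object names defined above (sc-record, sc-exporter, sc-monitor, impulse_block, intranet, impulse) and assume the script has already been applied; X stands for the same VLAN number substituted in the script. Run them from privileged EXEC on the switch to confirm that each object was accepted, that the route-map is bound to the intended SVI, and that flows and policy-routed packets are actually being counted before extending the policy beyond the test subnet.

```cisco
! Flexible NetFlow objects: record fields, exporter destination/port, monitor binding
show flow record sc-record
show flow exporter sc-exporter
show flow exporter sc-exporter statistics
show flow monitor sc-monitor
! Non-zero entries here mean the input monitor on the Layer 2 VLAN is seeing traffic
show flow monitor sc-monitor cache

! ACLs used by the route-map; hit counts appear per entry
show ip access-lists intranet
show ip access-lists impulse_block

! Route-map sequence 10 (deny = normal forwarding) and 20 (next-hop to NAC) with match counters
show route-map impulse
! Lists every interface that has "ip policy route-map" applied
show ip policy

! Confirm the SVI carries the route-map and helper address from the script (X = VLAN number)
show running-config interface vlan X
```

If `show flow exporter sc-exporter statistics` shows records sent but the NAC server reports nothing, check that UDP 50001 from the management VLAN's address is permitted along the path to the NAC server; if `show route-map impulse` shows no matches on sequence 20, the policy interface is not the default gateway for the hosts under test.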
