From: Brent K. <Bre...@na...> - 2011-06-30 16:00:43
I missed something really important (initial DHCP broadcast) and added another out of preference (being able to ping the PacketFence server for troubleshooting):

ip access-list extended pf_isolation
 10 permit ip host pf_host any
 15 permit icmp any host pf_host
 20 permit tcp any host pf_host eq www
 30 permit tcp any host pf_host eq 443
 40 permit udp any host pf_host eq domain
 45 permit udp any host 255.255.255.255 eq bootps
 50 permit udp any host pf_host eq bootps

It is applied via:

vlan access-map Isolation 10
 action forward
 match ip address pf_isolation
vlan filter Isolation vlan-list isolation_VLAN

This seems to work as intended. I cannot access isolated hosts from one another but can get a DHCP address and access the violation page. While this will have to be maintained on all switches, it seems to be the most straightforward solution.

Brent
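An added example (not part of Brent's post or of PacketFence) that models the pf_isolation ACL above as a first-match evaluator, so the effect of each entry can be checked offline: isolated-to-isolated traffic and non-whitelisted ports to pf_host fall through to the implicit drop, while the initial DHCP discover (source 0.0.0.0, destination 255.255.255.255, UDP 67) is only forwarded because entry 45 exists. It assumes a constructed placeholder address for pf_host and that a VACL whose only action is `forward` drops unmatched packets; the parser covers just the `any`/`host`/`eq` syntax used in the post.

```python
import ipaddress

PF_HOST = "192.0.2.10"  # constructed placeholder for pf_host, not the post's real address
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67}

# The post's pf_isolation ACL: sequence, action, protocol, src, dst[, eq port]
ACL_TEXT = """
10 permit ip host pf_host any
15 permit icmp any host pf_host
20 permit tcp any host pf_host eq www
30 permit tcp any host pf_host eq 443
40 permit udp any host pf_host eq domain
45 permit udp any host 255.255.255.255 eq bootps
50 permit udp any host pf_host eq bootps
"""

def _parse_addr(tokens):
    """Consume one IOS address spec ('any' or 'host A.B.C.D'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        addr = PF_HOST if tokens[1] == "pf_host" else tokens[1]
        return ipaddress.ip_network(addr + "/32"), tokens[2:]
    raise ValueError(f"unsupported address spec: {tokens}")

def parse_acl(text):
    """Parse the subset of IOS extended-ACL syntax used in the post into match tuples."""
    entries = []
    for line in text.strip().splitlines():
        seq, action, proto, *rest = line.split()
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append((int(seq), action, proto, src, dst, port))
    return entries

def acl_permits(entries, proto, src, dst, dport=None):
    """First matching entry decides; nothing matched means the VACL drops the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, action, eproto, esrc, edst, eport in entries:
        if eproto not in ("ip", proto) or s not in esrc or d not in edst:
            continue
        if eport is not None and eport != dport:
            continue
        return action == "permit"
    return False
```

Removing entry 45 from ACL_TEXT and re-running `acl_permits` for the DHCP discover shows why the first version of the ACL left isolated hosts without an address.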