Configuring SNMP Policy Enforcement through Templates using ACL/VLAN

Template-based policy enforcement with ACL or VLAN as the enforcement attribute is achieved through a combination of the SNMP and SSH protocols. SNMP is used to receive the traps from the switch, and the ACL/VLAN enforcement itself is performed through the switch CLI over SSH.

Pre-requisites

  • The user must be logged in with the highest privilege level for ACL/VLAN enforcement using SSH.
  • ACLs must be configured either manually on the switch or pushed from IPS through ACL creation.
  • Default templates are available for Cisco, Juniper and HP. For other switch models/vendors, the admin can create a new template. See Creating Template or using Existing Template.
  • Enable SNMP diagnostic logging to capture the CLIs sent to the switch.

Creating Template or using Existing Template

A template is required to specify the CLI format for each vendor. The admin can upload/download templates, which are in a pre-defined format. Using the template, the CLIs that enforce the ACL/VLAN on the interface are formed.

To view and add the templates:

  1. Select Endpoint Policy > Network Access > Network Infrastructure Device > Templates.

    Cisco, Juniper, HP, HP 3com, Dell, Alcatel-Lucent, Arista and Huawei switch templates are available by default.

  2. To create a new template instead of using a default one, click New Template.
  3. Enter the template name.
  4. Enter the description.
  5. Click Browse and upload the created template file.
  6. Click Save Changes.

(Optional) Creating an ACL

The admin can configure an ACL in two ways:

  • Logging in to the switch console and creating the ACLs manually. Ensure that the same ACL name is used when creating the SNMP client and the policy in IPS.
  • Creating the ACLs on IPS, which pushes the ACLs to the switches belonging to the corresponding Location Group.

Creating an ACL in IPS is not applicable if the enforcement attribute is VLAN.

To create an ACL on IPS:

  1. Select Endpoint Policy > Network Access > ACL.
  2. Click New ACL.
  3. Enter the name.
  4. Enter the ACL number.
  5. Set the Location Group.
  6. Under ACL Rules:
    • Specify the Protocol.
    • Enter the destination IP address.
    • Enter the destination port.
    • Specify the action as either permit or deny.
    • Click Add.

  7. Click Save Changes.

Notes:

  • The admin can log in to the switch and verify that the ACL is properly configured. ACL names are prefixed with IPS- to distinguish the ACLs pushed from IPS from those created manually.
  • ACL name modification is not allowed.
  • When deleting an ACL from IPS, ensure that it is not applied on any interface or port. Otherwise, deletion of the ACL will not succeed on the switch.
  • An ACL configured from IPS should not be modified manually.
  • The ACL number has to be chosen based on the switch configuration guide. It is required only for switches that create ACLs using the ACL number as the key. Ensure that the configured ACL number is not already in use on the switch. Currently, the ACL number is mandatory only for HP-3com (H3C) switches.
  • The Alcatel-Lucent switch (Omni-Switch) doesn't support ACL configuration on the interface. Hence, ACL enforcement is not supported for the Alcatel-Lucent switch (Omni-Switch).
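The following added example (not IPS product code) models the ACL fields entered in the steps above and the constraints in the notes: the IPS- name prefix, the ACL number being mandatory only for H3C and having to be unused on the switch, and deletion failing while the ACL is still applied to an interface. The page does not document the template format, so the Cisco IOS extended-ACL rendering is an assumption of what a Cisco template would produce, not the product's own template.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

IPS_PREFIX = "IPS-"        # per the notes: ACLs pushed from IPS carry this prefix
NUMBER_REQUIRED = {"h3c"}  # per the notes: ACL number mandatory only for HP-3com (H3C)


@dataclass
class AclRule:
    protocol: str            # e.g. "tcp", "udp", "ip"
    dst_ip: str
    dst_port: Optional[int]  # None when the rule has no port
    action: str              # "permit" or "deny"


@dataclass
class Acl:
    name: str
    vendor: str
    number: Optional[int] = None
    rules: List[AclRule] = field(default_factory=list)


def validate_acl(acl: Acl, numbers_in_use: Set[int]) -> List[str]:
    """Return the problems found; an empty list means the ACL meets the page's constraints."""
    problems: List[str] = []
    if acl.vendor.lower() in NUMBER_REQUIRED:
        if acl.number is None:
            problems.append("ACL number is mandatory for H3C switches")
        elif acl.number in numbers_in_use:
            problems.append(f"ACL number {acl.number} is already used on the switch")
    for r in acl.rules:
        if r.action not in ("permit", "deny"):
            problems.append(f"action must be permit or deny, got {r.action!r}")
        if r.dst_port is not None and not 0 < r.dst_port < 65536:
            problems.append(f"invalid destination port {r.dst_port}")
    return problems


def render_cisco(acl: Acl) -> List[str]:
    """Cisco IOS extended named-ACL lines (assumed template output, not the product's template)."""
    lines = [f"ip access-list extended {IPS_PREFIX}{acl.name}"]
    for r in acl.rules:
        port = f" eq {r.dst_port}" if r.dst_port is not None else ""
        lines.append(f" {r.action} {r.protocol} any host {r.dst_ip}{port}")
    return lines


def safe_to_delete(acl: Acl, interface_acls: Dict[str, str]) -> bool:
    """Pre-check before deleting from IPS: the switch rejects deletion while the ACL is applied."""
    return (IPS_PREFIX + acl.name) not in interface_acls.values()
```

`interface_acls` maps an interface name to the ACL applied on it (constructed sample data in the checks, not read from a switch).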

Adding SNMP Client

To add a client using ACL enforcement:

  1. Select Endpoint Policy > Network Access > Network Infrastructure Device.
  2. Click New.
  3. Enter the name of the client that will be added in the IPS.
  4. Enter the description.
  5. Enter the IP address of the client.
  6. Under Enforcement, select ACL Enforcement.

    ACL enforcement is supported on all switches that support SSH.

  7. Select the Location Group.
  8. Select the default ACL from the drop-down.

    Select the Custom option and enter the ACL name if the ACL was configured manually on the switch.

  9. Select the template corresponding to the selected vendor.
  10. Under SSH settings:
    • Specify the authentication method.
    • Enter the user name, password, and port number if the authentication method is Password, or
    • Enter the user name, key, and pass-phrase if the authentication method is Public Key.
  11. Under SNMP settings, specify the SNMP version.
  12. Specify the Read username, Read Security Level, Auth Protocol, and Auth Password.
  13. Click Save Changes.

The admin can select both VLAN and ACL enforcement for an SNMP client.

To add a client using VLAN enforcement:

  1. Select Endpoint Policy > Network Access > Network Infrastructure Device.
  2. Click New.
  3. Enter the name of the client that will be added in the IPS.
  4. Enter the description.
  5. Enter the IP address of the client.
  6. Under Enforcement, select VLAN Enforcement.

    VLAN enforcement using SSH is supported on all switches except HP and Cisco.

  7. Select the Location Group.
  8. Enter the default VLAN number.
  9. Select the template corresponding to the selected vendor.
  10. Under SSH settings:
    • Specify the authentication method.
    • Enter the user name, password, and port number if the authentication method is Password, or
    • Enter the user name, key, and pass-phrase if the authentication method is Public Key.
  11. Under SNMP settings, specify the SNMP version.
  12. Specify the Read username, Read Security Level, Auth Protocol, and Auth Password.
  13. Click Save Changes.

SNMP Enforcement Policies

To create SNMP Enforcement policies:

  1. Select Endpoint Policy > Network Access > SNMP Enforcement Policies.
  2. Click New Policy.
  3. Enter the policy name.
  4. Enter the Description.
  5. Select the Location Group.
  6. Select the ACL from the drop-down.

    Select the Custom option and enter the ACL name if the ACL was configured directly on the switch.

  7. Under Roles, specify:
    • Policy applies to ALL roles: applies the policy to all users.
    • Policy applies to SELECTED roles: applies this policy only to users who are mapped to roles in the Selected roles list. You must add roles to this list from the Available roles list.
    • Policy applies to all roles OTHER THAN those selected below: applies this policy to all users except those who map to the roles in the Selected roles list. You must add roles to this list from the Available roles list.
  8. Click Save Changes.

At least one of VLAN or ACL (or both) must be configured in the SNMP policy.