Specifications

802.1x Solution Cookbook 243
Chapter 11
netdestination district-network
  network 10.0.0.0 255.0.0.0
  network 172.16.0.0 255.255.0.0

Student Policy
The policy below prevents students from using Telnet, POP3, FTP, SMTP,
SNMP, or SSH to reach the wired portion of the network. Telnet, FTP, SNMP,
and SSH are used by the IT staff to maintain network devices, but are not
permitted for other classes of users. POP3 and SMTP are permitted for faculty
and staff members to access email. All students use Microsoft Exchange to
access email.

ip access-list session student
  user alias district-network svc-telnet deny
  user alias district-network svc-pop3 deny
  user alias district-network svc-ftp deny
  user alias district-network svc-smtp deny
  user alias district-network svc-snmp deny
  user alias district-network svc-ssh deny

Faculty Policy
Like the student policy above, the faculty policy blocks the use of
maintenance protocols toward the internal network. However, faculty members
are allowed the use of POP3 and SMTP. Faculty laptops have email clients
configured to use these protocols, as they were deemed more efficient than
the Exchange protocol when laptops were taken home and used with VPN
remote access. Students did not have this same requirement, since they are
not permitted to use VPN remote access.

ip access-list session faculty
  user alias district-network svc-telnet deny
  user alias district-network svc-ftp deny
  user alias district-network svc-snmp deny
  user alias district-network svc-ssh deny

Allow All Policy
The following policy allows unrestricted access to any network. This policy is
used for members of the IT staff.

ip access-list session allowall
  any any any permit
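
The three policies above can be checked offline before they are deployed. The Python below is an added example, not part of the cookbook: it parses the configuration text from this section and evaluates a flow against an ordered list of ACLs. It assumes first-match evaluation, a deny when nothing matches, conventional port numbers for the svc-* aliases, and that a role lists its restrictive ACL ahead of allowall; parse, decide, and SERVICES are hypothetical names.

```python
import ipaddress
# Policy text copied from this section.
CONFIG = """\
netdestination district-network
network 10.0.0.0 255.0.0.0
network 172.16.0.0 255.255.0.0
ip access-list session student
user alias district-network svc-telnet deny
user alias district-network svc-pop3 deny
user alias district-network svc-ftp deny
user alias district-network svc-smtp deny
user alias district-network svc-snmp deny
user alias district-network svc-ssh deny
ip access-list session faculty
user alias district-network svc-telnet deny
user alias district-network svc-ftp deny
user alias district-network svc-snmp deny
user alias district-network svc-ssh deny
ip access-list session allowall
any any any permit
"""
# Assumption: conventional ports for the service aliases named in the ACLs.
SERVICES = {"svc-telnet": ("tcp", 23), "svc-pop3": ("tcp", 110), "svc-ftp": ("tcp", 21),
            "svc-smtp": ("tcp", 25), "svc-snmp": ("udp", 161), "svc-ssh": ("tcp", 22)}

def parse(text):
    dests, acls, cur = {}, {}, None
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "netdestination":
            cur = dests.setdefault(tok[1], [])
        elif tok[:3] == ["ip", "access-list", "session"]:
            cur = acls.setdefault(tok[3], [])
        elif tok[0] == "network":
            cur.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[:2] == ["user", "alias"]:
            cur.append((tok[2], tok[3], tok[4]))   # (dest alias, service, action)
        elif tok[:3] == ["any", "any", "any"]:
            cur.append((None, None, tok[3]))       # wildcard rule
    return dests, acls

def decide(acl_names, dst_ip, proto, port, dests, acls):
    # Assumption: the first matching rule across the listed ACLs wins,
    # and a flow that matches no rule is denied.
    ip = ipaddress.ip_address(dst_ip)
    for dest, svc, action in (r for n in acl_names for r in acls[n]):
        in_dest = dest is None or any(ip in net for net in dests[dest])
        if in_dest and (svc is None or SERVICES[svc] == (proto, port)):
            return action
    return "deny"
```

Calling decide(["student", "allowall"], ...) and decide(["faculty", "allowall"], ...) with the same POP3 or SMTP flow shows the one intended difference between the two roles.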