Extreme Networks Sentriant AG Software User's Manual page 163

Table 8: Troubleshooting Quarantined Endpoints (continued)
Enforcement Mode
DHCP mode Network
enforcement
NOTES:
• (*) The gateway does not have to be in the broadcast domain (which is good, since the netmask gives the
endpoint no real broadcast domain), as long as it is in the same (Layer 2) subnet—the router will get you
there.
• (**) Allowing access to the Internet is up to the customer, but is necessary for access to any IP addresses in
Accessible services (System configuration>>Cluster setting defaults area>>Accessible services).
Sentriant AG Software Users Guide, Version 5.2
How endpoints are quarantined and
redirected to Sentriant AG
DHCP server (Sentriant AG) gives the
endpoint:
• Quarantine range IP address
• Appropriate netmask for
quarantine subnet
• Appropriate default gateway
• Sentriant AG server's IP as DNS
server (will resolve everything
except Accessible services to the
Sentriant AG IP address)
• The switch is configured with
additional IP helper addresses to
forward broadcast DHCP requests
to ESs as well as production
DHCP servers.
Switches must be configured for
multinetting (multinetting segment) so
there can be two networks on the
same physical device (or devices)
that cohabitate, but they should not
be able to talk to one another as
enforced by the switch (using ACLs).
Each port on the switch will be
allowed to be on either the
production or quarantine network,
and the switch will have a secondary
IP address assigned to the gateway
port (so there will be different
gateway IP addresses for the
production and quarantine networks).
Endpoint Activity
How quarantined endpoints reach
accessible devices
Sentriant AG (fake root) DNS—As
in endpoint enforcement (for access
to names in Accessible services). The
DNS server forwards requests for
accessible services to a real DHCP
server for resolution.
ACLs on the switch prevent
quarantined systems from talking to
production systems, but allow for the
following specific traffic:
• Quarantine --> Sentriant AG (OK)
• Production --> Quarantine (OK)
• Quarantine -|-> Production (NO)
• Quarantine -?-> Internet
(Maybe*)
163