CLEANACCESS Archives

September 2005

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Simon Bell <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Thu, 1 Sep 2005 09:04:08 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (52 lines)
For us, each vlan is a /22. In vlans where the switches are in the same subnet, we reserve the first 100 IPs for these devices. We then create a filter under Filters > Subnets for these devices. We use either a /26 or /27 subnet depending on how many of the reserved IPs are in use. We call this role Switch Management with the following traffic controls:

Allow   TCP        *:23   *:*
Allow   TCP        *:22   *:*
Allow   UDP        *:161  *:*
Allow   ICMP(ALL)  *      *     (we usually disable this unless for some reason we need to ping the devices)
Allow   TCP        *:80   *:*   (we usually disable this unless for some reason we need to use HTTP to the devices: APs, print servers, etc.)
Block   ALL

Hope this helps,

Simon


>>> [log in to unmask] 9/1/2005 8:37 AM >>>
Dear Perfigo/CCA users,

We've had a very successful rollout of CleanAccess 3.5.4 at Heidelberg 
College this fall.  I hope one of you can help with an odd "side-effect" 
that I hope to resolve....

We have Cisco 3550 switches in the Res Halls, and they each have an IP 
address in the same VLAN as the student residents.  Once we turn over 
control of that VLAN to the CleanAccess server, we can no longer 
ping/telnet/browse to those edge switches from anywhere outside the managed 
VLAN.

Cisco TAC suggested that I add those switches' IP addresses to the CCA 
Manager via CCA.Servers>>Filters>>Subnets with a /32 mask and "Allow" which 
I have done.  This sounds like it should work, but there is no change in 
behavior.

How are you addressing your edge devices so they can still be seen/managed 
from the core or elsewhere on your network?

Thanks, in advance, for your suggestions.

Kurt

____________________________________________________
Kurt E. Huenemann '83
Assoc. Director of Information Technology
Asst. Professor of Computer Science
Heidelberg College
310 East Market Street
Tiffin, OH 44883

Internet: [log in to unmask] 
Fax:      419-448-2176
Voice:    419-448-2351
____________________________________________________
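The Switch Management role Simon describes is an ordered, first-match traffic control list applied only to addresses that fall inside the Filters > Subnets entry for the reserved block. The script below is an added example, not code from either poster or from Cisco Clean Access; it models that policy so the effect of each rule and of the subnet filter can be checked against constructed packets. Assumptions: the VLAN address 10.20.0.0/22, the reading of the rule columns as (managed-side endpoint, trusted-side endpoint), and the "filter_for" helper, which generalises the /26-or-/27 choice to the smallest power-of-two block covering the addresses in use, starting at the VLAN's first address.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values (not from the list post): a hypothetical /22 residence-hall VLAN
# whose first addresses are reserved for switches, and the /26 filter that selects them.
VLAN = ipaddress.ip_network("10.20.0.0/22")
SWITCH_FILTER = ipaddress.ip_network("10.20.0.0/26")


def parse_endpoint(spec: str):
    """Parse 'ip:port' with '*' wildcards into (network or None, port or None)."""
    ip_part, _, port_part = spec.partition(":")
    net = None if ip_part == "*" else ipaddress.ip_network(ip_part, strict=False)
    port = None if port_part in ("", "*") else int(port_part)
    return net, port


@dataclass
class Rule:
    action: str       # "Allow" or "Block"
    proto: str        # "TCP", "UDP", "ICMP" or "ALL"
    managed: str      # endpoint on the managed (switch) side, e.g. "*:23"  (assumed column meaning)
    trusted: str      # endpoint on the trusted side, e.g. "*:*"            (assumed column meaning)
    enabled: bool = True

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ALL" and self.proto != pkt["proto"]:
            return False
        sides = ((self.managed, "managed_ip", "managed_port"),
                 (self.trusted, "trusted_ip", "trusted_port"))
        for spec, ip_key, port_key in sides:
            net, port = parse_endpoint(spec)
            if net is not None and ipaddress.ip_address(pkt[ip_key]) not in net:
                return False
            if port is not None and pkt.get(port_key) != port:
                return False
        return True


# The role as posted; the ICMP and HTTP rules are present but disabled, as Simon keeps them.
SWITCH_MANAGEMENT_ROLE = [
    Rule("Allow", "TCP", "*:23", "*:*"),
    Rule("Allow", "TCP", "*:22", "*:*"),
    Rule("Allow", "UDP", "*:161", "*:*"),
    Rule("Allow", "ICMP", "*", "*", enabled=False),
    Rule("Allow", "TCP", "*:80", "*:*", enabled=False),
    Rule("Block", "ALL", "*", "*"),
]


def evaluate(rules, pkt: dict) -> str:
    """First enabled matching rule decides; anything unmatched is blocked."""
    for rule in rules:
        if rule.enabled and rule.matches(pkt):
            return rule.action
    return "Block"


def classify(pkt: dict, rules=SWITCH_MANAGEMENT_ROLE, subnet=SWITCH_FILTER) -> str:
    """Only managed-side addresses inside the subnet filter receive the role at all."""
    if ipaddress.ip_address(pkt["managed_ip"]) not in subnet:
        return "not-in-filter"
    return evaluate(rules, pkt)


def filter_for(vlan: ipaddress.IPv4Network, in_use: int) -> ipaddress.IPv4Network:
    """Smallest power-of-two block at the start of the VLAN covering `in_use` devices
    (20 devices -> /27, 50 -> /26; an assumed generalisation of the post's rule of thumb)."""
    size = 1
    while size < in_use:
        size *= 2
    prefix = vlan.max_prefixlen - size.bit_length() + 1
    return ipaddress.ip_network(f"{vlan.network_address}/{prefix}")


# Constructed sample traffic from a trusted-side admin host to devices in the managed VLAN.
ADMIN = {"trusted_ip": "10.1.1.10", "trusted_port": 40000}
SAMPLES = {
    "telnet to switch": {"proto": "TCP", "managed_ip": "10.20.0.5", "managed_port": 23, **ADMIN},
    "snmp poll":        {"proto": "UDP", "managed_ip": "10.20.0.5", "managed_port": 161, **ADMIN},
    "ping switch":      {"proto": "ICMP", "managed_ip": "10.20.0.5", **ADMIN},
    "http to switch":   {"proto": "TCP", "managed_ip": "10.20.0.5", "managed_port": 80, **ADMIN},
    "telnet to student pc": {"proto": "TCP", "managed_ip": "10.20.1.50", "managed_port": 23, **ADMIN},
}


def run_samples() -> dict:
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24s} -> {verdict}")
    print("filter for 20 devices:", filter_for(VLAN, 20))
```

Running it shows telnet and SNMP to a reserved address allowed, ping and HTTP blocked by the trailing Block ALL while their rules stay disabled, and a student address outside the /26 never reaching the role at all; re-enabling the ICMP rule flips the ping verdict without touching anything else.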
