Cisco Support Community

CSA @ Simultaneous data flux through multiple interfaces : BLOCK

Greetings,

Guys, I need some help with CSA. My client has the following scenario on its remote assets:

- Every remote asset has 4 IP interfaces through which the employee is able to connect to networks: Wired, Wi-Fi (a/b/g), 3G via USB and Bluetooth, the 3G and BT being through their BlackBerry smartphones.

- The user may use only 1 interface at a time, exclusively, with the wired intf having the top priority.

I've tried setting a few rules in order to get that behaviour:

1) Trigger: System State > Intf Wired active (custom set, set to monitor the Wired intf only).

Rule: Network Access Control > Block traffic through all other intfs but the Wired.

2) Trigger: System State > Intf Wi-Fi active (custom set, set to monitor the Wi-Fi intf only).

Rule: Network Access Control > Block traffic through all other intfs but the Wi-Fi.

And the 3rd and 4th rules are the same but regard the 3G and BT intfs.

The thing is that it won't work as fast and as precisely as I need it to. It takes way too long before the blocking actually starts happening and the end-user doesn't see that he's actually using just one intf. For instance, if he's connected via the Wired intf and he turns the Wi-Fi radio on, he will get the available networks listed and even get an IP address through DHCP on that intf.

Is there any way I can make this blocking more stable and precise? I wish I could make a rule that actually disables the adapter itself, as it would be seen in the OS; for instance, in Windows, the red x would be marked upon the Wi-Fi adapter if the Wired adapter is already in use.

Any thoughts?

Thanks in advance!

Att, Dan

1 REPLY

Re: CSA @ Simultaneous data flux through multiple interfaces : B

Sorry, CSA does not control interface up/down, only filters. Why not just use the require vpn module that is already in the csamc? It will block incoming/most outgoing traffic on all interfaces, until either it can reach the csamc or the dns suffix matches the company dns.
