This article is only relevant if you are using Cisco Switches with VLAN access map capabilities.
One downside of the isolation and registration VLANs is that they are usually flat (not routed) VLANs with many hosts in them. Furthermore, the isolation VLAN can become a real “battle zone” where users see each other and can be infected by viruses or malware from other hosts.
To mitigate that problem, you can create a VLAN access map on the access switches and drop any traffic that is not going to or coming from the PacketFence registration/isolation interface. Here is a quick example of how to achieve that in the isolation VLAN.
First, create the ACL that matches the permitted traffic (pf_host stands for the IP address of the PacketFence isolation interface):
ip access-list extended pf-isol
permit ip host pf_host any
permit icmp any host pf_host
permit tcp any host pf_host eq www
permit tcp any host pf_host eq 443
permit udp any host pf_host eq domain
permit udp any host 255.255.255.255 eq bootps
permit udp any host pf_host eq bootps
Secondly, create the VLAN access map and apply it to the isolation VLAN (ISOLATION_VLANID is your isolation VLAN number):
vlan access-map Isolation 10
match ip address pf-isol
vlan filter Isolation vlan-list ISOLATION_VLANID
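To check what the map above actually lets through, here is an added example (not part of the original article or of PacketFence) that evaluates the pf-isol ACL in software over a few constructed flows, using the same first-match-then-implicit-deny semantics as an IOS ACL and the implicit drop at the end of a VLAN access map. The pf_host address 10.0.0.10 and the client addresses are constructed; the port numbers are the standard values behind the www, domain and bootps keywords.

```python
"""Evaluate the article's pf-isol ACL / Isolation VLAN map over constructed flows."""
from dataclasses import dataclass
from typing import Optional

PF_HOST = "10.0.0.10"          # assumption: stands in for pf_host in the article
BROADCAST = "255.255.255.255"  # DHCP discover destination


@dataclass(frozen=True)
class Flow:
    proto: str               # "ip", "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


# Each tuple mirrors one "permit" line of "ip access-list extended pf-isol":
# (protocol, source, destination, destination port or None).
ACL_PF_ISOL = [
    ("ip", PF_HOST, "any", None),        # permit ip host pf_host any
    ("icmp", "any", PF_HOST, None),      # permit icmp any host pf_host
    ("tcp", "any", PF_HOST, 80),         # permit tcp any host pf_host eq www
    ("tcp", "any", PF_HOST, 443),        # permit tcp any host pf_host eq 443
    ("udp", "any", PF_HOST, 53),         # permit udp any host pf_host eq domain
    ("udp", "any", BROADCAST, 67),       # permit udp any host 255.255.255.255 eq bootps
    ("udp", "any", PF_HOST, 67),         # permit udp any host pf_host eq bootps
]


def _host_matches(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr


def acl_permits(acl, flow: Flow) -> bool:
    """First matching entry wins; no match means the implicit deny at the end."""
    for proto, src, dst, dport in acl:
        if proto != "ip" and proto != flow.proto:
            continue
        if not _host_matches(src, flow.src) or not _host_matches(dst, flow.dst):
            continue
        if dport is not None and dport != flow.dport:
            continue
        return True
    return False


def vacl_action(flow: Flow) -> str:
    """Sequence 10 of the Isolation map has no explicit action, so a packet
    permitted by pf-isol is forwarded; anything else falls off the end of the
    map and is dropped."""
    return "forward" if acl_permits(ACL_PF_ISOL, flow) else "drop"


# Constructed sample flows seen on the isolation VLAN.
SAMPLE_FLOWS = {
    "client to client SMB": Flow("tcp", "10.0.0.50", "10.0.0.51", 445),
    "client to PF captive portal": Flow("tcp", "10.0.0.50", PF_HOST, 80),
    "PF reply to client": Flow("tcp", PF_HOST, "10.0.0.50", 51000),
    "DHCP discover broadcast": Flow("udp", "0.0.0.0", BROADCAST, 67),
    "client DNS to external resolver": Flow("udp", "10.0.0.50", "8.8.8.8", 53),
}


def evaluate_samples() -> dict:
    return {name: vacl_action(flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, action in evaluate_samples().items():
        print(f"{name:35s} -> {action}")
```

The evaluation shows the intended effect: only traffic between a host and the PacketFence interface (plus DHCP discovery) is forwarded, while host-to-host traffic inside the isolation VLAN and direct Internet access are dropped by the map's implicit deny.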