Switch ACL Configuration

POSTURE_REDIRECT ACL

In a redirect ACL, deny entries mark traffic that bypasses the redirect and permit entries mark traffic that is redirected. This ACL exempts DNS, DHCP and the ISE node itself, then redirects HTTP/HTTPS:

netapi ios config \
  "ip access-list extended POSTURE_REDIRECT" \
  "10 deny udp any any eq 53" \
  "20 deny udp any any eq 67" \
  "30 deny udp any any eq 68" \
  "35 deny tcp any host 10.50.1.21 eq 443" \
  "40 deny tcp any host 10.50.1.21 eq 8443" \
  "45 deny tcp any host 10.50.1.21 eq 8905" \
  "50 permit tcp any any eq 80" \
  "60 permit tcp any any eq 443"

ACL Logic

Rule                                  Purpose
deny udp eq 53                        Bypass DNS (essential)
deny udp eq 67/68                     Bypass DHCP
deny tcp host ISE eq 443/8443/8905    Bypass ISE admin/portal/posture
permit tcp eq 80/443                  Redirect HTTP/HTTPS traffic
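The rule table above is first-match: the order of the entries decides whether the ISE node's own portal is exempted or redirected into a loop. The following is an added example (not part of the page's configuration or of any netapi tool) that replays the POSTURE_REDIRECT entries, with the page's ISE address 10.50.1.21, against constructed sample flows and flags any deny entry that an earlier, broader permit has shadowed. The client and destination addresses in the sample flows are constructed; the parser only understands the `any` and `host` address forms this ACL uses.

```python
"""First-match evaluator for a Cisco IOS redirect ACL (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Entries copied from the page's POSTURE_REDIRECT ACL.
POSTURE_REDIRECT = [
    "10 deny udp any any eq 53",
    "20 deny udp any any eq 67",
    "30 deny udp any any eq 68",
    "35 deny tcp any host 10.50.1.21 eq 443",
    "40 deny tcp any host 10.50.1.21 eq 8443",
    "45 deny tcp any host 10.50.1.21 eq 8905",
    "50 permit tcp any any eq 80",
    "60 permit tcp any any eq 443",
]

# Constructed misordering: the general HTTPS permit precedes the ISE exemption.
MISORDERED = POSTURE_REDIRECT[:3] + ["34 permit tcp any any eq 443"] + POSTURE_REDIRECT[3:7]


@dataclass
class Ace:
    seq: int
    action: str           # "permit" (redirect) or "deny" (bypass)
    proto: str            # "tcp" or "udp"
    src: str              # "any" or a single host address
    dst: str
    dport: Optional[int]  # destination port, None if unrestricted


def _addr(tokens: List[str], i: int):
    """Parse 'any' or 'host A.B.C.D'; only the forms this ACL uses."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def parse_ace(line: str) -> Ace:
    t = line.split()
    seq, action, proto = int(t[0]), t[1], t[2]
    src, i = _addr(t, 3)
    dst, i = _addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(seq, action, proto, src, dst, dport)


def matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    return (ace.proto == proto
            and ace.src in ("any", src)
            and ace.dst in ("any", dst)
            and (ace.dport is None or ace.dport == dport))


def redirect_decision(acl: List[str], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins: permit -> 'redirect'; deny -> 'bypass'.
    No match falls through to the implicit deny, which also means not redirected."""
    for ace in map(parse_ace, acl):
        if matches(ace, proto, src, dst, dport):
            return "redirect" if ace.action == "permit" else "bypass"
    return "bypass"


def shadowed_bypasses(acl: List[str]) -> List[int]:
    """Sequence numbers of deny entries that an earlier 'any any' permit on the
    same protocol and port already covers, so the exemption never takes effect."""
    aces = [parse_ace(line) for line in acl]
    shadowed = []
    for n, d in enumerate(aces):
        if d.action != "deny":
            continue
        for p in aces[:n]:
            if (p.action == "permit" and p.proto == d.proto
                    and p.src == "any" and p.dst == "any"
                    and (p.dport is None or p.dport == d.dport)):
                shadowed.append(d.seq)
                break
    return shadowed


if __name__ == "__main__":
    client = "10.50.20.7"          # constructed endpoint address
    for proto, dst, port in [("udp", "10.50.1.10", 53),
                             ("tcp", "10.50.1.21", 443),
                             ("tcp", "198.51.100.10", 443),
                             ("tcp", "198.51.100.10", 22)]:
        print(proto, dst, port, "->", redirect_decision(POSTURE_REDIRECT, proto, client, dst, port))
    print("shadowed in POSTURE_REDIRECT:", shadowed_bypasses(POSTURE_REDIRECT))
    print("shadowed in MISORDERED:", shadowed_bypasses(MISORDERED))
```

With the page's ordering, HTTPS to 10.50.1.21 is exempted and HTTPS to any other host is redirected; in the misordered variant, entry 35 is reported as shadowed, which is the condition that sends the client's portal traffic back into the redirect.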

Verification

# View ACL
netapi ios exec "show ip access-lists POSTURE_REDIRECT"

# Check session details for redirect
netapi ios exec "show access-session interface gi1/0/2 details"