4-28
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 4 Common Scenarios Using ACS
ACS and Cisco Security Group Access
Initially, the matrix contains only the cell for the Unknown source and Unknown destination SG. Unknown
refers to the preconfigured SG, which cannot be modified. Each time you add an SG, ACS adds a new row and
a new column to the matrix; the newly created cells are empty until you populate them.
To add an Egress policy and populate the Egress matrix:
Step 1 Choose Access Policies > Security Group Access Control > Egress Policy.
The Egress matrix is displayed. The security groups appear in the order in which you defined them.
Step 2 Click a cell and then click Edit.
Step 3 Fill in the fields as required.
Step 4 Select the SGACLs to apply to the cell and move them to the Selected column.
The SGACLs are enforced at the egress point for traffic whose source and destination SGTs match the
coordinates of the cell. The SGACLs are applied in the order in which they appear in the list.
Step 5 Use the Up and Down arrows to change the order. The device applies the SGACLs in the order in which
they are configured, so a broad permit or deny placed first shadows the SGACLs that follow it.
Step 6 Click Submit.
Creating a Default Policy
After you configure the Egress policies for the source and destination SGs in the Egress matrix, Cisco
recommends that you configure the Default Egress Policy. The default policy covers traffic for which no
cell-specific SGACL applies, such as traffic from devices that have not been assigned an SGT. The network
devices append the default policy to the specific policies defined in the cells. The initial setting for
the default policy is Permit All.
The term default policy refers to the ANY security group to ANY security group policy. Security Group
Access network devices concatenate the default policy to the end of the specific cell policy.
If the cell is blank, only the default policy is applied. If the cell contains a policy, the resultant policy is
the cell-specific policy followed by the default policy.
The way the specific cell policy and the default policy are combined depends on the algorithm running
on the device. The result is the same as concatenating the two policies.
The packet is first checked against the ACEs defined by the SGACLs of the cell. If no ACE in the cell
matches, the packet falls through and is checked against the ACEs of the default policy.
Combining the cell-specific policy and the default policy is done not by ACS, but by the Security Group
Access network device. From the ACS perspective, the cell-specific and the default policy are two
separate sets of SGACLs, which are sent to devices in response to two separate policy queries.
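The following is an added simulation of the combination described above; it is illustrative code, not ACS or Cisco device code. It models a cell as an ordered list of SGACLs, appends the ANY-to-ANY default policy the way the device does, and evaluates a packet first-match through the concatenated ACE list. The SGT values (10, 20), SGACL names, the simplified ACE shape (action, protocol, destination port), and the treatment of a packet that matches no ACE at all as denied are all assumptions made for the example.

```python
"""Added simulation of how a Security Group Access device combines the
cell-specific SGACLs from the ACS Egress matrix with the Default Egress
Policy. Illustrative code only, not ACS or Cisco device code.

Assumptions: an ACE is (action, protocol, destination port); the SGT values
and SGACL names are made up; a packet matching no ACE at all is denied.
"""
from dataclasses import dataclass, field
from typing import Optional

UNKNOWN_SGT = 0  # stands in for the preconfigured, non-modifiable "Unknown" SG


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    dst_port: Optional[int] = None  # None matches any destination port

    def matches(self, proto: str, dst_port: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        return self.dst_port is None or self.dst_port == dst_port


@dataclass
class Sgacl:
    name: str
    aces: list


def permit_all() -> list:
    """The initial Default Egress Policy in ACS: Permit All."""
    return [Sgacl("Permit_All", [Ace("permit", "ip")])]


@dataclass
class EgressMatrix:
    # (source SGT, destination SGT) -> SGACLs in the order set with Up/Down;
    # a missing key is a blank cell.
    cells: dict = field(default_factory=dict)
    # The ANY-to-ANY policy that the device appends to every cell.
    default_policy: list = field(default_factory=permit_all)

    def effective_policy(self, src_sgt: int, dst_sgt: int) -> list:
        """(origin, ACE) pairs in evaluation order: cell SGACLs first, then
        the default policy, i.e. the concatenation the device performs."""
        ordered = []
        for sgacl in self.cells.get((src_sgt, dst_sgt), []):
            ordered += [("cell:" + sgacl.name, ace) for ace in sgacl.aces]
        for sgacl in self.default_policy:
            ordered += [("default:" + sgacl.name, ace) for ace in sgacl.aces]
        return ordered

    def decide(self, src_sgt: int, dst_sgt: int, proto: str,
               dst_port: Optional[int] = None) -> tuple:
        """First-match evaluation of one packet at the egress point."""
        for origin, ace in self.effective_policy(src_sgt, dst_sgt):
            if ace.matches(proto, dst_port):
                return ace.action, origin
        return "deny", "implicit"  # assumption: no ACE matched


def build_example_matrix() -> EgressMatrix:
    """Constructed sample: SGT 10 = Employees, SGT 20 = Servers (made up)."""
    m = EgressMatrix()
    # Employees -> Servers: web allowed, SSH blocked, anything else falls to default
    m.cells[(10, 20)] = [
        Sgacl("Allow_Web", [Ace("permit", "tcp", 443)]),
        Sgacl("Block_SSH", [Ace("deny", "tcp", 22)]),
    ]
    # Servers -> Employees: a Deny_All SGACL placed first shadows what follows
    m.cells[(20, 10)] = [
        Sgacl("Deny_All", [Ace("deny", "ip")]),
        Sgacl("Allow_Web", [Ace("permit", "tcp", 443)]),
    ]
    return m


if __name__ == "__main__":
    m = build_example_matrix()
    print(m.decide(10, 20, "tcp", 443))          # ('permit', 'cell:Allow_Web')
    print(m.decide(10, 20, "tcp", 22))           # ('deny', 'cell:Block_SSH')
    print(m.decide(10, 20, "udp", 53))           # ('permit', 'default:Permit_All')
    print(m.decide(UNKNOWN_SGT, 20, "tcp", 22))  # blank cell: ('permit', 'default:Permit_All')
    print(m.decide(20, 10, "tcp", 443))          # ('deny', 'cell:Deny_All')
    m.default_policy = [Sgacl("Deny_All", [Ace("deny", "ip")])]
    print(m.decide(10, 20, "udp", 53))           # ('deny', 'default:Deny_All')
```

The last two calls show the two things a practitioner should check before pushing the matrix: SGACL order inside a cell (Deny_All first makes the later Allow_Web unreachable, which is what the Up and Down arrows control), and the default policy (while it remains Permit All, every packet that the cell does not explicitly deny is permitted, so blank cells are effectively open).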
To create a default policy:
Step 1 Choose Access Policies > Security Group Access Control > Egress Policy, and then choose Default Policy.
Step 2 Fill in the fields as described for the Default Policy for Egress Policy page.
Step 3 Click Submit.