Chapter 4 Common Scenarios Using ACS

ACS and Cisco Security Group Access

The first row (topmost) of the matrix contains the column headers, which display the destination SGT. The first column (far left) contains the row titles, with the source SG displayed. At the intersection of these axes lies the origin cell (top left) that contains the titles of the axes, namely, Destination and Source.

All other cells are internal matrix cells that contain the defined SGACL. The rows and columns are ordered alphabetically according to the SGT names. Each SGACL can contain 200 ACEs.

Initially, the matrix contains the cell for the unknown source and unknown destination SG. Unknown refers to the preconfigured SG, which is not modifiable. When you add an SG, ACS adds a new row and new column to the matrix with empty content for the newly added cell.

To add an Egress policy and populate the Egress matrix:

Step 1 Choose Access Policies > Security Group Access Control > Egress Policy.

The Egress matrix is visible. The security groups appear in the order in which you defined them.

Step 2 Click on a cell and then click Edit.

Step 3 Fill in the fields as required.

Step 4 Select the set of SGACLs to apply to the cell and move the selected set to the Selected column.

The ACLs are used at the Egress point for the source and destination SGTs that match the coordinates of the cell. The SGACLs are applied in the order in which they appear.

Step 5 Use the Up and Down arrows to change the order. The device applies the policies in the order in which they are configured. The SGACLs are applied to packets for the selected security groups.

Step 6 Click Submit.

Creating a Default Policy

After you configure the Egress policies for the source and destination SG in the Egress matrix, Cisco recommends that you configure the Default Egress Policy. The default policy refers to devices that have not been assigned an SGT. The default policy is added by the network devices to the specific policies defined in the cells. The initial setting for the default policy is Permit All.

The term default policy refers to the ANY security group to ANY security group policy. Security Group Access network devices concatenate the default policy to the end of the specific cell policy.

If the cell is blank, only the default policy is applied. If the cell contains a policy, the resultant policy is the cell-specific policy followed by the default policy.

The way the specific cell policy and the default policy are combined depends on the algorithm running on the device. The result is the same as concatenating the two policies.

The packet is analyzed first to see if it matches the ACEs defined by the SGACLs of the cell. If there is no match, the packet falls through to be matched by the ACEs of the default policy.

Combining the cell-specific policy and the default policy is done not by ACS, but by the Security Group Access network device. From the ACS perspective, the cell-specific and the default policy are two separate sets of SGACLs, which are sent to devices in response to two separate policy queries.
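The following is an added model of the evaluation order described above (it is not ACS or device code). It builds an Egress matrix, concatenates the cell SGACLs with the ANY-to-ANY default policy the way the section says the network device does, and resolves a packet against the result with first-match semantics; all group names, ACEs and packets are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_ACES_PER_SGACL = 200  # limit stated in the guide


@dataclass(frozen=True)
class ACE:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "ip" (ip matches any)
    dst_port: Optional[int] = None  # None matches any destination port

    def matches(self, proto: str, dst_port: int) -> bool:
        return self.proto in ("ip", proto) and self.dst_port in (None, dst_port)


@dataclass
class EgressMatrix:
    # (source SGT, destination SGT) -> ordered list of SGACLs, each a list of ACEs
    cells: Dict[Tuple[str, str], List[List[ACE]]] = field(default_factory=dict)
    # ANY-to-ANY default policy; initial setting in ACS is Permit All
    default_policy: List[ACE] = field(default_factory=lambda: [ACE("permit", "ip")])

    def set_cell(self, src: str, dst: str, sgacls: List[List[ACE]]) -> None:
        for sgacl in sgacls:
            if len(sgacl) > MAX_ACES_PER_SGACL:
                raise ValueError("an SGACL may contain at most 200 ACEs")
        self.cells[(src, dst)] = sgacls

    def effective_policy(self, src: str, dst: str) -> List[ACE]:
        # What the device enforces: cell SGACLs in their configured order,
        # then the default policy appended; a blank cell yields only the default.
        cell_aces = [ace for sgacl in self.cells.get((src, dst), []) for ace in sgacl]
        return cell_aces + list(self.default_policy)

    def decide(self, src: str, dst: str, proto: str, dst_port: int) -> str:
        # First matching ACE wins; unmatched cell ACEs fall through to the default.
        for ace in self.effective_policy(src, dst):
            if ace.matches(proto, dst_port):
                return ace.action
        return "deny"  # only reached if the default policy has no catch-all


def build_example() -> EgressMatrix:
    # Constructed sample: Employees -> Servers blocks telnet, explicitly permits HTTPS.
    m = EgressMatrix()
    m.set_cell("Employees", "Servers", [[ACE("deny", "tcp", 23)], [ACE("permit", "tcp", 443)]])
    return m
```

Changing `default_policy` to `[ACE("deny", "ip")]` shows why the order matters: traffic a cell does not mention (SSH below) flips from permit to deny while the cell's own ACEs keep their result.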


User Guide for Cisco Secure Access Control System 5.3

4-28

OL-24201-01
