Filter
Top Products
4-28
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 4 Common Scenarios Using ACS
ACS and Cisco Security Group Access
The first row (topmost) of the matrix contains the column headers, which display the destination SGT.
The first column (far left) contains the row titles, with the source SG displayed. At the intersection of
these axes lies the origin cell (top left) that contains the titles of the axes, namely, Destination and
Source.
All other cells are internal matrix cells that contain the defined SGACL. The rows and columns are
ordered alphabetically according to the SGT names. Each SGACL can contain 200 ACEs.
Initially, the matrix contains the cell for the unknown source and unknown destination SG. Unknown
refers to the preconfigured SG, which is not modifiable. When you add an SG, ACS adds a new row and
new column to the matrix with empty content for the newly added cell.
To add an Egress policy and populate the Egress matrix:
Step 1 Choose Access Policies > Security Group Access Control > Egress Policy.
The Egress matrix is visible. The security groups appear in the order in which you defined them.
Step 2 Click on a cell and then click Edit.
Step 3 Fill in the fields as required.
Step 4 Select the set of SGACLs to apply to the cell and move the selected set to the Selected column.
The ACLS are used at the Egress point of the SGT of the source and destination that match the
coordinates of the cell. The SGACLs are applied in the order in which they appear.
Step 5 Use the Up and Down arrows to change the order. The device applies the policies in the order in which
they are configured. The SGACL are applied to packets for the selected security groups.
Step 6 Click Submit.
Creating a Default Policy
After you configure the Egress policies for the source and destination SG in the Egress matrix, Cisco
recommends that you configure the Default Egress Policy. The default policy refers to devices that have
not been assigned an SGT. The default policy is added by the network devices to the specific policies
defined in the cells. The initial setting for the default policy is Permit All.
The term default policy refers to the ANY security group to ANY security group policy. Security Group
Access network devices concatenate the default policy to the end of the specific cell policy.
If the cell is blank, only the default policy is applied. If the cell contains a policy, the resultant policy is
the combination of the cell-specific policy which precedes the default policy.
The way the specific cell policy and the default policy are combined depends on the algorithm running
on the device. The result is the same as concatenating the two policies.
The packet is analyzed first to see if it matches the ACEs defined by the SGACLs of the cell. If there is
no match, the packet falls through to be matched by the ACEs of the default policy.
Combining the cell-specific policy and the default policy is done not by ACS, but by the Security Group
Access network device. From the ACS perspective, the cell-specific and the default policy are two
separate sets of SGACLs, which are sent to devices in response to two separate policy queries.