System IPv4 Device Access Policy Feature
The control plane of Cisco WAN Edge devices process the data traffic for local services like, SSH and SNMP, from a set of sources. It is important to protect the CPU from device access traffic by applying the filter to avoid malicious traffic.
Device access policy defines the rules that traffic must meet to reach the control plane.
Diagram
Classes
system_profiles (sdwan.feature_profiles)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ipv4_device_access_policy | Class | [ipv4_device_access_policy] | No |
ipv4_device_access_policy (sdwan.feature_profiles.system_profiles)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[^&<>! "]{1,128}$ | No | ipv4_device_access_policy |
| description | String | No | ||
| default_action | Choice | accept, drop | Yes | |
| sequences | List | [sequences] | No |
sequences (sdwan.feature_profiles.system_profiles.ipv4_device_access_policy)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| base_action | Choice | accept, drop | Yes | |
| name | String | min: 1, max: 19 | No | acl |
| match_entries | Class | [match_entries] | Yes |
match_entries (sdwan.feature_profiles.system_profiles.ipv4_device_access_policy.sequences)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| destination_data_prefix_list | String | min: 1, max: 64 | No | |
| destination_data_prefixes | List | IP | No | |
| destination_data_prefixes_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| destination_port | Choice | 22, 161 | Yes | |
| source_data_prefix_list | String | min: 1, max: 64 | No | |
| source_data_prefixes | List | IP | No | |
| source_data_prefixes_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| source_ports | List | Integer[min: 0, max: 65535] | No |
Examples
The example shows how to configure IPv4 device access policy that allows SSH traffic (port 22) with source IP from "jumpservers" prefix-list, source ports either 1000 or 2001. The rest of the management traffic is dropped with default action drop statement.
sdwan:
feature_profiles:
system_profiles:
- name: system
ipv4_device_access_policy:
name: ipv4_device_access_policy
description: basic ipv4 device access policy
default_action: drop
sequences:
- base_action: accept
match_entries:
source_data_prefix_list: jumpservers
source_ports:
- 1000
- 2001
destination_port: 22