IPv4 Device Access Policy Definition
The control plane of a Cisco WAN Edge device terminates traffic for local management services such as SSH and SNMP, and that traffic can arrive from any source that can reach the device. Filtering device-access traffic before it reaches the CPU protects the control plane from unwanted or malicious connections and reduces the exposure of these services.
Access policies define the rules that traffic must meet to pass through an interface. The examples below define rules that identify the sources from which SSH and SNMP traffic is allowed; everything else falls through to the default action.
Diagram
Classes
definitions (sdwan.localized_policies)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
ipv4_device_access_policies | List | [ipv4_device_access_policies] | No | |
ipv4_device_access_policies (sdwan.localized_policies.definitions)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
name | String | Regex: ^[A-Za-z0-9-_]{1,128}$ | Yes | |
description | String | | Yes | |
default_action | Choice | accept , drop | Yes | |
sequences | List | [sequences] | No | |
sequences (sdwan.localized_policies.definitions.ipv4_device_access_policies)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
id | Integer | min: 1 , max: 65534 | Yes | |
name | String | | No | |
base_action | Choice | accept , drop | Yes | |
match_criterias | Class | [match_criterias] | Yes | |
counter_name | String | min: 1 , max: 20 | No | |
match_criterias (sdwan.localized_policies.definitions.ipv4_device_access_policies.sequences)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
destination_data_prefix_list | String | Regex: ^[A-Za-z0-9-_]{1,128}$ | No | |
destination_ip_prefix | IP | | No | |
destination_port | Choice | 22 , 161 | Yes | |
source_data_prefix_list | String | Regex: ^[A-Za-z0-9-_]{1,128}$ | No | |
source_ip_prefix | IP | | No | |
source_ports | List | Integer[min: 0 , max: 65535 ] | No | |
Examples
Example-1 : The configuration below defines sequences 10, 15 and 20, each naming the source addresses from which SSH is allowed, with a counter_name associated to each sequence. Sequence 25 defines the source addresses from which SNMP traffic is allowed. The default action is drop, so any device-access traffic that matches no sequence is discarded.
```yaml
sdwan:
  localized_policies:
    definitions:
      # ipv4_device_access_policies is a List, so each policy is a list item
      ipv4_device_access_policies:
        - name: ACL-DEVICEACCESSPOLICY-01
          description: SSH and SNMP access control
          default_action: drop
          sequences:
            - id: 10
              base_action: accept
              match_criterias:
                source_ip_prefix: 10.10.0.0/16
                destination_port: 22
              counter_name: SEQ10-SSH
            - id: 15
              base_action: accept
              match_criterias:
                source_ip_prefix: 192.168.1.5/32
                destination_port: 22
              counter_name: SEQ15-SSH-VMANAGE
            - id: 20
              base_action: accept
              match_criterias:
                source_ip_prefix: 10.0.10.0/24
                destination_port: 22
              counter_name: SEQ20-SSH   # counter names follow the sequence id
            - id: 25
              base_action: accept
              match_criterias:
                source_ip_prefix: 10.0.10.0/24
                destination_port: 161
              counter_name: SEQ25-SNMP
```
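As an added illustration (not part of this page or of the SD-WAN tooling it documents), the following Python checks a policy against the constraints in the tables above and then walks its sequences the way the device does, first match by id wins and otherwise the default_action applies, so you can confirm which sources reach SSH and SNMP before the policy is pushed. The policy dict re-states Example-1; prefix-list references are assumed not to be resolved here because the page does not define their contents.

```python
import ipaddress
import re

# Example-1 from this page re-expressed as a Python dict (constructed here,
# not parsed from the YAML); counter names follow the sequence ids.
POLICY = {
    "name": "ACL-DEVICEACCESSPOLICY-01", "default_action": "drop",
    "sequences": [
        {"id": 10, "base_action": "accept", "counter_name": "SEQ10-SSH",
         "match_criterias": {"source_ip_prefix": "10.10.0.0/16", "destination_port": 22}},
        {"id": 15, "base_action": "accept", "counter_name": "SEQ15-SSH-VMANAGE",
         "match_criterias": {"source_ip_prefix": "192.168.1.5/32", "destination_port": 22}},
        {"id": 20, "base_action": "accept", "counter_name": "SEQ20-SSH",
         "match_criterias": {"source_ip_prefix": "10.0.10.0/24", "destination_port": 22}},
        {"id": 25, "base_action": "accept", "counter_name": "SEQ25-SNMP",
         "match_criterias": {"source_ip_prefix": "10.0.10.0/24", "destination_port": 161}},
    ],
}
NAME_RE = re.compile(r"^[A-Za-z0-9-_]{1,128}$")  # name constraint from the table

def validate(policy):
    """Return constraint violations (an empty list means the policy is valid)."""
    errors, seen = [], set()
    if not NAME_RE.match(policy.get("name", "")):
        errors.append("name: must match ^[A-Za-z0-9-_]{1,128}$")
    if policy.get("default_action") not in ("accept", "drop"):
        errors.append("default_action: must be accept or drop")
    for seq in policy.get("sequences", []):
        sid, mc = seq.get("id"), seq.get("match_criterias", {})
        if not isinstance(sid, int) or not 1 <= sid <= 65534 or sid in seen:
            errors.append(f"sequence {sid}: id must be unique and in 1..65534")
        seen.add(sid)
        if seq.get("base_action") not in ("accept", "drop"):
            errors.append(f"sequence {sid}: base_action must be accept or drop")
        if mc.get("destination_port") not in (22, 161):
            errors.append(f"sequence {sid}: destination_port must be 22 or 161")
        if "counter_name" in seq and not 1 <= len(seq["counter_name"]) <= 20:
            errors.append(f"sequence {sid}: counter_name must be 1..20 characters")
    return errors

def evaluate(policy, src_ip, dst_port):
    """First sequence (by id) whose source_ip_prefix and destination_port match
    wins; with no match the policy's default_action applies."""
    src = ipaddress.ip_address(src_ip)
    for seq in sorted(policy["sequences"], key=lambda s: s["id"]):
        mc = seq["match_criterias"]
        if mc["destination_port"] == dst_port and (
            "source_ip_prefix" not in mc or src in ipaddress.ip_network(mc["source_ip_prefix"])
        ):
            return seq["base_action"], seq["id"], seq.get("counter_name")
    return policy["default_action"], None, None
```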