System IPv6 Device Access Policy Feature
The control plane of Cisco WAN Edge devices processes data traffic for local services such as SSH and SNMP from a set of sources. It is important to protect the CPU from device access traffic by applying a filter that blocks malicious traffic.
Device access policy defines the rules that traffic must meet to reach the control plane.
Diagram

Classes

system_profiles (sdwan.feature_profiles)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ipv6_device_access_policy | Class | [ipv6_device_access_policy] | No | |
ipv6_device_access_policy (sdwan.feature_profiles.system_profiles)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[^&<>! "]{1,128}$ | No | ipv6_device_access_policy |
| description | String | | No | |
| default_action | Choice | accept, drop | Yes | |
| sequences | List | [sequences] | No | |
sequences (sdwan.feature_profiles.system_profiles.ipv6_device_access_policy)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| id | Integer | min: 1, max: 65536 | Yes | |
| name | String | min: 1, max: 19 | No | acl |
| base_action | Choice | accept, drop | Yes | |
| match_entries | Class | [match_entries] | Yes | |
match_entries (sdwan.feature_profiles.system_profiles.ipv6_device_access_policy.sequences)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| destination_data_prefix_list | String | min: 1, max: 64 | No | |
| destination_data_prefixes | List | IP | No | |
| destination_port | Choice | 22, 161 | Yes | |
| source_data_prefix_list | String | min: 1, max: 64 | No | |
| source_data_prefixes | List | IP | No | |
| source_ports | List | Integer[min: 0, max: 65535] | No | |
Examples

The example shows how to configure an IPv6 device access policy that allows SSH traffic (destination port 22) from sources in the “jumpservers” prefix list with source port 1000 or 2001. All other management traffic is dropped by the default action drop.

```yaml
sdwan:
  feature_profiles:
    system_profiles:
      - name: system
        ipv6_device_access_policy:
          name: ipv6_device_access_policy
          description: basic ipv6 device access policy
          default_action: drop
          sequences:
            - id: 1
              base_action: accept
              match_entries:
                source_data_prefix_list: jumpservers
                source_ports:
                  - 1000
                  - 2001
                destination_port: 22
```
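As an added example that is not part of this page or the project's own tooling, the following Python lint checks a parsed ipv6_device_access_policy dictionary against the constraints in the tables above and, as two heuristics of its own (labelled as such in the code), warns when default_action is accept or when an accept sequence places no restriction on the source. The sample policy is constructed to mirror the YAML example plus one deliberately over-permissive SNMP sequence.

```python
import re

NAME_RE = re.compile(r'^[^&<>! "]{1,128}$')  # regex from the policy "name" row
ACTIONS = {"accept", "drop"}
DEST_PORTS = {22, 161}  # SSH and SNMP, the only documented destination_port choices

def lint_policy(policy):
    """Return findings for one ipv6_device_access_policy dict (page constraints + two hardening warnings)."""
    findings = []
    if not NAME_RE.match(policy.get("name", "ipv6_device_access_policy")):
        findings.append("error: policy name violates the documented regex")
    if policy.get("default_action") not in ACTIONS:
        findings.append("error: default_action must be accept or drop")
    elif policy["default_action"] == "accept":
        findings.append("warning: default_action accept passes all unmatched control-plane traffic")
    seen_ids = set()
    for seq in policy.get("sequences", []):
        sid, tag = seq.get("id"), f"sequence {seq.get('id')}"
        if not isinstance(sid, int) or not 1 <= sid <= 65536:
            findings.append(f"error: {tag}: id must be 1..65536")
        elif sid in seen_ids:
            findings.append(f"error: {tag}: duplicate id")  # this script's own rule
        seen_ids.add(sid)
        if seq.get("base_action") not in ACTIONS:
            findings.append(f"error: {tag}: base_action must be accept or drop")
        me = seq.get("match_entries")
        if not isinstance(me, dict):
            findings.append(f"error: {tag}: match_entries is mandatory")
            continue
        if me.get("destination_port") not in DEST_PORTS:
            findings.append(f"error: {tag}: destination_port must be 22 or 161")
        if any(not isinstance(p, int) or not 0 <= p <= 65535 for p in me.get("source_ports", [])):
            findings.append(f"error: {tag}: source_ports must be integers 0..65535")
        # Hardening heuristic (not a page constraint): accept with no source restriction admits any IPv6 source.
        if seq.get("base_action") == "accept" and not (
                me.get("source_data_prefix_list") or me.get("source_data_prefixes")):
            findings.append(f"warning: {tag}: accepts port {me.get('destination_port')} from any source")
    return findings

# Constructed sample: the page's example sequence plus a second, over-permissive SNMP sequence.
SAMPLE_POLICY = {
    "name": "ipv6_device_access_policy", "default_action": "drop",
    "sequences": [
        {"id": 1, "base_action": "accept", "match_entries": {
            "source_data_prefix_list": "jumpservers", "source_ports": [1000, 2001],
            "destination_port": 22}},
        {"id": 2, "base_action": "accept", "match_entries": {"destination_port": 161}},
    ],
}
```

Feeding the dictionary produced by a YAML loader into lint_policy before pushing the profile gives the same result on real configuration files.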