IPv4 Device Access Policy Definition

The control plane of Cisco WAN Edge devices process the data traffic for local services like, SSH and SNMP, from a set of sources. It is important to protect the CPU from device access traffic by applying the filter to avoid malicious traffic.

Access policies define the rules that traffic must meet to pass through an interface. The below examples define rules to identify from where ssh and snmp traffic can be allowed.

Diagram

Classes

definitions (sdwan.localized_policies)

Name	Type	Constraint	Mandatory	Default Value
ipv4_device_access_policies	List	`[ipv4_device_access_policies]`	No

ipv4_device_access_policies (sdwan.localized_policies.definitions)

Name	Type	Constraint	Mandatory
name	String	Regex: `^[A-Za-z0-9-_]{1,128}$`	Yes
description	String		Yes
default_action	Choice	`accept`, `drop`	Yes
sequences	List	`[sequences]`	No

sequences (sdwan.localized_policies.definitions.ipv4_device_access_policies)

Name	Type	Constraint	Mandatory
id	Integer	min: `1`, max: `65534`	Yes
name	String		No
base_action	Choice	`accept`, `drop`	Yes
match_criterias	Class	`[match_criterias]`	Yes
counter_name	String	min: `1`, max: `20`	No

match_criterias (sdwan.localized_policies.definitions.ipv4_device_access_policies.sequences)

Name	Type	Constraint	Mandatory
destination_data_prefix_list	String	Regex: `^[A-Za-z0-9-_]{1,128}$`	No
destination_ip_prefix	IP		No
destination_port	Choice	`22`, `161`	Yes
source_data_prefix_list	String	Regex: `^[A-Za-z0-9-_]{1,128}$`	No
source_ip_prefix	IP		No
source_ports	List	Integer[min: `0`, max: `65535`]	No

Examples

Example-1 : The below configurations define sequence 10 , 15 and 20 source addresses from which SSH can be allowed and a counter_name is associated to each sequence. Seqence 25 defines from which source addresses SNMP traffic can be allowed.The default action of drop has been configured.

sdwan:
  localized_policies:
    definitions:
      ipv4_device_access_policies:
        name: ACL-DEVICEACCESSPOLICY-01
          description: SSH and SNMP access control
          default_action: drop
          sequences:
            - id: 10
              base_action: accept
              match_criterias:
                source_ip_prefix: 10.10.0.0/16
                destination_port: 22
              counter_name: SEQ10-SSH
            - id: 15
              base_action: accept
              match_criterias:
                source_ip_prefix: 192.168.1.5/32
                destination_port: 22
              counter_name: SEQ15-SSH-VMANAGE
            - id: 20
              base_action: accept
              match_criterias:
                source_ip_prefix: 10.0.10.0/24
                destination_port: 22
              counter_name: SEQ15-SSH
            - id: 25
              base_action: accept
              match_criterias:
                source_ip_prefix: 10.0.10.0/24
                destination_port: 161
              counter_name: SEQ20-SNMP