IPv4 Device Access Policy Definition

The control plane of Cisco WAN Edge devices process the data traffic for local services like, SSH and SNMP, from a set of sources. It is important to protect the CPU from device access traffic by applying the filter to avoid malicious traffic.

Access policies define the rules that traffic must meet to pass through an interface.

Diagram

Classes

definitions (sdwan.localized_policies)

Name	Type	Constraint	Mandatory	Default Value
ipv6_device_access_policies	List	`[ipv6_device_access_policies]`	No

ipv6_device_access_policies (sdwan.localized_policies.definitions)

Name	Type	Constraint	Mandatory
name	String	Regex: `^[A-Za-z0-9-_]{1,128}$`	Yes
description	String		Yes
default_action	Choice	`accept`, `drop`	Yes
sequences	List	`[sequences]`	No

sequences (sdwan.localized_policies.definitions.ipv6_device_access_policies)

Name	Type	Constraint	Mandatory
id	Integer	min: `1`, max: `65534`	Yes
name	String		No
base_action	Choice	`accept`, `drop`	Yes
match_criterias	Class	`[match_criterias]`	Yes
counter_name	String	min: `1`, max: `20`	No

match_criterias (sdwan.localized_policies.definitions.ipv6_device_access_policies.sequences)

Name	Type	Constraint	Mandatory
destination_data_prefix_list	String	Regex: `^[A-Za-z0-9-_]{1,128}$`	No
destination_ip_prefix	IP		No
destination_port	Choice	`22`, `161`	Yes
source_data_prefix_list	String	Regex: `^[A-Za-z0-9-_]{1,128}$`	No
source_ip_prefix	IP		No
source_ports	List	Integer[min: `0`, max: `65535`]	No

Examples

sdwan:
  localized_policies:
    definitions:
      ipv6_device_access_policies:
        - name: ACL-DEVICEACCESSPOLICY-01
          description: "SSH and SNMP access control"
          default_action: drop
          sequences:
            - id: 10
              base_action: accept
              match_criterias:
                source_ports:
                  - 1000
                  - 2001
                destination_data_prefix_list: SNMP-SERVERS
                destination_port: 161
              counter_name: SEQ10-SNMP