Cisco NAC Appliance - Clean Access Server Installation and Administration Guide
Cisco NAC Appliance 4.1.0, OL-12213-01

Chapter 9: Local Traffic Control Policies
This chapter describes how to set up traffic filtering rules in the Clean Access Server.
Overview
Traffic control policies let you control which network resources can be accessed, and which users can
access them. Traffic control policies are configured per user role, and must be configured for the Clean
Access Agent Temporary and quarantine roles.
Cisco NAC Appliance offers two types of traffic policies: IP-based policies, and host-based policies.
IP-based policies are fine-grained and flexible: they allow or block traffic by IP protocol number, source
and destination address, and source and destination port. IP-based policies are intended for any role.
For example, you can create an IP-based policy that passes IPSec traffic to a particular host while
denying all other traffic.
Host-based policies are less flexible than IP-based policies, but have the advantage of allowing traffic
policies to be specified by host name or domain name when a host has multiple or dynamic IP addresses.
Host-based policies are intended to simplify traffic policy configuration for the Clean Access Agent
Temporary and quarantine roles, and should be used where a host's IP address changes continuously or
where a host name resolves to multiple IP addresses.
Traffic control policies are directional. IP-based policies can allow or block traffic moving from the
untrusted (managed) network to the trusted network, or from the trusted network to the untrusted network.
Host-based policies allow traffic from the untrusted network to the specified host and to the trusted
DNS server specified for the role.
When you create a new user role, it has the following default IP-based traffic control policies:
•
All traffic from the untrusted network to the trusted network is blocked.
•
All traffic from the trusted network to the untrusted network is allowed.
Because all traffic from the untrusted network is initially blocked, after creating a role you typically
must create policies that permit the traffic appropriate for that role.
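The following is an added example, not code from the Cisco NAC Appliance product or this guide: a small Python model of how a role's traffic control policy decides whether a packet passes. It models the two directions, the default policies for a new role (untrusted-to-trusted blocked, trusted-to-untrusted allowed), an IP-based policy that passes IPSec (ESP, protocol 50, and IKE on UDP/500) to one host while denying everything else, and a host-based policy that allows traffic to whatever addresses a host name resolved to plus DNS to the trusted DNS server. Top-down, first-match evaluation of the IP rules, the host name, the IP addresses and the DNS cache snapshot are all assumptions constructed for the example.

```python
"""Model of a Clean Access Server role's traffic-control policy (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# The two directions the chapter describes.
UNTRUSTED_TO_TRUSTED = "untrusted->trusted"
TRUSTED_TO_UNTRUSTED = "trusted->untrusted"

# IANA protocol numbers: TCP, UDP, ESP (IPsec).
PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50


@dataclass
class Packet:
    direction: str
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class IpRule:
    """One IP-based policy: action, direction, protocol number, subnets, ports.
    None means 'any' for the optional fields."""
    action: str            # "allow" or "block"
    direction: str
    proto: Optional[int] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            p.direction == self.direction
            and (self.proto is None or p.proto == self.proto)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and (self.sport is None or p.sport == self.sport)
            and (self.dport is None or p.dport == self.dport)
        )


@dataclass
class RolePolicy:
    """Per-role policy. ip_rules are evaluated top-down, first match wins
    (an assumption of this model); host_rules apply only untrusted->trusted."""
    name: str
    ip_rules: list = field(default_factory=list)
    host_rules: list = field(default_factory=list)   # allowed host names
    trusted_dns: Optional[str] = None
    # Constructed snapshot of what the trusted DNS server resolved each host to.
    dns_cache: dict = field(default_factory=dict)

    def evaluate(self, p: Packet) -> str:
        for rule in self.ip_rules:
            if rule.matches(p):
                return rule.action
        if p.direction == TRUSTED_TO_UNTRUSTED:
            return "allow"           # default for a new role
        # Host-based policies: DNS to the trusted server, then resolved hosts.
        if (p.dst == self.trusted_dns and p.dport == 53
                and p.proto in (PROTO_TCP, PROTO_UDP)):
            return "allow"
        for host in self.host_rules:
            if p.dst in self.dns_cache.get(host, ()):
                return "allow"
        return "block"               # default for a new role


def build_example_role() -> RolePolicy:
    """A constructed quarantine-style role: IPsec to one host, one remediation
    host by name, everything else untrusted->trusted blocked."""
    role = RolePolicy(name="example_quarantine", trusted_dns="192.0.2.53")
    # IP-based: pass IPsec (ESP, plus IKE on UDP/500) to 203.0.113.10 only.
    role.ip_rules.append(IpRule("allow", UNTRUSTED_TO_TRUSTED, PROTO_ESP, dst="203.0.113.10"))
    role.ip_rules.append(IpRule("allow", UNTRUSTED_TO_TRUSTED, PROTO_UDP, dst="203.0.113.10", dport=500))
    # Host-based: remediation server whose address changes (constructed name and IPs).
    role.host_rules.append("update.example.com")
    role.dns_cache["update.example.com"] = {"198.51.100.7", "198.51.100.8"}
    return role


def decide(direction, proto, src, dst, sport=None, dport=None) -> str:
    """Evaluate one packet against the example role and return 'allow' or 'block'."""
    return build_example_role().evaluate(Packet(direction, proto, src, dst, sport, dport))


if __name__ == "__main__":
    print(decide(UNTRUSTED_TO_TRUSTED, PROTO_ESP, "10.1.1.5", "203.0.113.10"))            # allow
    print(decide(UNTRUSTED_TO_TRUSTED, PROTO_TCP, "10.1.1.5", "203.0.113.10", 40000, 80))  # block
```

Note that the IPSec policy needs two IP-based rules, one for ESP (which has no ports) and one for IKE on UDP/500; a rule that names only the host would let every protocol through, and a rule that names only UDP/500 would block the ESP data path. The host-based rule allows traffic to a resolved address only while that address is in the DNS snapshot, which is why such rules suit hosts whose addresses change.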