Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Server Installation and Administration Guide, OL-12213-01, page 9-2
Chapter 9 Local Traffic Control Policies
Alternatively, a traffic control policy can block traffic to a particular machine or limit users to particular
activities, such as email use or web browsing. Examples of policies are: "deny access to the computer at
191.111.11.1", or "allow www communication from computers on subnet 191.111.5/24".
Finally, traffic control policies are hierarchical, and the order of the policy in the policy list affects how
traffic is filtered. The first policy at the top of the list has the highest priority. The following examples
illustrate how priorities work for Untrusted->Trusted traffic control policies.
Example 1:
  - Priority 1: Deny Telnet
  - Priority 2: Allow All
Result: Only Telnet traffic is blocked and all other traffic is permitted.

Example 2 (priorities reversed):
  - Priority 1: Allow All
  - Priority 2: Deny Telnet
Result: All traffic is allowed, and the second policy blocking Telnet traffic is ignored.

Example 3:
  1. Allow TCP *.* 10.10.10.1/255.255.255.255
  2. Block TCP *.* 10.10.10.0/255.255.255.0
Result: Allow TCP access to 10.10.10.1 while blocking TCP access to everything else in the subnet
(10.10.10.*).
Local vs. Global Traffic Policies
Most traffic control policies are set globally for all Clean Access Servers using the Clean Access
Manager global forms. By adding local traffic policies in individual Clean Access Servers, you can
specialize filtering for the network managed by that CAS by extending policies defined globally.
This chapter describes the local traffic control policies configured on a CAS under Device Management
> CCA Servers > Manage [CAS_IP] > Filter > Roles.
Note that global policies appear with a yellow background while local policies appear with a white
background in the local list of traffic policies. To delete a policy, use the global or local form you used
to create it.
Global policies can only be accessed and modified from the User Management > User Roles > Traffic
Control global forms. For details, see the Cisco NAC Appliance - Clean Access Manager Installation
and Administration Guide.
Note: A local traffic control policy for a CAS takes precedence over a global policy for all Clean Access
Servers if the local policy has a higher priority.
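The ordering rules in Examples 1 to 3 above, and the local-over-global precedence described in the Note, are easy to get wrong when a list has more than a handful of entries. The following Python model is an added example written for this page; it is not Cisco's code and does not reproduce how the CAS implements its filter. It walks an ordered policy list top-down and lets the first matching entry decide, which is the behaviour the three examples describe. Two things are assumptions rather than statements from the guide: a flow that matches no policy at all is treated as blocked, and when a local and a global policy share the same priority number the sort leaves them in input order. The policy fields, the Policy class and the helper names are constructed for the example.

```python
"""First-match evaluator for ordered Untrusted->Trusted traffic control policies.

Constructed example, not Cisco NAC Appliance code. Policies are checked in list
order; the first one whose protocol, destination host/mask and port all match
the flow decides. Example 1-3 from the guide are encoded below as test data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

TELNET_PORT = 23


@dataclass(frozen=True)
class Policy:
    action: str           # "Allow" or "Block"
    protocol: str         # "TCP", "UDP" or "ALL"
    dst: str              # destination "host/mask" in the guide's notation, or "*" for any
    dst_port: str = "*"   # destination port as a string, or "*" for any
    scope: str = "local"  # "local" (set on this CAS) or "global" (set on the CAM)
    priority: int = 1     # 1 = highest priority, i.e. top of the list


def deny_telnet(scope: str = "local", priority: int = 1) -> Policy:
    """The guide's 'Deny Telnet' entry: block TCP to port 23 on any host."""
    return Policy("Block", "TCP", "*", str(TELNET_PORT), scope, priority)


def allow_all(scope: str = "local", priority: int = 1) -> Policy:
    """The guide's 'Allow All' entry."""
    return Policy("Allow", "ALL", "*", "*", scope, priority)


def matches(policy: Policy, protocol: str, dst_ip: str, dst_port: int) -> bool:
    """True when the flow falls inside the policy's protocol, host/mask and port."""
    if policy.protocol != "ALL" and policy.protocol != protocol:
        return False
    if policy.dst != "*":
        # ipaddress accepts the dotted-mask form used in the guide, e.g. 10.10.10.0/255.255.255.0
        network = ipaddress.ip_network(policy.dst, strict=False)
        if ipaddress.ip_address(dst_ip) not in network:
            return False
    if policy.dst_port != "*" and policy.dst_port != str(dst_port):
        return False
    return True


def decide(policies: Iterable[Policy], protocol: str, dst_ip: str, dst_port: int) -> str:
    """Walk the list from the top; the first matching policy decides.

    A flow that matches nothing is reported as "Block". That default is an
    assumption of this example, not a statement from the guide.
    """
    for policy in policies:
        if matches(policy, protocol, dst_ip, dst_port):
            return policy.action
    return "Block"


def effective_order(local: Iterable[Policy], global_: Iterable[Policy]) -> List[Policy]:
    """Merge a CAS's local policies with the CAM's global ones by priority number.

    This models the Note above: a local policy wins over a global one only when
    it carries the higher priority (the lower number). sorted() is stable, so
    entries with equal numbers keep their input order; the guide does not define
    that case, and this example does not claim to.
    """
    return sorted(list(local) + list(global_), key=lambda p: p.priority)


# The three examples from the guide, as ordered lists (constructed test data).
EXAMPLE_1 = [deny_telnet(priority=1), allow_all(priority=2)]
EXAMPLE_2 = [allow_all(priority=1), deny_telnet(priority=2)]
EXAMPLE_3 = [
    Policy("Allow", "TCP", "10.10.10.1/255.255.255.255", priority=1),
    Policy("Block", "TCP", "10.10.10.0/255.255.255.0", priority=2),
]


if __name__ == "__main__":
    print("Example 1, Telnet  :", decide(EXAMPLE_1, "TCP", "10.0.0.5", TELNET_PORT))
    print("Example 1, HTTP    :", decide(EXAMPLE_1, "TCP", "10.0.0.5", 80))
    print("Example 2, Telnet  :", decide(EXAMPLE_2, "TCP", "10.0.0.5", TELNET_PORT))
    print("Example 3, .1      :", decide(EXAMPLE_3, "TCP", "10.10.10.1", 22))
    print("Example 3, .7      :", decide(EXAMPLE_3, "TCP", "10.10.10.7", 22))
    merged = effective_order([deny_telnet("local", 1)], [allow_all("global", 2)])
    print("Local Deny Telnet (1) over global Allow All (2):",
          decide(merged, "TCP", "10.0.0.5", TELNET_PORT))
```

Running the script prints Block, Allow, Allow, Allow, Block and Block respectively, which is what the guide's result lines state. The last case shows the practical check the Note calls for: before relying on a local Block entry, confirm its priority number is lower than that of any global Allow entry that also matches the flow, otherwise the global entry decides first and the local one is never reached, exactly as in Example 2.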