Cisco Cisco Prime Network Services Controller 3.2 Installation Guide
Task 6—Configuring Access Policies
Access policies prevent unauthorized access to resources. For example, ACL policies specify the criteria that enable or deny access
to a tenant and its resources.
to a tenant and its resources.
For more information, see the following topics:
•
Access Policy Best Practices, on page 37
•
Configuring an ACL Policy, on page 37
Access Policy Best Practices
Keep the following best practices in mind when configuring access policies:
• Identify, on paper, the services that you want to allow and the source of the service.
• Use objects groups whenever possible. That is, create logical groups of IP addresses, protocols, services, or ICMP types and
refer to these groups in your access lists.
• Apply the ACL on the interface closest to the source of the traffic.
• Put the ACLs that are matched more frequently before those matched less frequently. The sooner a matching rule is found, the
sooner the next packet can be handled.
• Organize your access list so that more specific references in a network or subnet appear before those that are more general.
• Include a deny ip any any rule implicitly at the end of any access list.
• Use ACLs and inspections for access control instead of relying on the lack of a NAT rule to prevent traffic.
In Prime Network Services Controller you can have up to eight instances of a single attribute in an ACL
rule or vZone. If there are more than eight instances specified, the configuration will fail when it is applied
to a VSG.
rule or vZone. If there are more than eight instances specified, the configuration will fail when it is applied
to a VSG.
Note
For information on NAT best practices, see
.
Configuring an ACL Policy
You can define criteria for ACL policies for the following attributes:
• Source conditions
• Destination conditions
• Service
• Protocol
• EtherType
• Time ranges or frequency
37