Cisco Clean Access 3.5
Cisco Clean Access Server Installation and Administration Guide
OL-7045-01
Chapter 8 Local Traffic Control Policies
Alternatively, a traffic control policy can block traffic to a particular machine or limit users to particular
activities, such as email use or web browsing. Examples of policies are "deny access to the computer at
191.111.11.1" or "allow www communication from computers on subnet 191.111.5/24".
Finally, traffic control policies are hierarchical, and the order of the policy in the policy list affects how
traffic is filtered. The first policy at the top of the list has the highest priority. The following examples
illustrate how priorities work for Untrusted->Trusted traffic control policies.
Example 1:
• Priority 1: Deny Telnet
• Priority 2: Allow All
Result: Only Telnet traffic is blocked and all other traffic is permitted.
Example 2 (priorities reversed):
• Priority 1: Allow All
• Priority 2: Deny Telnet
Result: All traffic is allowed, and the second policy blocking Telnet traffic is ignored.
Example 3:
1. Allow TCP *.* 10.10.10.1/255.255.255.255
2. Block TCP *.* 10.10.10.0/255.255.255.0
Result: Allow TCP access to 10.10.10.1 while blocking TCP access to everything else in the subnet
(10.10.10.*).
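The first-match ordering in Examples 1-3 can be modelled as follows. This is an added example, not code from Cisco or from the product; the Policy tuple and all function names are hypothetical, Telnet is assumed to be TCP port 23, and evaluate() returns None when nothing matches because this page states no default. It goes one step beyond the examples by flagging policies that an earlier entry makes unreachable, as in Example 2.

```python
import ipaddress
from typing import NamedTuple, Optional

class Policy(NamedTuple):  # hypothetical model, not the product's data format
    action: str  # "allow" or "block"
    proto: str   # "tcp", "udp", or "*" for any protocol
    port: str    # destination port as text, or "*" for any port
    dest: str    # "address/netmask", or "*" for any destination

def _net(dest):
    # ip_network() accepts the dotted-netmask form used in Example 3
    return ipaddress.ip_network(dest, strict=False)

def matches(p, proto, port, dst):
    return (p.proto in ("*", proto) and p.port in ("*", str(port))
            and (p.dest == "*" or ipaddress.ip_address(dst) in _net(p.dest)))

def evaluate(policies, proto, port, dst) -> Optional[str]:
    """Action of the first (highest-priority) matching policy; None when
    nothing matches, since the page states no default."""
    for p in policies:  # list order is priority order
        if matches(p, proto, port, dst):
            return p.action
    return None

def covers(a, b):
    """True when every packet matched by b is also matched by a."""
    if a.proto not in ("*", b.proto) or a.port not in ("*", b.port):
        return False
    if a.dest == "*" or b.dest == "*":
        return a.dest == "*"
    return _net(b.dest).subnet_of(_net(a.dest))

def shadowed(policies):
    """1-based priorities of policies that can never take effect."""
    return [i + 1 for i, b in enumerate(policies)
            if any(covers(a, b) for a in policies[:i])]

# Constructed policy lists modelling Examples 1-3 (Telnet assumed TCP port 23)
EXAMPLE_1 = [Policy("block", "tcp", "23", "*"), Policy("allow", "*", "*", "*")]
EXAMPLE_2 = list(reversed(EXAMPLE_1))
EXAMPLE_3 = [Policy("allow", "tcp", "*", "10.10.10.1/255.255.255.255"),
             Policy("block", "tcp", "*", "10.10.10.0/255.255.255.0")]

if __name__ == "__main__":
    for name, pol in (("1", EXAMPLE_1), ("2", EXAMPLE_2), ("3", EXAMPLE_3)):
        print("Example", name, "shadowed priorities:", shadowed(pol))
```

Running shadowed() over a policy list after each reorder is a quick way to catch a deny rule that has slipped below a broader allow.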
Extending Global Policies
Most traffic control policies are set globally for all Clean Access Servers using the Clean Access
Manager global forms. By adding local traffic policies in individual Clean Access Servers, you can
specialize filtering for the network managed by that CAS by extending policies defined globally.
This chapter describes local traffic control policies configured under Device Management > CCA
Servers > Manage [CAS_IP] > Filter > Roles.
Note that global policies appear with a yellow background while local policies appear with a white
background in the local list of traffic policies. To delete a policy, use the global or local form you used
to create it.
Global policies can only be accessed and modified from the User Management > User Roles > Traffic
Control global forms. For details, see the Cisco Clean Access Manager Installation and Administration
Guide.
Note
A local traffic control policy for a CAS takes precedence over a global policy for all Clean Access
Servers if the local policy has a higher priority.