topic Re: SGACLs SGT CTS What order are the rules processed and are they stateful/stateless in Network Access Control

SGACLs SGT CTS What order are the rules processed and are they stateful/stateless

gtuthill — Mon, 11 Mar 2019 07:08:48 GMT

Could any one please confirm my following assumptions about the processing of SGACLs.

a) SGACLs on a ASA firewall are stateful and processed as normal ACL's on a per interface basis ?

b) SGACLs on IOS are processed after normal Ingress ACL'a and before Egress ACL's and are stateless ?

Thanks in advance.

Re: SGACLs SGT CTS What order are the rules processed and are they stateful/stateless

mjessup — Fri, 14 Oct 2016 18:33:06 GMT

a) The ASA Firewall does not use SGACLs. The ASA can however make use of Security Groups and SGT in policies configured at the ASA. This is known as Security Group Firewall. SGACLs are role-based policies with further granularity provided by Access Control Entries within the SGACL. These are configured at ISE and distributed to switches today and other devices such as routers in the very near future. When a policy is created at the ASA (SGFW), they are stateful.

b) SGACLs in IOS are processed at egress. If a standard ACL and an SGACL are both present, the standard ACL is processed first and then the SGACL.

Re: SGACLs SGT CTS What order are the rules processed and are they stateful/stateless

kilcreas — Fri, 14 Oct 2016 19:53:23 GMT

Yeah Mike! Thanks for responding to the community question. I was just talking with Kevin R after our team meeting about getting more attention in the community!

Keti

Re: SGACLs SGT CTS What order are the rules processed and are they stateful/stateless

gtuthill — Fri, 14 Oct 2016 20:24:59 GMT

Many thanks for your response to my question, very much appreciated..