https://community.cisco.com/t5/network-access-control/trustsec-sgacl/m-p/4615639#M574919 <P>Hi All,</P><P>&nbsp;</P><P>I am currently lab testing TrustSec and I have a question regarding the use and configuration of SGACLs.</P><P>&nbsp;</P><P>For basic testing I have an SGT named 'Monitoring_Servers' and an SGT named 'Clients'. I want to configured an SGACL and Policy to allow the Monitoring_Servers to access the Clients using TCP/SSH but deny all traffic from the Clients to the Monitoring_Servers.</P><P>&nbsp;</P><P>Based on my testing SGACLs seem to be stateless so I need two SGACLs and two policies to achieve the above</P><P>&nbsp;</P><P>SGACL: ACL_Monitoring_Servers_to_Clients</P><P>permit tcp dst eq 22 log<BR />deny ip log</P><P>&nbsp;</P><P>SGACL: ACL_Clients_to_Monitoring_Servers</P><P>permit tcp src eq 22 log<BR />deny ip log</P><P>&nbsp;</P><P>Policy</P><P>1 - Monitoring_Servers to Clients -&gt;&nbsp; ACL_Monitoring_Servers_to_Clients</P><P>2 - Clients to Monitoring_Servers -&gt;&nbsp;ACL_Clients_to_Monitoring_Servers</P><P>&nbsp;</P><P>Is this the correct approach to achieve what I need?</P> Mon, 23 May 2022 16:48:59 GMT dm2020 2022-05-23T16:48:59Z https://community.cisco.com/t5/network-access-control/trustsec-sgacl/m-p/4615639#M574919 <P>Hi All,</P><P>&nbsp;</P><P>I am currently lab testing TrustSec and I have a question regarding the use and configuration of SGACLs.</P><P>&nbsp;</P><P>For basic testing I have an SGT named 'Monitoring_Servers' and an SGT named 'Clients'. I want to configured an SGACL and Policy to allow the Monitoring_Servers to access the Clients using TCP/SSH but deny all traffic from the Clients to the Monitoring_Servers.</P><P>&nbsp;</P><P>Based on my testing SGACLs seem to be stateless so I need two SGACLs and two policies to achieve the above</P><P>&nbsp;</P><P>SGACL: ACL_Monitoring_Servers_to_Clients</P><P>permit tcp dst eq 22 log<BR />deny ip log</P><P>&nbsp;</P><P>SGACL: ACL_Clients_to_Monitoring_Servers</P><P>permit tcp src eq 22 log<BR />deny ip log</P><P>&nbsp;</P><P>Policy</P><P>1 - Monitoring_Servers to Clients -&gt;&nbsp; ACL_Monitoring_Servers_to_Clients</P><P>2 - Clients to Monitoring_Servers -&gt;&nbsp;ACL_Clients_to_Monitoring_Servers</P><P>&nbsp;</P><P>Is this the correct approach to achieve what I need?</P> Mon, 23 May 2022 16:48:59 GMT https://community.cisco.com/t5/network-access-control/trustsec-sgacl/m-p/4615639#M574919 dm2020 2022-05-23T16:48:59Z https://community.cisco.com/t5/network-access-control/trustsec-sgacl/m-p/4620618#M575079 <P>Yes, sounds correct.</P> <P>Also see <A href="https://cs.co/ise-resources#Segmentation" target="_blank">https://cs.co/ise-resources#Segmentation</A> &gt; <A href="https://community.cisco.com/t5/security-documents/group-based-policy-fundamentals/ta-p/3764433" target="_self">Group Based Policy Fundamentals</A> for background in TrustSec that should help.</P> Mon, 30 May 2022 14:56:41 GMT https://community.cisco.com/t5/network-access-control/trustsec-sgacl/m-p/4620618#M575079 thomas 2022-05-30T14:56:41Z