Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2550
Views
5
Helpful
3
Replies

SGACLs SGT CTS What order are the rules processed and are they stateful/stateless

Go to solution
gtuthill
Level 1
Level 1

‎10-13-2016 02:22 AM - edited ‎03-11-2019 12:08 AM

Could any one please confirm my following assumptions about the processing of SGACLs.

a) SGACLs on a ASA firewall are stateful and processed as normal ACL's on a per interface basis ?

b) SGACLs on IOS are processed  after normal  Ingress ACL'a and before Egress ACL's and are stateless ?

Thanks in advance.

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
mjessup
Cisco Employee
Cisco Employee

‎10-14-2016 11:33 AM

a) The ASA Firewall does not use SGACLs. The ASA can however make use of Security Groups and SGT in policies configured at the ASA. This is known as Security Group Firewall. SGACLs are role-based policies with further granularity provided by Access Control Entries within the SGACL. These are configured at ISE and distributed to switches today and other devices such as routers in the very near future. When a policy is created at the ASA (SGFW), they are stateful.

b) SGACLs in IOS are processed at egress. If a standard ACL and an SGACL are both present, the standard ACL is processed first and then the SGACL.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
mjessup
Cisco Employee
Cisco Employee

‎10-14-2016 11:33 AM

a) The ASA Firewall does not use SGACLs. The ASA can however make use of Security Groups and SGT in policies configured at the ASA. This is known as Security Group Firewall. SGACLs are role-based policies with further granularity provided by Access Control Entries within the SGACL. These are configured at ISE and distributed to switches today and other devices such as routers in the very near future. When a policy is created at the ASA (SGFW), they are stateful.

b) SGACLs in IOS are processed at egress. If a standard ACL and an SGACL are both present, the standard ACL is processed first and then the SGACL.

0 Helpful

Go to solution
kilcreas
Cisco Employee
Cisco Employee
In response to mjessup

‎10-14-2016 12:53 PM

Yeah Mike! Thanks for responding to the community question. I was just talking with Kevin R after our team meeting about getting more attention in the community!

Keti

0 Helpful

Go to solution
gtuthill
Level 1
Level 1
In response to mjessup

‎10-14-2016 01:24 PM

Many thanks for your response to my question, very much appreciated..

0 Helpful
Customers Also Viewed These Support Documents