DACL vs SGACL ACL capabilities

Wes Schochet · ‎01-30-2020

Hi All-

We are looking at various methods of network segmentation. We initially implemented DACLs. My security guy is somewhat suspect of this as the DACL seems to only allow limits on traffic leaving the interface, not on traffic entering the interface. So now we are looking into SGTs and SGACLs as a remedy for this situation. The long term goal here is SDA, but we have some work to do before we are ready for that. We are working on TrustSec / SGTs as an intermediate step. My question is this, using TrustSec (and SDA for that matter) do I still only have limits on traffic leaving the interface?

balaji.bandi · ‎01-30-2020

Not sure I understand correctly?

Traffic Leaving the interface vs traffic entering the interface (is this a server? or end devices like desktop or PC)

again depends on the requirement and use case. ( so add a bit more information will be much useful)

there is a good explanation in this thread for help :

https://community.cisco.com/t5/other-security-subjects/dacl-vs-sgacl/m-p/2747660

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Wes Schochet · ‎01-31-2020

These are client devices, in our case medical devices. We want to control traffic going to and from them. In the DACL model, the device is always assumed to be the source correct? So do we have any control over traffic coming to the device in any of these segmentation models? Is control of incoming traffic to the device important? This is like ioT - we don’t want these devices to get infected or infect each other.

balaji.bandi · ‎02-01-2020

good white paper for medical device

https://www.cisco.com/c/dam/en/us/products/collateral/security/medical-nac-white-paper.pdf

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help