cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
649
Views
0
Helpful
3
Replies
Highlighted
Beginner

DACL vs SGACL ACL capabilities

Hi All-

 

We are looking at various methods of network segmentation.  We initially implemented DACLs.  My security guy is somewhat suspect of this as the DACL seems to only allow limits on traffic leaving the interface, not on traffic entering the interface.  So now we are looking into SGTs and SGACLs as a remedy for this situation.  The long term goal here is SDA, but we have some work to do before we are ready for that.  We are working on TrustSec / SGTs as an intermediate step.  My question is this, using TrustSec (and SDA for that matter) do I still only have limits on traffic leaving the interface?

 

 

 

3 REPLIES 3
Highlighted
VIP Mentor

Not sure I understand correctly?

 

Traffic Leaving the interface vs traffic entering the interface (is this a server? or end devices like desktop or PC)

again depends on the requirement and use case. ( so add a bit more information will be much useful)

 

there is a good explanation in this thread for help :

 

https://community.cisco.com/t5/other-security-subjects/dacl-vs-sgacl/m-p/2747660

 

 

BB
*** Rate All Helpful Responses ***
Highlighted

These are client devices, in our case medical devices. We want to control traffic going to and from them. In the DACL model, the device is always assumed to be the source correct? So do we have any control over traffic coming to the device in any of these segmentation models? Is control of incoming traffic to the device important? This is like ioT - we don’t want these devices to get infected or infect each other.
Highlighted

good white paper for medical device 

 

https://www.cisco.com/c/dam/en/us/products/collateral/security/medical-nac-white-paper.pdf

BB
*** Rate All Helpful Responses ***