8-2
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule
Overview
Cisco NAC Appliance offers three types of traffic policies:
• IP-based policies—IP-based policies are fine-grained and flexible and can stop traffic in any number of ways. IP-based policies are intended for any role and allow you to specify IP protocol numbers as well as source and destination port numbers. For example, you can create an IP-based policy to pass through IPSec traffic to a particular host while denying all other traffic.
• Host-based policies—Host-based policies are less flexible than IP-based policies, but have the advantage of allowing traffic policies to be specified by host name or domain name when a host has multiple or dynamic IP addresses. Host-based policies are intended to facilitate traffic policy configuration primarily for Agent Temporary and Quarantine roles and should be used for cases where the IP address for a host is continuously changing or if a host name can resolve to multiple IPs.
• Layer 2 Ethernet traffic policies—To support data transfer or similar operations originating at the Layer 2 level, Cisco NAC Appliance Layer 2 Ethernet traffic control policies enable you to allow or deny Layer 2 Ethernet traffic through the CAS based on the type of traffic. Network frames other than IP, ARP, and RARP frames constitute standard Layer 2 traffic.
Note: Layer 2 Ethernet traffic control only applies to Clean Access Servers operating in Virtual Gateway mode.
Traffic control policies are directional. IP-based and Layer 2 Ethernet traffic policies can allow or block traffic moving from the untrusted (managed) network to the trusted network, or from the trusted network to the untrusted network. Host-based policies allow traffic from the untrusted network to the specified host and to the trusted DNS server specified for the policy.
By default, when you create a new user role:
• All traffic from the untrusted network to the trusted network is blocked.
• All traffic from the trusted network to the untrusted network is allowed.
You must create policies to allow traffic as appropriate for the role. Alternatively, you can configure traffic control policies to block traffic to a particular machine or limit users to particular activities, such as email use or web browsing. Examples of traffic policies are:
• deny access to the computer at 191.111.11.1, or
• allow www communication from computers on subnet 191.111.5/24
Traffic Policy Priority
Finally, the order of the traffic policy in the policy list affects how traffic is filtered. The first policy at the top of the list has the highest priority. The following examples illustrate how priorities work for Untrusted->Trusted traffic control policies.
Example 1:
1. Deny Telnet
2. Allow All
Result: Only Telnet traffic is blocked and all other traffic is permitted.
Example 2 (priorities reversed):
1. Allow All
2. Deny Telnet
Result: All traffic is allowed, and the second policy blocking Telnet traffic is ignored.
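The following added example (not Cisco code, and not the CAS implementation) models the first-match, top-down semantics described above for Untrusted->Trusted policies, reproduces both examples, and adds a shadowing check that flags a policy which can never be reached because an earlier policy already covers it. The Policy fields (action, protocol, dst_port) and the default-deny fallback are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    """Simplified Untrusted->Trusted policy (constructed model, not the CAM schema)."""
    action: str                     # "allow" or "deny"
    protocol: str = "any"           # "tcp", "udp" or "any"
    dst_port: Optional[int] = None  # None matches any destination port

    def matches(self, protocol: str, dst_port: int) -> bool:
        if self.protocol != "any" and self.protocol != protocol:
            return False
        return self.dst_port is None or self.dst_port == dst_port

    def covers(self, other: "Policy") -> bool:
        """True if every packet matched by `other` is also matched by this policy."""
        return (self.protocol in ("any", other.protocol)
                and self.dst_port in (None, other.dst_port))


def evaluate(policies: List[Policy], protocol: str, dst_port: int) -> str:
    """Walk the ordered list from the top; the first matching policy decides.
    New roles block all Untrusted->Trusted traffic, so no match means deny."""
    for policy in policies:
        if policy.matches(protocol, dst_port):
            return policy.action
    return "deny"


def shadowed(policies: List[Policy]) -> List[int]:
    """Indexes of policies that are never consulted because an earlier,
    higher-priority policy already covers everything they would match."""
    return [i for i, p in enumerate(policies)
            if any(q.covers(p) for q in policies[:i])]


# Telnet is TCP/23; "Allow All" matches any protocol and port.
DENY_TELNET = Policy("deny", "tcp", 23)
ALLOW_ALL = Policy("allow")
EXAMPLE_1 = [DENY_TELNET, ALLOW_ALL]   # Deny Telnet, then Allow All
EXAMPLE_2 = [ALLOW_ALL, DENY_TELNET]   # priorities reversed

if __name__ == "__main__":
    for name, plist in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, "telnet ->", evaluate(plist, "tcp", 23),
              "| http ->", evaluate(plist, "tcp", 80),
              "| shadowed policies:", shadowed(plist))
```

Running the block shows Example 1 denying Telnet while allowing HTTP, and Example 2 allowing both with policy index 1 (Deny Telnet) reported as shadowed.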