Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule
Add Global IP-Based Traffic Policies
8. Set the Category of the traffic as follows:
– ALL TRAFFIC (default)—The policy applies to all protocols and to all trusted and untrusted source and destination addresses.
– IP—If selected, the Protocol field displays as described below.
– IP FRAGMENT—By default, the Clean Access Manager blocks IP fragment packets, since they can be used in denial-of-service (DoS) attacks. To permit fragmented packets, define a role policy allowing them with this option.
9. The Protocol field appears if the IP Category is chosen, displaying the options listed below:
– CUSTOM:—Select this option to specify a different protocol number than the protocols listed in the Protocol dropdown menu.
– TCP (6)—Select for Transmission Control Protocol. TCP applications include HTTP, HTTPS, and Telnet.
– UDP (17)—Select for User Datagram Protocol, generally used for broadcast messages.
– ICMP (1)—Select for Internet Control Message Protocol. If selecting ICMP, also choose a Type from the dropdown menu.
– ESP (50)—Select for Encapsulated Security Payload, an IPsec subprotocol used to encrypt IP packet data, typically in order to create VPN tunnels.
– AH (51)—Select for Authentication Header, an IPsec subprotocol used to compute a cryptographic checksum to guarantee the authenticity of the IP header and packet.
10. In the Untrusted (IP/Mask:Port) field, specify the IP address and subnet mask of the untrusted
network to which the policy applies. An asterisk in the IP/Mask:Port fields means the policy applies
for any address/application.
If you chose TCP or UDP as the Protocol, also type the TCP/UDP port number for the application
in the Port text field.
Note You can specify individual ports, a port range, a combination of ports and port ranges, or
wildcards when configuring TCP/UDP ports. For example, you can specify port values such as:
“*” or “21, 1024-1100” or “1024-65535” to cover multiple ports in one policy. Refer to
http://www.iana.org/assignments/port-numbers for details on TCP/UDP port numbers.
11. In the Trusted (IP/Mask:Port) field, specify the IP address and subnet mask of the trusted network
to which the policy applies. An asterisk in the IP/Mask:Port fields means the policy applies for any
address/application. If you chose TCP or UDP as the Protocol, also type the TCP/UDP port number
for the application in the Port text field.
Note The traffic direction you select for viewing the list of policies (Untrusted -> Trusted or Trusted ->
Untrusted) sets the source and destination when you open the Add Policy form:
• The first IP/Mask/Port entry listed is the source.
• The second IP/Mask/Port entry listed is the destination.
12. Optionally, type a description of the policy in the Description field.
13. Click Add Policy when finished. If modifying a policy, click the Update Policy button.
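The following is an added example, not Cisco's code: a small matcher that evaluates an IP-based policy written in the Untrusted/Trusted "IP/Mask:Port" notation from steps 10 and 11, honouring the port syntax in the Note ("*", "21, 1024-1100", "1024-65535") and the source/destination rule tied to the viewing direction. The policy dictionary layout and the sample addresses are assumptions made for illustration, not the Clean Access Manager's internal representation.

```python
import ipaddress

# Added example (not Cisco's code). Port syntax and the "*" wildcard follow the
# guide; the policy dict layout is an assumption made for illustration.

def parse_ports(spec):
    """Port spec -> set of ports, or None for the '*' (any port) wildcard."""
    spec = spec.strip()
    if spec in ("", "*"):
        return None
    ports = set()
    for item in (s.strip() for s in spec.split(",")):
        lo, _, hi = item.partition("-")          # "21" or "1024-1100"
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port item: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports

def parse_endpoint(field):
    """'IP/Mask:Port' -> (ip_network or None for '*', port set or None)."""
    addr, _, port = field.partition(":")
    addr = addr.strip()
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    return net, parse_ports(port)

def endpoint_matches(endpoint, ip, port):
    net, ports = endpoint
    if net is not None and ipaddress.ip_address(ip) not in net:
        return False
    return ports is None or port in ports

def policy_matches(policy, direction, src_ip, src_port, dst_ip, dst_port):
    """Evaluate one policy for a flow. 'direction' is the list view the policy
    was added from: the first entry is the source, the second the destination."""
    if policy["direction"] != direction:
        return False
    if direction == "Untrusted -> Trusted":
        src, dst = policy["untrusted"], policy["trusted"]
    else:
        src, dst = policy["trusted"], policy["untrusted"]
    return (endpoint_matches(parse_endpoint(src), src_ip, src_port)
            and endpoint_matches(parse_endpoint(dst), dst_ip, dst_port))

# Constructed sample policy: FTP control plus a passive range from one user
# subnet to a single trusted server; any other flow does not match.
SAMPLE_POLICY = {
    "direction": "Untrusted -> Trusted",
    "untrusted": "10.10.20.0/255.255.255.0:*",
    "trusted": "192.0.2.10/255.255.255.255:21, 1024-1100",
    "protocol": "TCP (6)",
}
```

A flow that does not match any policy falls through to the role's default behaviour, so the matcher returning False is the interesting case to check when a rule "does not seem to work".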