The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
For network scenarios that require a secure connection between a network device running the SD-AVC agent, and the SD-AVC Network Service, you can optionally encrypt the SD-AVC communication between agent and Network Service using IPsec tunnels, and control device access using access control lists (ACL), as described in the sections that follow.
The SD-AVC Network Service runs as a virtual service on a Cisco device serving as a host platform. The host platform requires connectivity with the service through a virtual interface called VirtualPortGroup. The virtual service communicates with the host over this virtual interface, using SSH on TCP port 22.
The SD-AVC network service operates as a virtualized component on a host device. To secure the connection between the host device and the SD-AVC network service, use the following:
interface VirtualPortGroup31
ip unnumbered GigabitEthernet1
ip access-group sd-avc-acl in
ip access-list extended acl-name
permit tcp host SD-AVC-virtual-service-IP host host-router-IP eq 22
permit tcp host host-router-IP eq 22 SD-AVC-virtual-service-IP
Example using ACL:
interface VirtualPortGroup31 ip unnumbered GigabitEthernet1 ip access-group sd-avc-acl in ip access-list extended sd-avc-acl !! Configure SSH connection between the sd-avc-network-service to the hosted router permit tcp host 10.56.196.232 host 10.56.196.231 eq 22 permit tcp host 10.56.196.231 eq 22 host 10.56.196.231
Network devices operating with SD-AVC communicate with a central SD-AVC Network Service. Ensure that ports, firewall policy, and so on, are configured to enable communication between the SD-AVC agents and SD-AVC Network Service(s) (see Configuring Connectivity).
On the device hosting the SD-AVC Network Service, configure the UDP and TCP access control lists, as follows.
Note | When using ACLs, only configured addresses will have access to the device hosting the SD-AVC Network Service. |
UDP
The following syntax is presented for reference. For complete information about configuring ACL, see the documentation for your platform.
permit udp [ host source-agent-ip | source-agent-network source-wildcard ] host sd-avc-network-service-ip eq 50000
Example: Configuring port 50000 for UDP traffic for a range of devices (10.56.0.0 to 255).
permit udp 10.56.0.0 0.0.255.255 host 10.56.196.232 eq 50000 permit udp host 10.56.196.232 eq 50000 10.56.0.0 0.0.255.255
TCP
The following syntax is presented for reference. For complete information about configuring ACL, see the documentation for your platform.
permit tcp [ host source-agent-ip | source-agent-network source-wildcard ] host sd-avc-network-service-ip [eq port | range port-range-start port-range-end]
Example: Configuring required ports (20, 21, 50000-60000) for TCP traffic for a range of devices (10.56.0.0 to 255).
permit tcp 10.56.0.0 0.0.255.255 host 10.56.196.232 eq 20 permit tcp host 10.56.196.232 eq 20 10.56.0.0 0.0.255.255 permit tcp 10.56.0.0 0.0.255.255 host 10.56.196.232 eq 21 permit tcp host 10.56.196.232 eq 21 10.56.0.0 0.0.255.255 permit tcp 10.56.0.0 0.0.255.255 host 10.56.196.232 range 50000 60000 permit tcp host 10.56.196.232 range 50000 60000 10.56.0.0 0.0.255.255
For network scenarios that require an encrypted connection between a network device running the SD-AVC agent, and the SD-AVC Network Service, set up IPsec tunnels to handle this communication.
For information about configuring Cisco IOS IPsec VPN connections, see Cisco IOS IPsec.
Access to the SD-AVC Dashboard requires access to the device hosting the SD-AVC Network Service, and involves TCP traffic through port 8443. Ensure that network policty (firewall, ACL, and so on) permits this connectivity for devices requiring access to the SD-AVC Dashboard.
On the device hosting the SD-AVC Network Service, configure the access control list as follows, to enable specific devices to connect to the SD-AVC Dashboard.
The following syntax is presented for reference. For complete information about configuring ACL, see the documentation for your platform.
ip access-list extended sd-avc-acl
permit tcp any host sd-avc-network-service-ip eq 8443
permit tcp host source-agent-ip eq 8443 any
Example: Configure PC access to SD-AVC Dashboard.
ip access-list extended sd-avc-acl permit tcp any host 10.56.196.232 eq 8443 permit tcp host 10.56.196.232 eq 8443 any
The following example configures connectivity for a newly installed SD-AVC Network Service, hosted on a platform with the address 10.56.196.232, and a range of devices in the network that are operating with SD-AVC.
Because the SD-AVC Network Service is newly installed, the first section of the example configures connectivity between the host and the SD-AVC virtual service.
Platform hosting the SD-AVC virtual service: 10.56.196.232
Network devices operating with SD-AVC, connecting to the SD-AVC Network Service: Address range 10.56.0.0 0.0.255.255
In this example, any PC may be used to connect to the SD-AVC Dashboard.
!! Enables extended ACL ip access-list extended sd-avc-acl !! Configure SSH connection between the sd-avc-network-service to the hosted router permit tcp host 10.56.196.232 host 10.56.196.231 eq 22 permit tcp host 10.56.196.231 eq 22 host 10.56.196.231 !! Configure access to the SD-AVC Dashboard permit tcp any host 10.56.196.232 eq 8443 permit tcp host 10.56.196.232 eq 8443 any !! Configure access between SD-AVC Network Service and Agents - UDP permit udp 10.56.0.0 0.0.255.255 host 10.56.196.232 eq 50000 permit udp host 10.56.196.232 eq 50000 10.56.0.0 0.0.255.255 !! Configure access between SD-AVC Network Service and Agents - TCP permit tcp 10.56.0.0 0.0.255.255 host 10.56.196.232 eq 20 permit tcp host 10.56.196.232 eq 20 10.56.0.0 0.0.255.255 permit tcp 10.56.0.0 0.0.255.255 host 10.56.196.232 eq 21 permit tcp host 10.56.196.232 eq 21 10.56.0.0 0.0.255.255 permit tcp 10.56.0.0 0.0.255.255 host 10.56.196.232 range 50000 60000 permit tcp host 10.56.196.232 range 50000 60000 10.56.0.0 0.0.255.255 !! Configure connectivity between host and SD-AVC Network Service (virtual service) interface VirtualPortGroup31 ip access-group sd-avc-acl in