3.10 Firewall Rules Summary¶
3.10.1 Perimeter Firewall Rules¶
| Rule # | Source | Destination | Port | Protocol | Action | Description |
|---|---|---|---|---|---|---|
| 1 | Any | DNAC Cluster VIP | 443 | TCP | Permit | DNAC GUI access |
| 2 | Any | ISE PSN | 443, 8443 | TCP | Permit | ISE portal access |
| 3 | DNAC | ISE | 9060, 443 | TCP | Permit | DNAC-ISE integration |
| 4 | ISE | AD Servers | 389, 636 | TCP | Permit | LDAP/LDAPS |
| 5 | Fabric Nodes | ISE PSN | 1812, 1813 | UDP | Permit | RADIUS |
| 6 | ISE | Fabric Nodes | Any | TCP/UDP | Permit | CoA, SXP |
| 7 | Employees | Internet | 443, 80 | TCP | Permit | Web access |
| 8 | Guests | Proxy | 8080 | TCP | Permit | Guest internet |
| 9 | Any | CDE VN | Any | Any | Deny | Block direct CDE access |
| 10 | Jump Server | CDE VN | 22, 3389 | TCP | Permit | Admin access only |
3.10.2 SD-WAN Transport Security Rules¶
Internet Transport Security (Direct Internet Access)
| Rule # | Source | Destination | Port | Protocol | Action | Description |
|---|---|---|---|---|---|---|
| 1 | SD-WAN Edge | vBond | 12346-12446 | UDP | Permit | DTLS control |
| 2 | SD-WAN Edge | vSmart | 12346-12446 | UDP | Permit | OMP control |
| 3 | SD-WAN Edge | vManage | 443, 8443 | TCP | Permit | Management |
| 4 | SD-WAN Edge | SD-WAN Edges | 12346-12446 | UDP | Permit | IPsec data |
| 5 | SD-WAN Edge | NTP Servers | 123 | UDP | Permit | Time sync |
| 6 | SD-WAN Edge | DNS Servers | 53 | UDP/TCP | Permit | Name resolution |
| 7 | Corp Users (DIA) | Internet | 443, 80 | TCP | Permit | Direct web (limited) |
| 8 | Guest Users | Internet | 443, 80 | TCP | Permit | Guest breakout |
| 9 | Any | SD-WAN Edge (WAN) | Any | Any | Deny | Block inbound |
5G/LTE Transport Security
| Rule # | Source | Destination | Port | Protocol | Action | Description |
|---|---|---|---|---|---|---|
| 1 | SD-WAN Edge | vBond | 12346-12446 | UDP | Permit | DTLS control |
| 2 | SD-WAN Edge | SD-WAN Edges | 12346-12446 | UDP | Permit | IPsec tunnels |
| 3 | Any | SD-WAN Edge (LTE) | Any | Any | Deny | Block all inbound |
SD-WAN Control Plane Security
| Component | Security Requirement | Implementation |
|---|---|---|
| vBond | Certificate authentication | PKI with enterprise CA |
| vSmart | OMP encryption | AES-256 |
| vManage | Admin authentication | RADIUS/TACACS+ to ISE |
| Data Plane | IPsec tunnels | AES-256-GCM, IKEv2 |
| Service VPN | VRF isolation | Per-VPN routing tables |
3.10.3 SD-WAN Edge Firewall Zones¶
┌─────────────────────────────────────────────────────────────────────────────┐
│ SD-WAN EDGE ZONE-BASED SECURITY │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────┐ ┌─────────────┐ │
│ │ VPN 0 │ │ VPN 10 │ │
│ │ (Transport) │ │ (Corporate) │ │
│ │ ┌─────────┐ │ │ ┌─────────┐ │ │
│ │ │ MPLS │ │◄──── IPsec Tunnels ────────►│ │ Users │ │ │
│ │ │ Internet│ │ (Encrypted) │ │ Servers │ │ │
│ │ │ 5G/LTE │ │ │ │ │ │ │
│ │ └─────────┘ │ │ └─────────┘ │ │
│ └──────┬──────┘ └──────┬──────┘ │
│ │ │ │
│ │ Zone-Based Firewall │ │
│ │ (Inter-VPN Filtering) │ │
│ │ │ │
│ ┌──────┴──────┐ ┌──────┴──────┐ │
│ │ VPN 40 │ │ VPN 50 │ │
│ │ (Guest) │ │ (IoT) │ │
│ │ │ │ │ │
│ │ DIA Allowed │ │ No DIA │ │
│ │ (Filtered) │ │ Cloud Only │ │
│ └─────────────┘ └─────────────┘ │
│ │
│ ZONE PAIR POLICIES: │
│ • VPN10 ↔ VPN10: Permit (same VPN) │
│ • VPN10 → VPN0: Permit (to WAN tunnels) │
│ • VPN40 → Internet: Permit with URL filtering │
│ • VPN50 → VPN0: Permit (cloud destinations only) │
│ • VPN40 → VPN10: Deny (guest isolation) │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
3.10.4 Branch Internet Breakout Security¶
For branches with Direct Internet Access (DIA):
| Security Control | Implementation | Location |
|---|---|---|
| URL Filtering | Cisco Umbrella | Cloud |
| DNS Security | Umbrella DNS | Cloud |
| Malware Protection | Umbrella SIG | Cloud |
| IPS | UTD on SD-WAN Edge | Edge |
| SSL Inspection | Umbrella SIG | Cloud |
| DLP | Microsoft Defender | Endpoint |
Umbrella Integration Configuration
# SD-WAN Edge Umbrella Integration (via vManage template)
Umbrella_Config:
Registration_Token: <umbrella_token>
Local_Domain_Bypass:
- corp.local
- internal.company.com
DNS_Redirect: Enabled
# Traffic Steering for DIA
DIA_Policy:
Match:
- Guest VPN (40)
- SaaS Applications (O365, Salesforce)
Action: Local Internet Exit
Security: Umbrella SIG