BMS Downloadable ACLs
DACL Strategy
- Deny by default: end every DACL with an explicit deny ip any any
- Permit only the protocols and ports the device actually needs
- Restrict destinations to the BMS VLAN (plus the few IT services a controller needs, such as DNS and NTP)
- Allow management access (SSH/HTTPS/BACnet) from supervisor workstations only
Sample DACLs
BMS-HVAC-DACL
remark BACnet/IP (UDP 47808) to and from the BMS VLAN only; the source is always any (the switch substitutes the endpoint IP)
permit udp any 10.100.0.0 0.0.255.255 eq 47808
permit udp any eq 47808 10.100.0.0 0.0.255.255
remark HTTPS to the BMS management server
permit tcp any host 10.100.1.10 eq 443
remark DNS
permit udp any host 10.50.1.50 eq 53
remark NTP
permit udp any host 10.50.1.1 eq 123
remark Deny everything else (source-port-only ACEs such as "permit udp any eq 47808 any" are avoided: any endpoint can pick that source port to reach anything)
deny ip any any log
BMS-Supervisor-DACL
remark SSH/HTTPS to BMS devices
permit tcp any 10.100.0.0 0.0.255.255 eq 22
permit tcp any 10.100.0.0 0.0.255.255 eq 443
remark BACnet/IP management
permit udp any 10.100.0.0 0.0.255.255 eq 47808
remark IT network access (all protocols; tighten to the services supervisors actually use)
permit ip any 10.50.0.0 0.0.255.255
remark Internet only via the proxy (already matched by the 10.50.0.0/16 permit above; kept to document intent)
permit tcp any host 10.50.1.5 eq 3128
remark Deny direct internet and everything else
deny ip any any log
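The strategy bullets above are easy to violate with a single over-broad ACE, and ISE's syntax check only validates syntax, not intent. The following added example (written for this page; not ISE, Cisco or the page's own code) lints a DACL in IOS extended-ACE syntax against those rules before it is pasted into ISE: explicit final deny, source always any, no all-protocol permits, and no unrestricted destinations (including the source-port-only pattern). It assumes the 10.100.0.0/16 BMS VLAN and 10.50.0.0/16 IT range used in the samples; the two DACL strings are constructed sample input.

```python
"""Lint an ISE downloadable ACL (IOS extended-ACE syntax) against the BMS DACL strategy."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed address plan, taken from the sample DACLs above (not from ISE or Cisco).
BMS_NET = ipaddress.ip_network("10.100.0.0/16")
IT_NET = ipaddress.ip_network("10.50.0.0/16")
ALLOWED_DST = (BMS_NET, IT_NET)

PORT_OPS = {"eq", "neq", "gt", "lt"}


@dataclass
class Ace:
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Network]   # None means 'any'
    src_port: Optional[str]
    dst: Optional[ipaddress.IPv4Network]   # None means 'any'
    dst_port: Optional[str]
    log: bool
    raw: str


def _addr(tokens: List[str]) -> Optional[ipaddress.IPv4Network]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    if wildcard == "0.0.0.0":            # IOS wildcard 0.0.0.0 is a single host
        return ipaddress.ip_network(tok + "/32")
    # ipaddress accepts an IOS-style wildcard (hostmask) after the slash
    return ipaddress.ip_network(f"{tok}/{wildcard}", strict=False)


def _port(tokens: List[str]) -> Optional[str]:
    """Consume an optional port match ('eq 443', 'range 1 1024', ...)."""
    if tokens and tokens[0] in PORT_OPS:
        return f"{tokens.pop(0)} {tokens.pop(0)}"
    if tokens and tokens[0] == "range":
        return f"{tokens.pop(0)} {tokens.pop(0)} {tokens.pop(0)}"
    return None


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, src_port = _addr(rest), _port(rest)
    dst, dst_port = _addr(rest), _port(rest)
    return Ace(action, proto, src, src_port, dst, dst_port, "log" in rest, line)


def parse_dacl(text: str) -> List[Ace]:
    """Parse DACL text, skipping blank lines and remark/! comment lines."""
    return [parse_ace(l.strip()) for l in text.splitlines()
            if l.strip() and not l.strip().startswith(("remark", "!"))]


def lint_dacl(text: str, allowed_dst=ALLOWED_DST) -> List[str]:
    """Return a list of findings; an empty list means the DACL follows the strategy."""
    aces = parse_dacl(text)
    findings = []
    last = aces[-1] if aces else None
    if not (last and last.action == "deny" and last.proto == "ip"
            and last.src is None and last.dst is None):
        findings.append("last ACE is not an explicit 'deny ip any any'")
    for a in aces:
        if a.src is not None:
            findings.append(f"source must be 'any' (switch substitutes the endpoint IP): {a.raw}")
        if a.action != "permit":
            continue
        if a.proto == "ip":
            findings.append(f"all-protocol permit, narrow to required ports: {a.raw}")
        if a.dst is None:
            if a.src_port and not a.dst_port:
                findings.append("source-port-only match to any destination; "
                                f"any endpoint can pick that source port: {a.raw}")
            else:
                findings.append(f"destination not restricted to a network: {a.raw}")
        elif not any(a.dst.subnet_of(net) for net in allowed_dst):
            findings.append(f"destination outside BMS/IT ranges: {a.raw}")
    return findings


# Constructed samples: an HVAC DACL with two over-broad BACnet lines, and the tightened version.
WEAK_HVAC = """\
remark Allow BACnet
permit udp any any eq 47808
permit udp any eq 47808 any
permit tcp any host 10.100.1.10 eq 443
permit udp any host 10.50.1.50 eq 53
permit udp any host 10.50.1.1 eq 123
deny ip any any log
"""

HARDENED_HVAC = """\
remark BACnet/IP to and from the BMS VLAN only
permit udp any 10.100.0.0 0.0.255.255 eq 47808
permit udp any eq 47808 10.100.0.0 0.0.255.255
permit tcp any host 10.100.1.10 eq 443
permit udp any host 10.50.1.50 eq 53
permit udp any host 10.50.1.1 eq 123
deny ip any any log
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_HVAC), ("hardened", HARDENED_HVAC)):
        print(name, lint_dacl(text) or "OK")
```

Run it over each DACL before creating it in ISE; the weak draft reports the unrestricted BACnet permit and the source-port-only ACE, the hardened version reports nothing. Extend ALLOWED_DST if the site's address plan differs from the sample.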
Deploying DACLs
- Navigate to Policy > Policy Elements > Results > Authorization > Downloadable ACLs
- Click Add
- Enter the name and the ACL content (source is always any; the switch substitutes the endpoint's IP when it installs the ACEs), then run Check DACL Syntax before saving
- Reference the DACL in an Authorization Profile (Common Tasks > DACL Name) and use that profile in the Policy Set authorization rule that matches the BMS endpoint group
Verification
# Check the applied DACL on the switch (the dACL appears as xACSACLx-IP-<name>-<hash>)
show authentication session interface Gi1/0/1 details
# Same check on IOS-XE with the new-style (IBNS 2.0) CLI
show access-session interface Gi1/0/1 details
# Show the ACEs actually installed on the port
show ip access-lists interface Gi1/0/1 in
# Verify via ISE Live Sessions (the session should show the authorization profile and DACL name)
# Work Centers > Network Access > Live Sessions, or Operations > RADIUS > Live Sessions