Cisco Catalyst SD-WAN Interfaces Configuration Guide, Releases 26.x and Later

Configure implicit ACL on loopback interfaces using CLI commands

This section explains how to configure an implicit ACL on a loopback interface from the CLI: create the loopback, make it a tunnel (transport) interface, permit or deny individual services, and optionally extend the protection to a physical interface that is bound to the loopback TLOC.

You can configure implicit ACL on loopback interfaces using a feature template or using a CLI Add-on template in Cisco SD-WAN Manager.

To configure implicit ACL on loopback interfaces using a feature template, see Configure VPN Ethernet Interface.

For information on using the CLI Add-On template, see Create a CLI Add-On Feature Template.

Procedure

1.

Configure a loopback interface that emulates an interface that is always up.

Example:


Device(config)# sdwan
Device(config)# interface Loopback100

Use the interface name format loopback<string>, where string can be any alphanumeric value and may include underscores (_) and hyphens (-). The total interface name, including the loopback prefix, can be up to 16 characters long. Because the CLI parses interface names flexibly, names such as lo0 and loopback0 are parsed as different strings and are not interchangeable. For the CLI to recognize an interface as a loopback interface, its name must begin with the full string loopback.

2.

Configure an interface as a secure transport connection.

Example:


Device(config)# tunnel-interface

3.

Permit or deny a service.

  • To permit all services, use the allow-service all command.

  • To permit a specific service, use the allow-service service-name command, where service-name is one of the services listed below (for example, dhcp).

  • To deny a specific service, use the no allow-service service-name command.

Example:


Device(config)# no allow-service bgp
Device(config)# allow-service dhcp

Starting from Cisco IOS XE Catalyst SD-WAN Release 17.16.1a, the allow-service all command on Cisco SD-WAN Controller applies only to the following services: bgp, dhcp, dns, https, icmp, netconf, ntp, ospf, sshd, and stun.

4.

Enable implicit ACL protection on a physical interface for incoming VPN 0 traffic.

Example:


Device(config)# implicit-acl-on-bind-intf

Use this command when a physical interface is not itself configured with a TLOC but is bound to the loopback TLOC interface; it applies the implicit ACL of the loopback tunnel interface to VPN 0 traffic arriving on that physical interface.

The following example shows an implicit ACL configured on a loopback interface.

sdwan interface Loopback100
  tunnel-interface
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
  exit
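The following Python script is an added example, not part of this Cisco documentation or of any Cisco tool. It parses a loopback tunnel-interface snippet such as the one above, applies the allow-service and no allow-service statements in order (with allow-service all expanded to the service list this page gives, and a later statement overriding an earlier one for the same service), and reports the effective allowed and denied services, the interface-naming rules from step 1, and whether implicit-acl-on-bind-intf is present. The service list, the case-insensitive matching of interface names, and both sample snippets (the page's own example plus a constructed permissive one using the name lo0) are assumptions of this example; the platform default for a service with no explicit statement is not modelled, it is only reported.

```python
# Added example (not Cisco code): audit a loopback tunnel-interface snippet for its
# effective implicit-ACL service set and check the naming rules this page states.
import re

# Service names this page lists for allow-service; anything else is flagged.
KNOWN_SERVICES = frozenset({"bgp", "dhcp", "dns", "https", "icmp", "netconf", "ntp", "ospf", "sshd", "stun"})
MAX_NAME_LEN = 16
# Assumption: interface names are matched case-insensitively (Loopback100 == loopback100).
NAME_RE = re.compile(r"^loopback[A-Za-z0-9_-]*$", re.IGNORECASE)
SERVICE_RE = re.compile(r"^(no\s+)?allow-service\s+(\S+)$")
INTF_RE = re.compile(r"^(?:sdwan\s+)?interface\s+(\S+)$")

def validate_loopback_name(name):
    """Return the naming problems for one interface name (empty list if it is valid)."""
    problems = []
    if not name.lower().startswith("loopback"):
        problems.append(f"{name!r} does not begin with 'loopback' and is not parsed as a loopback")
    elif not NAME_RE.match(name):
        problems.append(f"{name!r} contains characters other than letters, digits, '_' or '-'")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"{name!r} is {len(name)} characters long; the limit is {MAX_NAME_LEN}")
    return problems

def parse_tunnel_services(config_text):
    """Walk one 'interface <name> / tunnel-interface' block in order, as the CLI would.
    Returns (name, allowed, denied, bind_protect); 'allow-service all' expands to KNOWN_SERVICES."""
    name, allowed, denied = None, set(), set()
    bind_protect, in_tunnel = False, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := INTF_RE.match(line):
            name, in_tunnel = m.group(1), False
        elif line == "tunnel-interface":
            in_tunnel = True
        elif line == "exit":
            in_tunnel = False
        elif in_tunnel and line == "implicit-acl-on-bind-intf":
            bind_protect = True
        elif in_tunnel and (m := SERVICE_RE.match(line)):
            negate, svc = bool(m.group(1)), m.group(2)
            targets = set(KNOWN_SERVICES) if svc == "all" else {svc}
            if negate:          # later statements override earlier ones for the same service
                denied |= targets
                allowed -= targets
            else:
                allowed |= targets
                denied -= targets
    return name, allowed, denied, bind_protect

def audit(config_text):
    """Return the findings a reviewer would raise against the snippet (empty list = clean)."""
    name, allowed, denied, bind_protect = parse_tunnel_services(config_text)
    findings = [] if name else ["no interface statement found"]
    if name:
        findings += validate_loopback_name(name)
    for svc in sorted((allowed | denied) - KNOWN_SERVICES):
        findings.append(f"service {svc!r} is not in the allow-service list this page gives")
    for svc in sorted(KNOWN_SERVICES - allowed - denied):
        findings.append(f"service {svc!r} has no explicit allow/deny; the platform default applies")
    for svc in sorted(allowed & {"sshd", "netconf"}):
        findings.append(f"management service {svc!r} is permitted on the transport-facing TLOC")
    if not bind_protect:
        findings.append("implicit-acl-on-bind-intf is not set; a bound physical interface without its own TLOC is not covered")
    return findings

# Constructed sample: the page's own loopback example plus implicit-acl-on-bind-intf.
SAMPLE_CONFIG = """\
sdwan interface Loopback100
  tunnel-interface
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
   implicit-acl-on-bind-intf
  exit
"""

# Constructed weak sample: non-loopback name, 'allow-service all' narrowed only for bgp.
PERMISSIVE_CONFIG = """\
sdwan interface lo0
  tunnel-interface
   allow-service all
   no allow-service bgp
  exit
"""

if __name__ == "__main__":
    for label, cfg in (("page example", SAMPLE_CONFIG), ("permissive", PERMISSIVE_CONFIG)):
        print(label, parse_tunnel_services(cfg))
        print("  findings:", audit(cfg) or ["none"])
```

Run it with no arguments to see the page's example come back clean and the permissive snippet produce four findings: the lo0 name is not parsed as a loopback, sshd and netconf are reachable on the transport side, and the bound physical interface is not covered.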