Configure implicit ACL on loopback interfaces using CLI commands

Updated: April 24, 2026

Want to summarize with AI?

Provides instructions for configuring implicit ACLs on loopback interfaces, guiding users through the necessary steps and considerations for securing network devices.

You can configure implicit ACL on loopback interfaces using a feature template or using a CLI Add-on template in Cisco SD-WAN Manager.

To configure implicit ACL on loopback interfaces using a feature template, see Configure VPN Ethernet Interface.

For information on using the CLI Add-On template, see Create a CLI Add-On Feature Template.

Procedure

	1.	Configure a loopback interface that emulates an interface that is always up. Example: `Device(config)# sdwan Device(config)# interface Loopback100` Use the interface name format loopback string , where string can be any alphanumeric value and may include underscores (_) and hyphens (–). The total interface name, including loopback , can be up to 16 characters long. Because of the flexibility of interface naming in the CLI, interfaces such as lo0 and loopback0 are parsed as different strings and are not interchangeable. For the CLI to recognize an interface as a loopback interface, its name must begin with the full string loopback .
	2.	Configure an interface as a secure transport connection. Example: `Device(config)# tunnel-interface`
	3.	Permit or deny a service. To permit all the services, use the allow-service all command. To permit a specific service, use the allow-service service name command. To deny a service, use the no allow-service service name command. Example: `Device(config)# no allow-service bgp Device(config)# allow-service dhcp` Starting from Cisco IOS XE Catalyst SD-WAN Release 17.16.1a, configuring the allow-service all command on Cisco SD-WAN Controller is only applicable for the following services bgp, dhcp, dns, https, icmp, netconf, ntp, ospf, sshd, and stun.
	4.	Enable implicit ACL protection on a physical interface for incoming VPN 0 traffic. Example: `Device(config)# implicit-acl-on-bind-intf` Use this command to enable implicit ACL protection on a physical interface in cases where a physical interface is not configured with a TLOC and bound to the loopback TLOC interface.

The following example shows implicit ACL configured on a loopback interface.


sdwan interface Loopback100
  tunnel-interface
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
  exit

Need help?

Open a support case

(Requires a Cisco Service Contract)

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Configure implicit ACL on loopback interfaces using CLI commands

Procedure

Example:

Example:

Example:

Example: