By default in Cisco SD-WAN, each VPN0’s transport interface on every vEdge router has an implicit access list applied. Each implicit ACL allows or denies a specific type of network traffic referred to as a service. Only three services are permitted by default - DHCP, DNS, and ICMP. All other services are denied. We can enable additional services using the allowed-service command under the transport interface’s tunnel configuration, as shown in the output below:
vEdge-1(config-tunnel-interface)# allow-service ? Possible completions: all Allow all traffic. bgp Allow/deny BGP dhcp Allow/deny DHCP dns Allow/deny DNS https Allow/deny HTTPS icmp Allow/deny ICMP netconf Allow/deny NETCONF ntp Allow/deny NTP ospf Allow/deny OSPF sshd Allow/deny SSH stun Allow/deny STUN
Why are implicit ACLs important?
The implicit access control lists that are applied on all transport interfaces by default are an essential part of Cisco SD-WAN's control-plane security portfolio. WAN edge routers have protection against DDoS attacks out of the box using a combination of control-plane policing and implicit ACL on the underlay, as shown in figure 1 below.
What are Implicit ACLs?
Each transport interface of a vEdge router has an implicit access list applied by default. Some network engineers who have just started with Cisco SD-WAN tend to assume that every interface in VPN 0 is a transport one. However, a transport interface is a tunnel endpoint and has a local TLOC configuration - color and encapsulation. We can see in the output below that there are four interfaces in VPN 0, but only two of them are transport ones:
vEdge-1# show interface | t IF IF IF AF ADMIN OPER TRACKER VPN INTERFACE TYPE IP ADDRESS STATUS STATUS STATUS PORT TYPE ----------------------------------------------------------------------------- 0 ge0/0 ipv4 18.104.22.168/24 Up Up NA transport 0 ge0/1 ipv4 10.10.0.1/24 Up Up NA transport 0 ge0/6 ipv4 10.0.0.12/24 Up Up NA service 0 system ipv4 22.214.171.124/32 Up Up NA loopback
Another essential point to emphasize is that an implicit access list on a transport interface only affects the traffic that comes in VPN 0 from the underlay network and is destined to the transport interface’s IP address. We see this illustrated in figure 2 below.
The implicit ACL does not match the traffic that traverses the overlay tunnels established to this transport interface.
Allowing SSH to a vEdge router from the underlay
In this lab example, we will enable SSH access to WAN edge routers 1 and 4 from the underlay network. To achieve this objective, we will allow the ssh service in the implicit access lists applied to the transport interfaces marked with the MPLS color on vEdge 1 and 4.
Full Content Access is for Registered Users Only (it's FREE)...
- Learn any CCNA, DevNet or Network Automation topic with animated explanation.
- We focus on simplicity. Networking tutorials and examples written in simple, understandable language for beginners.