Allow-service in vbond/vmanager

interfacedy
Spotlight

Hi, below is the config for an SD-WAN vBond or vManage. There are a lot of "allow-service" lines, as we can see. I would like to know whether any individual allow-service line has any significance if there is an "allow-service all" at the top? Thank you!
vpn 0
 interface ge0/0
  ip address 192.168.1.111/24
  ipv6 dhcp-client
  tunnel-interface
   encapsulation ipsec
   allow-service all
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
  !
  no shutdown

Accepted Solution

svemulap@cisco.com
Cisco Employee
Hi,

The allow-service option acts like an implicit-ACL and is to allow or disallow a type of service on the WAN Tunnel interface.
allow-service can be all, or one or more of bgp, dhcp (v4/v6), https, icmp, netconf, ntp, ospf, sshd and stun.
By default, DHCP (v4/v6), DNS, HTTPS and ICMP are enabled on vEdge Rtrs.

Configuring allow-service all overrides any commands that allow or disallow individual services.

When allow-service all overrides the commands allowing or restricting individual services, the implicit ACLs created by the configuration of the services are disabled. Disabling the implicit ACLs could open control-plane attacks.

Before you configure allow-service all, consider whether you should configure explicit ACLs or a ZBFW.

HTH
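
The rule in the answer above (allow-service all overrides every individual allow / no allow-service line on the same tunnel-interface, and DHCP, DNS, HTTPS and ICMP are on by default) can be checked mechanically. The script below is an added example, not Cisco or Viptela code: it parses a vpn 0 tunnel-interface block like the one in the question, computes which services are actually reachable on the tunnel, and reports every "no allow-service" line that "allow-service all" has made ineffective. The service list, the parsing of the config text and the handling of "no allow-service all" are assumptions modelled on the snippet in the question.

```python
"""Audit 'allow-service' lines on SD-WAN vpn 0 tunnel interfaces.

Added example, not Cisco/Viptela code. It applies the rule from the accepted
answer: 'allow-service all' overrides every individual allow / no allow-service
line on the same tunnel-interface, and DHCP, DNS, HTTPS and ICMP are enabled by
default. The service list, the treatment of 'no allow-service all' and the
config text format are assumptions modelled on the snippet in the question.
"""
import re
from dataclasses import dataclass

SERVICES = ("bgp", "dhcp", "dns", "https", "icmp",
            "netconf", "ntp", "ospf", "sshd", "stun")
DEFAULT_ON = frozenset({"dhcp", "dns", "https", "icmp"})   # defaults per the answer
ALLOW_RE = re.compile(r"^(no\s+)?allow-service\s+(\S+)$")


@dataclass(frozen=True)
class TunnelAudit:
    interface: str
    allow_all: bool
    effective: frozenset          # services actually reachable on the tunnel
    silently_allowed: frozenset   # 'no allow-service X' lines with no effect
    findings: tuple               # human-readable findings


def parse_tunnel_interfaces(config: str) -> dict:
    """Map each vpn 0 tunnel-interface name to its allow-service lines, in order."""
    lines_by_iface, vpn, iface, in_tunnel = {}, None, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("vpn "):
            vpn, iface, in_tunnel = line.split()[1], None, False
        elif line.startswith("interface "):
            iface, in_tunnel = line.split(None, 1)[1], False
        elif line == "tunnel-interface" and vpn == "0" and iface:
            in_tunnel = True
            lines_by_iface.setdefault(iface, [])
        elif line == "!":                       # closes the tunnel-interface block
            in_tunnel = False
        elif in_tunnel and ALLOW_RE.match(line):
            lines_by_iface[iface].append(line)
    return lines_by_iface


def effective_services(lines):
    """Apply defaults, explicit lines and the 'all' override; last line wins."""
    allow_all = False
    explicit = {}
    for line in lines:
        negated, svc = ALLOW_RE.match(line).groups()
        if svc == "all":
            # assumption: 'no allow-service all' cancels the override again
            allow_all = negated is None
        else:
            explicit[svc] = negated is None
    if allow_all:
        # the override wins: every service is reachable, and each 'no' line is dead
        return frozenset(SERVICES), True, frozenset(s for s, on in explicit.items() if not on)
    state = {s: s in DEFAULT_ON for s in SERVICES}
    state.update(explicit)
    return frozenset(s for s, on in state.items() if on), False, frozenset()


def audit(config: str):
    results = []
    for iface, lines in parse_tunnel_interfaces(config).items():
        effective, allow_all, silent = effective_services(lines)
        findings = []
        if allow_all:
            findings.append(f"{iface}: 'allow-service all' disables the implicit ACLs; "
                            f"{len(silent)} 'no allow-service' line(s) are ineffective: "
                            + ", ".join(sorted(silent)))
        for svc in sorted(effective & {"sshd", "netconf"}):
            findings.append(f"{iface}: management service {svc} is reachable on the tunnel")
        results.append(TunnelAudit(iface, allow_all, effective, silent, tuple(findings)))
    return results


# Constructed sample: the config from the question, and the same block with
# 'allow-service all' removed so the individual lines take effect.
QUESTION_CONFIG = """\
vpn 0
 interface ge0/0
  ip address 192.168.1.111/24
  ipv6 dhcp-client
  tunnel-interface
   encapsulation ipsec
   allow-service all
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
  !
  no shutdown
"""
HARDENED_CONFIG = QUESTION_CONFIG.replace("   allow-service all\n", "")

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("hardened", HARDENED_CONFIG)):
        for a in audit(cfg):
            print(label, a.interface, "allow_all =", a.allow_all, "effective =", sorted(a.effective))
            for f in a.findings:
                print("   ", f)
```

Run against the question's config the audit reports all ten services reachable and six dead "no allow-service" lines (bgp, sshd, netconf, ntp, ospf, stun); with the "allow-service all" line removed the same block yields only dhcp, dns, https and icmp, which is what the individual lines were written to express.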

interfacedy
Spotlight

Thanks!