Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
861
Views
1
Helpful
1
Replies

How to add an ACL to an Interface

HernanSeijas4479
Level 1
Level 1

‎12-16-2023 01:10 PM

Hi, 

I need to add an ACL to an interface to only one router in my sdwan network.

It is connected to an Internet connection and I want to permit only to establish the tunnel.

Where can I create it? add it in a template?

I want to configure something like this:

ip access-list extended SITE-A-INTERNET-IN

  permit esp  x.x.x.x  host x.x.x.x

  permit udp  x.x.x.x host x.x.x.x eq isakmp non500-isakmp

  permit icmp x.x.x.x  host x.x.x.x echo

 

 

0 Helpful
1 Reply 1

Kanan Huseynli
VIP
VIP

‎12-17-2023 01:04 AM

Hi,

first of all you need to allow control traffic as well (router to controllers), secondly you don't need isakmp (udp500 or udp4500) - SD-WAN architecture is IKE-less.

You need one explicit access-list line to match and allow ping from respective device(s). Other traffic will be handled by implicit access-list which you see normally under tunnel-interface with "allow-service ..." command.

To create explicit ACL and attach to the device:

1) Go to vManage > Configuration > Policies > Localized Policy > Custom Options [ Access Control Lists ] > Add IPv4 ACL:

Leave default action as drop.

Add sequence: match with source/destination data prefix and select action "accept"

2) Go to back "Localized policy" section:

Create new device or template specific policy by clicking "Add policy". Do next two times, then in the Access List section click "Add Access Control List Policy" and import previously created ACL. Click next-next and give name/description to this new localized policy.

KananHuseynli_0-1702795367991.png

3) Go to device template section and under Additional Template section add Policy:

KananHuseynli_1-1702795433940.png

Push new config and wait.

4) And finally, you need to use this access-list from attached localized policy in the interface. For this, go to respective interface feature template and use access-list:

KananHuseynli_2-1702795506047.png

Plus, ensure that, none of protocol is allowed with allow-service command under this tunnel interface (explicitly select OFF, even if you have allow-service all <> OFF)

KananHuseynli_3-1702803828236.png

 

Push config and wait

Note: you don't need explicitly allow tunnel overlay traffic even if you have default action drop in explicit ACL.

 

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card