12-04-2010 01:39 AM - edited 02-21-2020 05:00 PM
Hi,
The network has 500+ branch offices and an HO (with ASR1004) router connected via MPLS L3 IP/VPN.
Configured GETVPN group & need to migrate production nodes slowly.
Initially, in order to enable encryption for both directions, an exception ACL (deny statements) is written for the 500+ branches.
HO router & one remote branch are configured for GETVPN group.
Issue:
When the encryption policy is pushed from the KS to the GMs, traffic from the HO to non-GM branches is disturbed. It seems that the exception ACL does not work, or is there some other resource issue or a control-traffic block?
All routing protocols and control traffic are allowed unencrypted by the KS group policy.
Any guess what could be going on here?
regards,
Waruna
12-04-2010 05:38 AM
Hi Waruna,
The global policy on the KS can contain a maximum of 100 rules, including both deny and permit entries. If the number of rules you need exceeds that limit, you might need to consider applying a local policy on the HO so that traffic to non-GM branches is not encrypted.
Regards,
Lei Tian
12-05-2010 12:50 AM
Hi Lei,
Thanks for the feedback,
I was aware of this limitation in global policy by KS.
My KS policy doesn't have more than 30 entries. But in my local HO exception ACL, I have 500+ deny entries! (Until I migrate each branch into the GETVPN group...)
Is there any limitation on the local exception ACL?
regards,
Waruna
12-05-2010 04:53 AM
Hi Waruna,
I am not aware of any limitation on local deny ACLs, but I found a couple of bugs related to complex ACLs in GET: CSCsu38169 and CSCsw85293.
If you are using a fail-close ACL, you might also want to check that the fail-close ACL has all the permits reflecting the downloaded and local denies.
Regards,
Lei Tian
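For readers following the thread, the configuration below sketches the two GM-side pieces discussed: a local exception (deny) ACL attached to the GDOI crypto map, and a fail-close ACL that must mirror it. This is an added illustration, not the original poster's configuration; the group name, key-server address, ACL names, interface and branch prefixes are all made up.

```text
! GM (HO router) side. All names and addresses below are constructed for illustration.
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 192.0.2.10          ! key server (TEST-NET address, constructed)
!
! Local exception policy. A GM's own ACL is merged in front of the policy
! downloaded from the KS, and only DENY entries are honoured, so traffic
! matched here is forwarded in the clear until the branch becomes a GM.
ip access-list extended GM-LOCAL-DENY
 deny ip 10.1.0.0 0.0.255.255 10.101.0.0 0.0.255.255   ! HO <-> branch 101 (not yet a GM)
 deny ip 10.1.0.0 0.0.255.255 10.102.0.0 0.0.255.255   ! HO <-> branch 102 (not yet a GM)
 ! one deny line per branch still outside the group
!
crypto map GDOI-MAP 10 gdoi
 set group GETVPN-GROUP
 match address GM-LOCAL-DENY
!
! Optional fail-close mode. Before the GM has registered, only traffic that
! matches a DENY line in this ACL passes in the clear; everything else is
! dropped. Every flow the local or downloaded policy leaves unencrypted
! (including the non-GM branches above) therefore has to be listed here too.
crypto map GDOI-MAP gdoi fail-close
 match address GM-FAIL-CLOSE
 activate
!
ip access-list extended GM-FAIL-CLOSE
 deny ip 10.1.0.0 0.0.255.255 10.101.0.0 0.0.255.255
 deny ip 10.1.0.0 0.0.255.255 10.102.0.0 0.0.255.255
!
interface GigabitEthernet0/0/0
 description WAN towards the MPLS L3 VPN (constructed)
 crypto map GDOI-MAP
```

After the policy has been pushed, `show crypto gdoi gm acl` on the GM displays the effective ACL as the router actually applies it, with the downloaded KS permits and the local denies merged; comparing that output against the fail-close ACL is the quickest way to spot a clear-text flow that the fail-close list would drop.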