By default in Cisco SD-WAN, every transport interface in VPN 0 on every vEdge router has an implicit access list applied. Each implicit ACL allows or denies a specific type of network traffic, referred to as a service. Only three services are permitted by default - DHCP, DNS, and ICMP. All other services are denied. We can enable additional services using the allow-service command under the transport interface’s tunnel configuration, as shown in the output below:
vEdge-1(config-tunnel-interface)# allow-service ?
Possible completions:
  all      Allow all traffic.
  bgp      Allow/deny BGP
  dhcp     Allow/deny DHCP
  dns      Allow/deny DNS
  https    Allow/deny HTTPS
  icmp     Allow/deny ICMP
  netconf  Allow/deny NETCONF
  ntp      Allow/deny NTP
  ospf     Allow/deny OSPF
  sshd     Allow/deny SSH
  stun     Allow/deny STUN
Why are implicit ACLs important?
The implicit access control lists that are applied on all transport interfaces by default are an essential part of Cisco SD-WAN's control-plane security portfolio. WAN edge routers have protection against DDoS attacks out of the box through a combination of control-plane policing and the implicit ACLs on the underlay-facing transport interfaces, as shown in figure 1 below.
What are Implicit ACLs?
Each transport interface of a vEdge router has an implicit access list applied by default. Some network engineers who have just started with Cisco SD-WAN tend to assume that every interface in VPN 0 is a transport one. However, a transport interface is a tunnel endpoint and has a local TLOC configuration - color and encapsulation. We can see in the output below that there are four interfaces in VPN 0, but only two of them are transport ones:
vEdge-1# show interface | t
                                        IF      IF      IF
                AF                      ADMIN   OPER    TRACKER
VPN  INTERFACE  TYPE  IP ADDRESS        STATUS  STATUS  STATUS   PORT TYPE
----------------------------------------------------------------------------
0    ge0/0      ipv4  39.3.0.1/24       Up      Up      NA       transport
0    ge0/1      ipv4  10.10.0.1/24      Up      Up      NA       transport
0    ge0/6      ipv4  10.0.0.12/24      Up      Up      NA       service
0    system     ipv4  1.1.1.1/32        Up      Up      NA       loopback
Another essential point to emphasize is that an implicit access list on a transport interface only affects traffic that arrives in VPN 0 from the underlay network and is destined to the transport interface’s own IP address. We see this illustrated in figure 2 below.
The implicit ACL does not match the traffic that traverses the overlay tunnels established to this transport interface.
Allowing SSH to a vEdge router from the underlay
In this lab example, we will enable SSH access to WAN edge routers 1 and 4 from the underlay network. To achieve this objective, we will allow the SSH service (allow-service sshd) in the implicit access lists applied to the transport interfaces marked with the MPLS color on vEdge 1 and 4.
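As an added example (not code from the original article), the following Python script parses a VPN 0 fragment written in vEdge CLI style and reports, for each interface, whether it is a transport interface and which services its implicit ACL would admit from the underlay, flagging management services such as sshd. The precedence model it uses and the constructed sample configuration are assumptions for illustration, not the device's exact behaviour.

```python
import re
# Simplified model of the article's implicit ACL (an assumption, not Cisco's exact
# precedence rules): DHCP, DNS and ICMP allowed by default; "allow-service X" adds X,
# "no allow-service X" removes X, "allow-service all" allows every service.
DEFAULT_ALLOWED = {"dhcp", "dns", "icmp"}
ALL_SERVICES = {"bgp", "dhcp", "dns", "https", "icmp", "netconf", "ntp", "ospf", "sshd", "stun"}
MGMT_SERVICES = {"sshd", "netconf", "https"}  # services that expose the router itself
SAMPLE_CONFIG = """\
vpn 0
 interface ge0/1
  ip address 10.10.0.1/24
  tunnel-interface
   encapsulation ipsec
   color mpls
   allow-service sshd
 interface ge0/6
  ip address 10.0.0.12/24
"""  # constructed VPN 0 fragment in vEdge CLI style, not from a real device

def parse_vpn0(config):
    """Return {ifname: {ip, color, encap, tunnel, transport, allowed}} for VPN 0 interfaces."""
    ifs, cur = {}, {"tunnel": False}  # lines before the first 'interface' go to a throwaway dict
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"interface (\S+)$", line):  # new block starts from the default ACL
            cur = ifs.setdefault(m.group(1), {"ip": None, "color": None, "encap": None,
                                              "tunnel": False, "allowed": set(DEFAULT_ALLOWED)})
        elif line.startswith("ip address "):
            cur["ip"] = line.split()[2]
        elif line == "tunnel-interface":
            cur["tunnel"] = True
        elif cur["tunnel"] and line.startswith(("color ", "encapsulation ")):
            key, val = line.split()[:2]
            cur["color" if key == "color" else "encap"] = val
        elif cur["tunnel"] and (a := re.match(r"(no )?allow-service (\S+)$", line)):
            svcs = ALL_SERVICES if a.group(2) == "all" else {a.group(2)}
            cur["allowed"] = cur["allowed"] - svcs if a.group(1) else cur["allowed"] | svcs
    for d in ifs.values():  # transport = tunnel endpoint with a local TLOC (color + encapsulation)
        d["transport"] = d["tunnel"] and bool(d["color"] and d["encap"])
    return ifs

def report(ifs):
    """One line per VPN 0 interface; flag transport interfaces exposing a management service."""
    out = []
    for name, d in sorted(ifs.items()):
        if not d["transport"]:
            out.append(f"{name} ({d['ip']}): not a transport interface, no implicit ACL")
            continue
        flag = "  <-- management service reachable from the underlay" if MGMT_SERVICES & d["allowed"] else ""
        out.append(f"{name} ({d['ip']}, color {d['color']}): allows {sorted(d['allowed'])}{flag}")
    return out
```

Run `print("\n".join(report(parse_vpn0(SAMPLE_CONFIG))))` to see that only ge0/1 carries an implicit ACL and that it now admits SSH from the underlay.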