Cisco SD-WAN 025 - Service VPN1 Standard and Extended ACL via ACL Policy and Templates

Video Statistics and Information

Captions
How's it going, everybody. In this video we're going to continue the ACL variation of the setup and look at the configuration for deploying ACLs through the concept of localized policies and applying those to templates, because unlike the vEdges where you go on the CLI, you actually have to go through and push the localized policy down, just like we did with vEdge2 for the BTP policy: it's got to get applied and then pushed, and then you can manipulate it. Now since we're going to be doing this from vManage, we're going to take a look at affecting traffic on the same interface in two different directions. So we have traffic that is coming from the router to the vEdge, and traffic that is going to the router.

So just to make this easier to follow, what I'll be doing, in a nutshell, is creating an ACL that calls the local loopback of each site, right here. I'll be calling that local loopback and I will be denying it from having internet access. So basically, if you're sourcing any traffic off of 13.13.13.13 or 15.15.15.15, you will not be able to get to the interface to the internet, and I'm going to apply that inbound. Any other traffic will be permitted out the gate and will be good to go. Now I'm also going to create an outbound ACL on that same interface, which is gig 0/2 on both devices, and it's going to say that if you're going to the IOS 13 loopback, loopback 0, you're not going to be able to reach it via telnet. The same thing for vEdge4, for router 15: we're going to say if you're trying to reach IOS 15 via the loopback 0, you're not going to be able to reach it via telnet. And actually, let me back that up just a little bit: we won't actually be able to do it based off the loopback. What we will do is, if you're trying to reach IOS 13 via telnet, you won't be able to. Same thing down here: if you're trying to reach router 15 via telnet. We're going to apply this in the outbound direction and go from there.

So with that being said, let's go ahead and set this up. Now one thing I do want to mention before we do this is that I have tested this out in the past, and in order for this to work in both the inbound and the outbound direction, what we need to do is create both access lists and call them from the same policy that we're going to push down to the vEdge. Now this might be updated in newer versions of code; I'm dealing with 18.4. I will take a look at the release notes for whatever version I upgrade to, because we will be doing an upgrade at some point in the future, but for right now the only way that it's able to get pushed on 18.4 is if you go through and combine multiple access lists in the same single policy and then push that policy from vManage down to the vEdges. Once we do that, we'll be in really good shape, and then we can go to the individual interfaces of the template specifically and push the ACL name to the interface.

So the way the flow logic is going to work is that on vManage we're going to create the lists to match on the traffic, so we're going to create lists to match on the loopback addresses of the devices, and then we're going to call those specific addresses from an ACL for each individual device, one for router 13 and one for router 15. We're going to push those specific ACLs down to the vEdges and apply them inbound, so as traffic comes from either router 13 or router 15 inbound to the vEdges, traffic will get blocked if it's being sourced from either one of their loopbacks. That's one specific configuration that we have to do. In order to block telnet outbound from any other devices to the routers, what we're going to have to do is create another access list, and we'll match on just telnet as it is and not necessarily a source or destination. We could be more specific, but we're going to keep it pretty generic, where we're just going to match on TCP port 23 for telnet. Once that access list is also created, we're going to call the ACLs that block the traffic from the loopback addresses of the individual devices inbound, and we're also going to call the ACL that blocks telnet outbound towards the routers. When we do that, the ACL that matches on the loopback addresses is going to be matched inbound, so traffic coming from the router to the vEdge will be blocked if it's being sourced from the loopbacks; if we're sending traffic from another location to one of the routers that sits behind vEdge3 or vEdge4, that traffic will get blocked specifically if it's telnet, and we're going to set that in the outbound direction from the vEdge out to the router. That's basically what we are going to accomplish in this video, so let's go ahead and dive into it. I have to set this up from scratch, and I'm going to get this knocked out real quick. Let me move this over here just a little bit so we can see vEdges 3 and 4.

So I'm going to first come in here and go to Policies, and I'm going to click on Localized Policy. Right now I don't have anything created. I'm going to go ahead and create a policy, and the first thing I have to do is call a data prefix. As you can see, I have a couple of data prefixes; let me go ahead and just delete one of these so you guys can see how this gets created. I'm going to click on OK, and that policy is getting called from an already existing ACL, so let me back up once: let me click on Cancel, we go to Custom Options and then Access Lists. So the ACLs are already here; like I said, I did test this out beforehand. I'm going to go ahead and delete these ACLs just so that they're no longer here; we're going to create these again so you guys can see what they look like. Go ahead, delete that as well, click on OK, then go back to the Lists, and on Data Prefix I'm going to delete this guy right here, so router 15; now he's gone. So if you've already got something you've matched on and then you need another one, well, that's actually really easy: just click on New Data Prefix. The name of it's going to be IOS15_loopback, then come in here and do the IP address you're wanting to match on, so 15.15.15.15/32, click on Add, and then we're going to go to Localized Policy. I'm going to go ahead and add a policy, and we can see in the data prefix that these are created, so I'm going to click on Next. The next option here we have is going to be for QoS; we're not there yet, we'll take a look at that in a future video, so we're going to click Next because we don't want to create a QoS policy. We are going to create a few access lists, so we're going to create an access control list policy. I'm going to add one here. The name of this guy... and they have to be individual ACLs; you can't create one ACL and call logic multiple times. You could probably; I have not tested it out this way because it doesn't make sense to do it this way, so if you want to, feel free and try that out and create multiple sequence numbers and go that route, be my guest.

So what I'm going to do is call this IOS13_loopback and I'm going to copy and paste that in there. I'm going to create a new sequence and then a sequence rule, and for the match portion I'm going to say the source data prefix, because this is going to be traffic that's being received inbound. I'm going to call IOS 13 loopback, and then on the actions I'm going to set it to drop, but I'm also going to add a counter and call this IOS 13 counter, something simple like that. Click on Save ACL. Alright, I always make this mistake; let me scoot this up just a little bit higher, minimize this a little bit and bring this down just a touch so it's right there. Click on Save Match and Continue and then Save ACL Policy. I'm going to go ahead and create another one, so add another IPv4 ACL policy. This one here is going to be IOS 15 loopback; copy and paste that in, and then add an ACL sequence, then a sequence rule. I'm going to say source data prefix, I'm going to choose IOS 15 loopback, I'm going to set the action to be drop and the counter to be IOS15_counter. Okay, so I actually have to go back and edit the other ACL real quick, but what I have to do is save this one here. But I have to go underneath the default action and change the default action to be a permit, or accept, and Save Match and Continue, because if I don't do that I'm going to be dropping all the traffic, right? I've got a specific entry in there that says block traffic coming from this specific IP address; if I don't change the default action to be accept, it's going to be dropping everything. So I'm going to Save ACL Policy, I'm going to come back over here to this guy and Edit, then click on Default Action and then the little pencil, and then change that to be accept, Save Match and Continue, and boom, Save ACL Policy.

Okay, I'm going to create one more. This one's going to take a little bit longer to build. I'm going to come in here and just type in block_telnet; copy and paste that in and then Add ACL Sequence, add a sequence rule. Now I'm not going to match on an IP address or subnet; I'm going to basically say I don't really care where the traffic is coming from or going to, I just want to block telnet. So it isn't about which one's more specific versus less specific; this is more of an extended ACL, so we're focusing on the protocol and the port, versus just the subnet that a standard ACL is going to match on. So this will be your extended ACL variation. So I'm going to say the protocol here, in this case TCP, is protocol 6, and the destination port is going to be 23. Okay, the action is going to be set to drop, and I'm also going to set up a counter to be telnet counter. Save Match and Actions, and then underneath Default Action change that to be accept, Save Match and Actions, click Save ACL Policy. So now I have the IOS 13 loopback, the IOS 15 loopback, and then block telnet. I'm going to click on Next. I'm going to bypass the route policy, but I am going to create an ACL policy, so I'm going to call this the single site ACL policy and copy and paste that there, and then I can click on Preview, and this is what it's going to look like. Down here I have my lists that call the loopback addresses of IOS 13 and 15. Those particular data prefixes are being called and then they're dropping the traffic if a source IP address matches those IPs, and then the default action is allow anything else. Same thing here: I have another access list called block telnet where in sequence one we're matching on protocol 6 with the destination port of 23, and we're going to drop that, and we're going to say I want you to count any time there's a drop, but in the default action we're going to go ahead and allow it. I'm going to click Save Policy, and now that policy has been created.

Now I need to go to the next step: I need to actually go to the template, the device template specifically, and I need to push this policy down to vEdge 3 and 4. Let's go ahead and do that real quick. Come over here to Templates, on Device Template we're going to choose Single Device Template and say Edit. Underneath here we're going to click on Additional Templates, and then for Policy we're going to call the single site ACL policy, and then we're going to click on Update. We don't actually have to do a whole lot right now, because we're not trying to affect individual operations at the vEdge level; we're just trying to get the policy there. If we were to pull up vEdge 3 or 4, for example, let's log in real quick and do a show run policy: I had no policies created, right, so nothing's there. I'm going to come over here and click on Next and then Configure Devices. I'm going to push the config down, because we already looked at the config preview, so we know what's going to get pushed, and I'm going to pause the video. Alright, the config was pushed, so we're going to hit the up arrow and now we can see that the policy was pushed. Okay, but just to keep everything in mind: nothing's been applied yet. We've literally just taken the logic from vManage and pushed it down to the vEdges; that's all we've done so far. So now we need to go and actually enforce it.

So we're going to go back to the templates, underneath the feature template, and then I'm going to select the individual templates themselves. So we're going to grab VPN 1 for the gigabit interface, which should be this guy right here; let's scoot this out just a little bit more, and we have VPN 1 interface ge0/2, which is what we want. We're going to come over here, click on Edit, and I'm going to come underneath here to ACL and QoS. What I'm going to do is have this guy sitting right here, and I'm going to scoot this guy up so I have all the ACL names literally right there in front of me, so all I have to do is click back and forth, because if you don't have them readily available, there's no way for you to look them up, right? There's no drop-down box, unfortunately; hopefully that's an update in a release down the road, but right now it's not there. So from here I'm going to click on Global and turn it on, and the ACL is going to be device specific. For the ingress ACL, because we have two different ACLs, I'm going to say device specific, because I don't need to apply both IOS 13 and IOS 15 to the same device, right? So I'm going to say device specific on this one, but for the egress ACL I'm going to go to Global, click On, and then I'm going to choose the actual ACL, which is right here, which is going to be block telnet; I'm going to paste that right there. It's going to be global because this is going to affect both devices. I'm going to click on Update, and then that's going to cause me to go update the actual... oh, I grabbed the wrong, haha, I just noticed that I grabbed the wrong vEdge. So let me go back to Templates real quick and the feature template; that's my fault, I was not paying attention to what template I was grabbing. We need to go into single site for gig 0/2. Let me scoot this out just a little bit so we can see it. Alright, see, that's what ended up happening, it jumped on me. So single site, this guy right here, go all the way across, make sure it's the same one, and then Edit, and then again ACL/QoS, come down here to Ingress ACL, Global, turn it on, and then the actual ACLs can be device specific, but for the egress ACL I'm going to turn it global to turn it on and just plug in the block telnet ACL. I'm going to click on Update.

Now what will end up happening is I'll have to go in and specify which specific ACL I want to match on. I'm going to come down here, and the ACL name is going to be right here, so for vEdge3 this is going to be IOS 13; click on Update. And then for this guy over here, let's scroll it all the way to the right; the access list should be at the very bottom. Not quite... where is it? Let me just click on here to make it easier on myself, come down to the bottom for access list, and then grab IOS 15 loopback, plug that in there and click on Update. Now I'm going to click on Next and it's going to push that config; I'm going to say Configure Devices, click on OK, and then I will pause the video and wait for that to actually take effect. Alright, so the apply was successful, so let's go ahead and take a look at this from the command line. We're going to look at router 13, or vEdge3, first, so I'm going to come in here and do a show run vpn 1 interface ge0/2, and we should see two ACLs applied: we should see IOS 13 inbound and the access list block telnet outbound. Okay, so now let's go over to router 13 and do a little bit of testing here. What I'm going to do is ping; in this case here, show ip route, I don't believe I have a default at the moment, and I don't. So what I need to do real quick is on vEdge1 (I turned off the advertisement of OSPF, so let me do that real quick just so we have a default route, because I do not have NAT operational yet): vpn 1 omp advertise ospf external, commit that, and then go back over here to the router, hit the up arrow, and now we have a default route.

So now I'm going to ping 1.2.3.4, and I should be able to reach the loopback address of the internet, which I can. Now if I hit the up arrow and go source loopback 0, that is denied, okay, which is what we want to see. And from router 15, same thing here: I'm going to ping 1.2.3.4, that should be allowed no problem, but if I source that from loopback 0... show ip interface brief; so config t, interface loopback 0, ip address 15.15.15.15/32, and there, so it's not available, exactly what I'm looking for. Now if I go back to vEdge3 and I do a show policy access-list counters, we should see that that is taking effect, which it is, right? We block traffic from IOS 13 coming inbound. If I go to vEdge4, let me log into him real quick, and we're going to do a show policy access-list counters; same thing there, we're matching on router 15 coming inbound, so it's working the way we wanted it to. Now here is the trigger: we're going to go over to router 5 and I'm going to telnet to 10.3.13.3, and I'm trying to telnet to that. If I look at vEdge3 and hit the up arrow, now we're getting matches on this access list. It's trying to connect me to telnet but it's not able to. Now if I was to disable those ACLs, obviously, and you can disable them on a per-direction basis, so you can turn the one off for ingress or turn one off for egress, whatever the case might be; but as you can see it is not working, which is the desired result. But if I went to IOS 5 and I did a telnet to... let me make sure 13 has actually got the web connection up and running, so ip http server, ip http authentication local, do show run | include username, just make sure that's there before I try to do it and it fails. Give that a second; okay, it's there. So now I'm going to go back to router 5, I'm going to telnet to 10.3.13.13 but via port 80, and that opens up all day long. If I go over to router 13 and I do a show ip http server connections, blamo, I have an active connection from 10.56181 right there. So we know we have an active inbound connection, so that just goes to show you that we do have the configuration up and running correctly via the ACLs.

So as you can see, if you wanted to go in more detail you could. When we get to the QoS portion and we start diving into that, we'll be a little bit more specific in our ACLs on what we're doing: instead of blocking traffic we'll say match on DSCP, or set this particular queue value, or something along those lines. But for right now, that's basically how you would do that. Until next time, guys, thank you so much for stopping by and hanging out with me; I'll catch all of you in the next video.
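The following is an added example, not code from the video or from Cisco: a small Python model of the two localized-policy ACLs the video builds (the per-site loopback ACL applied ingress on VPN 1 ge0/2 and block_telnet applied egress), evaluated the way the video describes the vEdge doing it: sequences tried in order, first match wins, counters incremented on a match, and the default action deciding everything else. ACL, counter and data-prefix names and the addresses 13.13.13.13, 15.15.15.15, 10.3.13.13 and 1.2.3.4 come from the video; the Packet fields, the evaluation engine itself, and 10.5.6.5 as a stand-in address for router 5 are my assumptions. The last case reproduces the mistake the video warns about: leaving the ACL's default action at drop.

```python
"""Added example: model of the VPN 1 ge0/2 ingress/egress ACLs from the video.
Not vEdge code; the engine and the Packet fields are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int                    # 1 = ICMP, 6 = TCP
    dst_port: Optional[int] = None   # only meaningful for TCP/UDP


@dataclass
class Sequence:
    """One ACL sequence. Every criterion that is set must hold (AND); unset ones are wildcards."""
    action: str                          # "drop" or "accept"
    source_prefix: Optional[str] = None  # standard-ACL style: match on who sent it
    protocol: Optional[int] = None       # extended-ACL style: protocol and port
    dst_port: Optional[int] = None
    counter: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.source_prefix is not None and ip_address(pkt.src) not in ip_network(self.source_prefix):
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


@dataclass
class AccessList:
    name: str
    sequences: list
    default_action: str = "drop"     # what vManage gives you until you change it
    counters: dict = field(default_factory=dict)   # what "show policy access-list counters" reports

    def evaluate(self, pkt: Packet) -> str:
        for seq in self.sequences:   # first matching sequence wins
            if seq.matches(pkt):
                if seq.counter:
                    self.counters[seq.counter] = self.counters.get(seq.counter, 0) + 1
                return seq.action
        return self.default_action   # nothing matched: the default action decides


@dataclass
class ServiceInterface:
    """VPN 1 ge0/2: ingress = from the LAN router into the vEdge, egress = vEdge out to the router."""
    ingress: AccessList
    egress: AccessList

    def forward(self, pkt: Packet, direction: str) -> str:
        acl = self.ingress if direction == "in" else self.egress
        return acl.evaluate(pkt)


# Data prefix lists from the localized policy (names and prefixes as in the video)
DATA_PREFIX_LISTS = {"IOS13_loopback": "13.13.13.13/32",
                     "IOS15_loopback": "15.15.15.15/32"}


def build_ge0_2(site: str, default_action: str = "accept") -> ServiceInterface:
    """site is 'IOS13' (vEdge3) or 'IOS15' (vEdge4). Pass default_action='drop' to see
    what happens when the default action is left unchanged."""
    loopback_acl = AccessList(
        name=f"{site}_loopback",
        sequences=[Sequence(action="drop", source_prefix=DATA_PREFIX_LISTS[f"{site}_loopback"],
                            counter=f"{site}_counter")],
        default_action=default_action)
    block_telnet = AccessList(
        name="block_telnet",
        sequences=[Sequence(action="drop", protocol=6, dst_port=23, counter="telnet_counter")],
        default_action=default_action)
    return ServiceInterface(ingress=loopback_acl, egress=block_telnet)


def run_vedge3_tests() -> dict:
    """Replay the video's tests on vEdge3. 10.5.6.5 is a constructed address for router 5."""
    ge0_2 = build_ge0_2("IOS13")
    results = {
        # router 13 pings 1.2.3.4 from its LAN address: no sequence matches, default accept
        "ping_from_lan": ge0_2.forward(Packet("10.3.13.13", "1.2.3.4", 1), "in"),
        # same ping sourced from loopback 0: matched by IOS13_loopback, dropped and counted
        "ping_from_loopback": ge0_2.forward(Packet("13.13.13.13", "1.2.3.4", 1), "in"),
        # router 5 telnets to router 13: egress ACL drops TCP/23
        "telnet_to_r13": ge0_2.forward(Packet("10.5.6.5", "10.3.13.13", 6, 23), "out"),
        # port 80 is not matched, so it opens up
        "http_to_r13": ge0_2.forward(Packet("10.5.6.5", "10.3.13.13", 6, 80), "out"),
        # telnet *from* router 13 enters ge0/2 inbound, where only the loopback ACL applies
        "telnet_from_r13": ge0_2.forward(Packet("10.3.13.13", "10.5.6.5", 6, 23), "in"),
    }
    results["counters"] = {**ge0_2.ingress.counters, **ge0_2.egress.counters}
    # The pitfall: default action left at drop drops the plain LAN ping as well
    broken = build_ge0_2("IOS13", default_action="drop")
    results["ping_from_lan_default_drop"] = broken.forward(Packet("10.3.13.13", "1.2.3.4", 1), "in")
    return results


if __name__ == "__main__":
    for name, outcome in run_vedge3_tests().items():
        print(f"{name}: {outcome}")
```

The direction split is the point worth keeping in mind when reading the counters: the loopback ACL only ever sees traffic entering ge0/2 from the router, and block_telnet only sees traffic leaving ge0/2 toward the router, so a telnet session initiated by router 13 is not touched by either list.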
Info
Channel: Rob Riker's Tech Channel
Views: 1,477
Keywords: cisco, sd-wan, sd, wan, acls, access-list, extended, standard, filtering, filter, control
Id: In3Xr2TBF5k
Length: 22min 37sec (1357 seconds)
Published: Mon Oct 12 2020