Recommended default ACLs for the Control Plane

A default ACL can be applied to the Control Plane to enable or disable certain protocols. The recommended default ACL for the Control Plane enables these common IP protocols by default:
  • ICMP and ICMPv6 (Internet Control Message Protocol)

  • IGMP (Internet Group Management Protocol)

  • OSPF (Open Shortest Path First)

  • PIM (Protocol-Independent Multicast)

  • VRRP (Virtual Router Redundancy Protocol)

It may also be desirable to permit the following well-known TCP and UDP ports, plus the ephemeral port range:
  • HTTP (HyperText Transfer Protocol): TCP port 80

  • HTTPS (Secure HyperText Transfer Protocol): TCP Port 443

  • SNMP (Simple Network Management Protocol): TCP and UDP port 161

  • BGP (Border Gateway Protocol): TCP port 179

  • SSH (Secure Shell): TCP port 22

  • DHCPS and DHCP (Dynamic Host Configuration Protocol): UDP ports 67 and 68

  • NTP (Network Time Protocol): UDP port 123

Protocols such as TFTP and BGP also depend on TCP/UDP ports greater than 1023 (the ephemeral range), which is why the object groups below each end with a gt 1023 entry.

Port numbers can be bundled together as object groups. For example:
switch(config)# object-group port tcp_ports
switch(config-portgroup)# 10 eq 22
switch(config-portgroup)# 20 eq 80
switch(config-portgroup)# 30 eq 443
switch(config-portgroup)# 40 eq 161
switch(config-portgroup)# 50 eq 179
switch(config-portgroup)# 60 gt 1023
...
switch(config)# object-group port udp_ports
switch(config-portgroup)# 10 eq 67
switch(config-portgroup)# 20 eq 68
switch(config-portgroup)# 30 eq 123
switch(config-portgroup)# 40 eq 161
switch(config-portgroup)# 50 gt 1023

An IPv4 default ACL for the Control Plane named default_acl can be configured as follows (with IP protocol 112 used for VRRP):
switch(config)# access-list ip default_acl
switch(config-acl-ip)# 10 permit icmp any any
switch(config-acl-ip)# 20 permit igmp any any
switch(config-acl-ip)# 30 permit pim any any
switch(config-acl-ip)# 40 permit ospf any any
switch(config-acl-ip)# 50 permit tcp any any group tcp_ports
switch(config-acl-ip)# 60 permit udp any any group udp_ports
switch(config-acl-ip)# 70 permit 112 any any

The ACL can be applied to Control Plane traffic on a VRF named vrf-main as follows:
switch(config)# apply access-list ip default_acl control-plane vrf vrf-main
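As an added example (not code from the page or the switch vendor), the following Python script re-types the tcp_ports/udp_ports object groups and default_acl above as constructed input and evaluates which Control Plane packets they would permit. It assumes first-match semantics with an implicit deny after the last entry and that eq/gt compare the destination port; running it shows, for instance, that the gt 1023 entries also admit TCP or UDP traffic to any high port, not only the listed services.

```python
# Added example (not code from the page): a first-match evaluator for the
# default_acl above. Assumes eq/gt test the destination port, 'group' names an
# object-group port list, and a packet matching no entry hits an implicit deny.
IP_PROTO = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "ospf": 89, "pim": 103}
CONFIG = """\
object-group port tcp_ports
 10 eq 22
 20 eq 80
 30 eq 443
 40 eq 161
 50 eq 179
 60 gt 1023
object-group port udp_ports
 10 eq 67
 20 eq 68
 30 eq 123
 40 eq 161
 50 gt 1023
access-list ip default_acl
 10 permit icmp any any
 20 permit igmp any any
 30 permit pim any any
 40 permit ospf any any
 50 permit tcp any any group tcp_ports
 60 permit udp any any group udp_ports
 70 permit 112 any any
"""

def parse(text):
    """Return ({group: [(op, port)]}, {acl: [(seq, action, proto, group)]})."""
    groups, acls, cur = {}, {}, None
    for w in (l.split() for l in text.splitlines() if l.strip()):
        if w[0] in ("object-group", "access-list"):        # start a new container
            cur = (groups if w[0] == "object-group" else acls).setdefault(w[2], [])
        elif w[1] in ("eq", "gt"):                           # <seq> eq|gt <port>
            cur.append((w[1], int(w[2])))
        else:                      # <seq> permit|deny <proto> any any [group <name>]
            cur.append((int(w[0]), w[1], w[2], w[6] if len(w) > 6 else None))
    return groups, acls

def evaluate(groups, entries, proto, dport=0):
    """First matching entry wins; ('deny', None) is the implicit deny at the end."""
    want = IP_PROTO.get(proto) or int(proto)       # name, or a number such as 112 (VRRP)
    for seq, action, eproto, grp in entries:
        if (IP_PROTO.get(eproto) or int(eproto)) == want and (
                not grp or any(dport == p if op == "eq" else dport > p for op, p in groups[grp])):
            return action, seq
    return "deny", None

GROUPS, ACLS = parse(CONFIG)   # evaluate(GROUPS, ACLS["default_acl"], "tcp", 22) -> ("permit", 50)
```

Constructed packets such as UDP 53 (not listed, below 1024) land on the implicit deny, while UDP 33434 is permitted by the gt 1023 entry; adjust the CONFIG text to test a tightened ACL before applying it.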

An IPv6 default ACL for the Control Plane named default_v6_acl can be configured as follows (with IP protocol 112 used for VRRP):

switch(config)# access-list ipv6 default_v6_acl
switch(config-acl-ip)# 10 permit icmpv6 any any
switch(config-acl-ip)# 20 permit pim any any
switch(config-acl-ip)# 30 permit ospf any any
switch(config-acl-ip)# 40 permit tcp any any group tcp_ports
switch(config-acl-ip)# 50 permit udp any any group udp_ports
switch(config-acl-ip)# 60 permit 112 any any

The IPv6 ACL can be applied to Control Plane traffic on a VRF named vrf-main as follows:
switch(config)# apply access-list ipv6 default_v6_acl control-plane vrf vrf-main