VPN Mesh ACLs

We have a VPN mesh configured between sites where everything is routed through the main site.

Our ACL lists are getting massive and I'm curious if it would be possible to simplify them as such:

Current ACL:

ip access-list extended ENCRYPT-ACL
permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.200.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.200.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 10.255.255.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.50.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.50.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.60.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.60.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.7.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.7.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.8.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.9.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.90.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.9.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.90.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.110.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.110.0 0.0.0.255 192.168.30.0 0.0.0.255

Could I simplify this by adding an ACL such as this:

permit ip 192.168.0.0 0.0.255.255 192.168.3.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 192.168.30.0 0.0.0.255

Also, in the NO-NAT could the same principle apply? As you can imagine, the NO-NAT for this takes up a couple of pages printed out.

Thanks!


Re: VPN Mesh ACLs

Hi,

To avoid any overlapping, it would be better to create an object-group with the 192.168.3.0 and 192.168.30.0 and then you can reference your ACL to the object-group.

This will greatly reduce the ACL.

Federico.
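The two questions in this thread (does the /16 summary really replace the long list, and how would an object-group version look) can both be answered mechanically. The script below is an added example written for this thread; it is not Cisco code and not the poster's or Federico's. It parses IOS-style crypto ACL entries, converts the wildcard masks to prefixes, and reports two things about the proposed summary: original entries it no longer matches (that traffic would silently leave the tunnel) and source/destination pairs it newly permits (the overlap Federico warns about, including things like 192.168.3.0/24 to 192.168.3.0/24). It then prints an object-group rewrite that permits exactly the same pairs as the original, grouping sources by the set of destinations they reach. The ACL text inside the script is a constructed subset of the list posted above (the full list follows the same pattern); it assumes Python 3.7+ for `subnet_of`. Whether a given IOS release accepts object-group ACLs as crypto ACLs varies by platform and version, so verify that on the router before relying on the generated configuration.

```python
"""Check a summarized crypto ACL against the original and build an
object-group equivalent. Added example for the thread; not Cisco code."""
import ipaddress
import re
from collections import defaultdict

# Constructed subset of the ENCRYPT-ACL posted in the thread, including the
# one entry (10.255.255.0/24) that does not live under 192.168.0.0/16.
ORIGINAL_ACL = """
permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.200.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.200.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 10.255.255.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.30.0 0.0.0.255
"""

# The two-line replacement proposed in the question (typo corrected).
PROPOSED_ACL = """
permit ip 192.168.0.0 0.0.255.255 192.168.3.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 192.168.30.0 0.0.0.255
"""

ACE_RE = re.compile(r"^\s*permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_acl(text):
    """Return [(src_net, dst_net)] from 'permit ip A wcA B wcB' lines.

    ipaddress accepts an IOS wildcard (host mask) directly. A non-contiguous
    wildcard, or an address with host bits set under its mask, raises
    ValueError: such entries cannot be summarized safely and need review.
    """
    entries = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported line: {line!r}")
        src = ipaddress.ip_network((m.group(1), m.group(2)), strict=True)
        dst = ipaddress.ip_network((m.group(3), m.group(4)), strict=True)
        entries.append((src, dst))
    return entries


def covers(acl, src, dst):
    """True if some entry of acl contains both src and dst."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in acl)


def uncovered(original, summary):
    """Original entries the summary no longer matches (traffic leaving the tunnel)."""
    return [(s, d) for s, d in original if not covers(summary, s, d)]


def extra_pairs(original, summary, granularity=24):
    """Source/destination pairs the summary permits that the original never did.

    Enumerated at /24 so the report stays readable; an entry already narrower
    than the granularity is reported as itself.
    """
    def pieces(net):
        if net.prefixlen >= granularity:
            return [net]
        return list(net.subnets(new_prefix=granularity))
    return [(ps, pd) for s, d in summary
            for ps in pieces(s) for pd in pieces(d)
            if not covers(original, ps, pd)]


def object_group_rewrite(original, acl_name="ENCRYPT-ACL"):
    """Emit an IOS object-group version permitting exactly the original pairs.

    Sources are grouped by the exact set of destinations they may reach, so
    a source with fewer destinations (10.255.255.0/24 here) gets its own
    group instead of being widened to every destination.
    """
    dsts_of = defaultdict(set)
    for s, d in original:
        dsts_of[s].add(d)
    groups = {}
    for s, dsts in dsts_of.items():
        groups.setdefault(frozenset(dsts), []).append(s)
    lines = []
    for i, (dsts, srcs) in enumerate(groups.items(), 1):
        for name, nets in ((f"SRC-NETS-{i}", srcs), (f"DST-NETS-{i}", sorted(dsts))):
            lines.append(f"object-group network {name}")
            lines.extend(f" {n.network_address} {n.netmask}" for n in nets)
    lines.append(f"ip access-list extended {acl_name}")
    for i in range(1, len(groups) + 1):
        lines.append(f" permit ip object-group SRC-NETS-{i} object-group DST-NETS-{i}")
    return "\n".join(lines)


if __name__ == "__main__":
    orig, prop = parse_acl(ORIGINAL_ACL), parse_acl(PROPOSED_ACL)
    print("No longer encrypted by the summary:")
    for s, d in uncovered(orig, prop):
        print(f"  {s} -> {d}")
    added = extra_pairs(orig, prop)
    print(f"Newly permitted /24 pairs: {len(added)} (first few shown)")
    for s, d in added[:5]:
        print(f"  {s} -> {d}")
    print("\nObject-group rewrite:\n" + object_group_rewrite(orig))
```

Run it as-is to see that the /16 summary drops the 10.255.255.0/24 entry entirely and adds several hundred source/destination combinations the original never encrypted, which is exactly why a summary that "looks" smaller can change what the crypto map selects; the object-group output keeps the original semantics while collapsing the per-site repetition Federico describes.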
