[Edgecore SONiC] ACL (Access Control List)
An access control list (ACL) is an ordered list of filtering rules derived from an access control matrix. Each list consists of access control entries (ACEs).
Tested model & firmware version:
- Switch model name:
AS5835-54X
- Edgecore SONiC version:
202006.4
202012.2
Restriction:
- There is no SONiC command to add ACL rules.
- A LAG member port must not be added to an ACL table; doing so is an invalid configuration and the command fails.
- LAG ACL configurations will be automatically applied to all the LAG members.
- Control Plane ACL:
- Supported services: SSH and SNMP.
- When a Control Plane ACL is active, any service not listed in the table is denied, i.e. if the ACL table is bound only to SSH, SNMP is denied.
- A “deny any any” rule is appended automatically as the last rule.
- The ACL support table is shown below:
[ACL support table (image not reproduced)]
Procedure:
Step 1. Create an ACL table by CLI
admin@sonic:~$ sudo config acl add table --help
Usage: config acl add table [OPTIONS] <table_name> <table_type>
Add ACL table
Options:
-d, --description TEXT
-p, --ports TEXT
-s, --stage [ingress|egress]
-S, --services TEXT
-?, -h, --help Show this message and exit.
admin@sonic:~$ sudo config acl add table ACL_ETH0 L3 --description 'drop_1.0' --stage 'ingress' --ports 'Ethernet0'
Note:
- The "policy_desc" field (--description) is a free-text description of the ACL table.
- The "stage" field sets the ACL direction:
- ingress
- egress
- Supported “table_type” values:
- L3
- L3V6
- MIRROR (for mirror sessions, please refer to the separate mirroring article)
- CTRLPLANE (see Control Plane ACL below)
Step 2. Check ACL table by SONiC command.
admin@sonic:~$ show acl table
Name      Type    Binding    Description
--------  ------  ---------  -------------
ACL_ETH0  L3      Ethernet0  drop_1.0
Step 3. Create a JSON file (ACE.json) for the ACL rules and apply it with the command “config load”
admin@sonic:~$ sudo vi ACE.json
{
    "ACL_RULE": {
        "ACL_ETH0|ACE_FORWARD": {
            "PACKET_ACTION": "FORWARD",
            "PRIORITY": "1",
            "IP_TYPE": "ANY"
        },
        "ACL_ETH0|ACE_DROP": {
            "PACKET_ACTION": "DROP",
            "PRIORITY": "2",
            "SRC_IP": "192.168.1.10/32",
            "L4_SRC_PORT": "53"
        }
    }
}
admin@sonic:~$ sudo config load ACE.json -y
Note:
- The keys "ACL_ETH0|ACE_FORWARD" and "ACL_ETH0|ACE_DROP" are the rule names of ACL table ACL_ETH0 (table name, "|", rule name).
- If the "type" of the ACL table is L3 or L3V6:
- The action key in the ACL rule is "PACKET_ACTION"
- The value of "PACKET_ACTION" is FORWARD or DROP.
- If the "type" of the ACL table is MIRROR:
- The action key in the ACL rule is "MIRROR_ACTION"
- The value of "MIRROR_ACTION" is the name of a mirror session
- A higher PRIORITY number means a higher priority: in the example above, the rule with priority 2 is matched first.
- Here are the values for "IP_TYPE":
IP_TYPE      Matches
-----------  ----------------------------
ANY          Filter IPv4, IPv6, Ether type
IP           Filter IPv4, IPv6
NON_IP       Filter Ether type only
IPV4ANY      Filter IPv4 only
NON_IPv4     Filter IPv6, Ether type
IPV6ANY      Filter IPv6 only
NON_IPv6     Filter IPv4, Ether type
ARP          Filter ARP request, reply
ARP_REQUEST  Filter ARP request only
ARP_REPLY    Filter ARP reply only
- Other keys (parameters):
- DST_IP example: "DST_IP": "192.168.1.10/32"
- SRC_IPV6 example: "SRC_IPV6": "2001::db:1"
  Caution: The type of the ACL table should be modified to "L3V6"
- DST_IPV6 example: "DST_IPV6": "2001::db:2"
  Caution: The type of the ACL table should be modified to "L3V6"
- ETHER_TYPE example: "ETHER_TYPE": "0x842" or "ETHER_TYPE": "2114"
- L4_SRC_PORT example: "L4_SRC_PORT": "53"
- L4_DST_PORT example: "L4_DST_PORT": "53"
- IP_PROTOCOL example: "IP_PROTOCOL": "1"
- L4_SRC_PORT_RANGE example: "L4_SRC_PORT_RANGE": "1028-4096"
- L4_DST_PORT_RANGE example: "L4_DST_PORT_RANGE": "1028-4096"
- ICMP_TYPE example: "ICMP_TYPE": "0"
- ICMPV6_TYPE example: "ICMPV6_TYPE": "128"
  Caution: The type of the ACL table should be modified to "L3V6"
- TCP_FLAGS example: "TCP_FLAGS": "16/255"
Note: the value is written as "<flags>/<mask>" in decimal; the individual flag bits are:
FIN = 0x01 "TCP_FLAGS": "1/255"
SYN = 0x02 "TCP_FLAGS": "2/255"
RST = 0x04 "TCP_FLAGS": "4/255"
PSH = 0x08 "TCP_FLAGS": "8/255"
ACK = 0x10 "TCP_FLAGS": "16/255"
URG = 0x20 "TCP_FLAGS": "32/255"
ECE = 0x40 "TCP_FLAGS": "64/255"
CWR = 0x80 "TCP_FLAGS": "128/255"
Step 4. Check ACL rules by SONiC command
admin@sonic:~$ show acl rule
Table     Rule         Priority    Action    Match
--------  -----------  ----------  --------  -----------------------
ACL_ETH0  ACE_DROP     2           DROP      L4_SRC_PORT: 53
                                             SRC_IP: 192.168.1.10/32
ACL_ETH0  ACE_FORWARD  1           FORWARD   IP_TYPE: ANY
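As an added example (not part of the original article and not a SONiC utility), the Python helper below assembles an ACL_RULE document for "config load" and enforces the notes above: the action key per table type, the L3V6 requirement for the IPv6 match keys, the "<flags>/<mask>" encoding of TCP_FLAGS, and the higher-priority-first match order. The function names and the sample rules are constructed for illustration.

```python
import json
# Constraints taken from the article's notes; added helper, not part of SONiC.
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
                 "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
IPV6_ONLY_KEYS = {"SRC_IPV6", "DST_IPV6", "ICMPV6_TYPE"}   # need table type L3V6
ACTION_KEY = {"L3": "PACKET_ACTION", "L3V6": "PACKET_ACTION", "MIRROR": "MIRROR_ACTION"}

def tcp_flags_match(*flags):
    """Encode flag names as the '<flags>/<mask>' decimal string, e.g. ('ACK',) -> '16/255'."""
    value = 0
    for name in flags:
        value |= TCP_FLAG_BITS[name.upper()]
    return f"{value}/255"

def rule_problems(table_type, name, fields):
    """Return the constraint violations for one rule (an empty list means it is acceptable)."""
    action_key = ACTION_KEY.get(table_type)
    if action_key is None:
        return [f"{name}: unsupported table type {table_type}"]
    problems = []
    if action_key not in fields:
        problems.append(f"{name}: {table_type} rules need {action_key}")
    elif action_key == "PACKET_ACTION" and fields[action_key] not in ("FORWARD", "DROP"):
        problems.append(f"{name}: PACKET_ACTION must be FORWARD or DROP")
    v6_keys = IPV6_ONLY_KEYS & set(fields)
    if v6_keys and table_type != "L3V6":
        problems.append(f"{name}: {sorted(v6_keys)} need table type L3V6")
    return problems

def build_acl_rules(table_name, table_type, rules):
    """Build the {'ACL_RULE': {...}} document 'config load' expects; keys are '<table>|<rule>'."""
    problems = [p for name, f in rules.items() for p in rule_problems(table_type, name, f)]
    if problems:
        raise ValueError("; ".join(problems))
    return {"ACL_RULE": {f"{table_name}|{name}": {k: str(v) for k, v in fields.items()}
                         for name, fields in rules.items()}}

def match_order(config):
    """Rule keys in evaluation order: the higher PRIORITY number is matched first."""
    rules = config["ACL_RULE"]
    return sorted(rules, key=lambda key: int(rules[key]["PRIORITY"]), reverse=True)

if __name__ == "__main__":
    # Rebuild the article's ACE.json, adding a SYN-only TCP_FLAGS match to the drop rule.
    cfg = build_acl_rules("ACL_ETH0", "L3", {
        "ACE_FORWARD": {"PACKET_ACTION": "FORWARD", "PRIORITY": 1, "IP_TYPE": "ANY"},
        "ACE_DROP": {"PACKET_ACTION": "DROP", "PRIORITY": 2, "SRC_IP": "192.168.1.10/32",
                     "L4_SRC_PORT": 53, "TCP_FLAGS": tcp_flags_match("SYN")}})
    print(json.dumps(cfg, indent=2))      # save as ACE.json, then: sudo config load ACE.json -y
    print("match order:", match_order(cfg))
```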
Control Plane ACL
Procedure:
Step 1. Create a Service ACL table by CLI
admin@sonic:~$ sudo config acl add table CTRL CTRLPLANE --help
Usage: config acl add table [OPTIONS] <table_name> <table_type>
Add ACL table
Options:
-d, --description TEXT
-p, --ports TEXT
-s, --stage [ingress|egress]
-S, --services TEXT
-?, -h, --help Show this message and exit.
admin@sonic:~$
admin@sonic:~$ sudo config acl add table CTRL CTRLPLANE --description "CTRLPANE ACL" --services "SSH,SNMP"
Note: in the 202006 branch there is no CLI for the service ACL table. Create a JSON file instead and apply it with “config load”.
admin@sonic:~$ sudo vi service_table.json
{
    "ACL_TABLE": {
        "CTRL": {
            "policy_desc": "CTRLPLANE ACL",
            "services": [
                "SSH",
                "SNMP"
            ],
            "type": "CTRLPLANE"
        }
    }
}
admin@sonic:~$ sudo config load service_table.json -y
Step 2. Check ACL table by SONiC command.
admin@sonic:~$ show acl table
Name    Type       Binding    Description    Stage
------  ---------  ---------  -------------  -------
CTRL    CTRLPLANE  SNMP       CTRLPANE ACL   ingress
                   SSH
Step 3. Create a JSON file (CTRL_ACE.json) for the ACL rules and apply it with the command “config load”
admin@sonic:~$ sudo vi CTRL_ACE.json
{
    "ACL_RULE": {
        "CTRL|ACE_ACCEPT": {
            "PACKET_ACTION": "ACCEPT",
            "PRIORITY": "2",
            "SRC_IP": "192.168.1.10/32"
        }
    }
}
admin@sonic:~$ sudo config load CTRL_ACE.json -y
Step 4. Check ACL rules by SONiC command
admin@sonic:~$ show acl rule
Table Rule Priority Action Match
------- ----------- ---------- -------- ------------------------
CTRL ACE_ACCEPT 2 ACCEPT SRC_IP: 192.168.1.10/32