ACL (Access Control List)
Example: ACL
Restrictions:
- There is no SONiC command to add ACL tables and rules; they are configured in config_db.json.
- A LAG's member port shall not be added to an ACL table. Doing so is treated as an invalid configuration and the configuration fails.
- LAG ACL configurations are automatically applied to all LAG members.
- An ACL table of type "CTRLPLANE" affects all of the ports (front ports + MGMT port).
- There is a known issue with ACL table key "services": no matter whether you set "services" to SSH or SNMP, both SSH and SNMP packets will be blocked.
Reference model:
- Switch model name: All
- Edgecore SONiC version: SONiC.Edgecore-SONiC_20201123_130028_ec202006_74
Procedure:
Step 1: Create an ACL table on config_db.json
admin@sonic:/etc/sonic$ sudo vi config_db.json
{
    ...
    "ACL_TABLE": {
        "ACL_ETH0": {
            "policy_desc": "drop_1.0",
            "ports": [
                "Ethernet0"
            ],
            "stage": "ingress",
            "type": "L3"
        }
    },
    ...
}
Note:
- ACL_ETH0 is the name of this ACL table.
- Key "policy_desc" is a description. The value of "policy_desc" is a JSON string, here "drop_1.0".
- The value of "ports" is a JSON array consisting of the names of physical interfaces, LAG interfaces or VLAN interfaces, e.g.
  "ports": ["Ethernet0", "Ethernet1"]
  "ports": ["Vlan10"]
- Key "stage" is the ACL direction. The value is "ingress" or "egress".
- Key "type" is the type of the ACL. SONiC supports 4 types: L3, L3V6, CTRLPLANE, and MIRROR. (About MIRROR, please refer to this article.)
- When key "type" is CTRLPLANE, "ports" should be replaced by "services". "services" supports 2 values: SSH, SNMP.
  Caution: there is a known issue (see Restriction 5): no matter whether you set "services" to SSH or SNMP, both SSH and SNMP packets will be blocked.
  Example of a CTRLPLANE ACL table:
{
    …
    "ACL_TABLE": {
        "ACL_ETH0": {
            "policy_desc": "drop",
            "services": [
                "SSH"
            ],
            "stage": "ingress",
            "type": "CTRLPLANE"
        }
    },
    …
}
Step 2: Reload config and check ACL table by SONiC command.
admin@sonic:~$ sudo config reload -y
...omitted
admin@sonic:~$ show acl table
Name      Type    Binding    Description
--------  ------  ---------  -------------
ACL_ETH0  L3      Ethernet0  drop_1.0
Step 3: Create ACL rules on config_db.json
admin@sonic:/etc/sonic$ sudo vi config_db.json
{
    ...
    "ACL_RULE": {
        "ACL_ETH0|ACE_FORWARD": {
            "PACKET_ACTION": "FORWARD",
            "PRIORITY": "1",
            "IP_TYPE": "ANY"
        },
        "ACL_ETH0|ACE_DROP": {
            "PACKET_ACTION": "DROP",
            "PRIORITY": "2",
            "SRC_IP": "192.168.1.10/32",
            "L4_SRC_PORT": "53"
        }
    },
    ...
}
Note:
- Keys "ACL_ETH0|ACE_FORWARD" and "ACL_ETH0|ACE_DROP" are the names of the rules of ACL table ACL_ETH0 (table name, "|", rule name).
- If key "type" of the ACL table is L3, L3V6 or CTRLPLANE:
  - The action key in the ACL rule is "PACKET_ACTION".
  - The value of "PACKET_ACTION" is FORWARD or DROP.
- If key "type" of the ACL table is MIRROR:
  - The action key in the ACL rule is "MIRROR_ACTION".
  - The value of "MIRROR_ACTION" is the name of a mirror session.
- A higher "PRIORITY" number means a higher priority. In the above example, the rule with priority 2 is matched first.
- Here are the values for "IP_TYPE":
  ANY          Filter IPv4, IPv6, Ether type
  IP           Filter IPv4, IPv6
  NON_IP       Filter Ether type only
  IPV4ANY      Filter IPv4 only
  NON_IPv4     Filter IPv6, Ether type
  IPV6ANY      Filter IPv6 only
  NON_IPv6     Filter IPv4, Ether type
  ARP          Filter ARP request, reply
  ARP_REQUEST  Filter ARP request only
  ARP_REPLY    Filter ARP reply only
- Other keys (parameters):
  - DST_IP example: "DST_IP": "192.168.1.10/32"
  - SRC_IPV6 example: "SRC_IPV6": "2001::db:1"
    Caution: The type of the ACL table should be modified to "L3V6".
  - DST_IPV6 example: "DST_IPV6": "2001::db:2"
    Caution: The type of the ACL table should be modified to "L3V6".
  - ETHER_TYPE example: "ETHER_TYPE": "0x842" or "ETHER_TYPE": "2114"
  - L4_SRC_PORT example: "L4_SRC_PORT": "53"
  - L4_DST_PORT example: "L4_DST_PORT": "53"
  - IP_PROTOCOL example: "IP_PROTOCOL": "1"
  - L4_SRC_PORT_RANGE example: "L4_SRC_PORT_RANGE": "1028-4096"
  - L4_DST_PORT_RANGE example: "L4_DST_PORT_RANGE": "1028-4096"
  - ICMP_TYPE example: "ICMP_TYPE": "0"
  - ICMPV6_TYPE example: "ICMPV6_TYPE": "128"
    Caution: The type of the ACL table should be modified to "L3V6".
  - TCP_FLAGS example: "TCP_FLAGS": "16/255"
    Note: the value is written as flags/mask:
    FIN = 0x01  "TCP_FLAGS": "1/255"
    SYN = 0x02  "TCP_FLAGS": "2/255"
    RST = 0x04  "TCP_FLAGS": "4/255"
    PSH = 0x08  "TCP_FLAGS": "8/255"
    ACK = 0x10  "TCP_FLAGS": "16/255"
    URG = 0x20  "TCP_FLAGS": "32/255"
    ECE = 0x40  "TCP_FLAGS": "64/255"
    CWR = 0x80  "TCP_FLAGS": "128/255"
Step 4: Reload config and check ACL rules by SONiC command.
admin@sonic:~$ sudo config reload -y
...omitted
admin@sonic:~$ show acl rule
Table     Rule         Priority    Action    Match
--------  -----------  ----------  --------  -----------------------
ACL_ETH0  ACE_DROP     2           DROP      L4_SRC_PORT: 53
                                             SRC_IP: 192.168.1.10/32
ACL_ETH0  ACE_FORWARD  1           FORWARD   IP_TYPE: ANY
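As an added example (not Edgecore's tooling or any SONiC utility), the Python script below lints the ACL_TABLE and ACL_RULE sections of a config_db.json against the restrictions and notes above before you run config reload, and lists a table's rules in the order the switch evaluates them (highest PRIORITY first). It assumes the standard config_db table PORTCHANNEL_MEMBER, keyed "PortChannelX|EthernetY", to identify LAG member ports; the sample config is constructed.

```python
import json
import re
# Constructed sample config_db.json fragment (not a real device dump): one valid table/rule pair plus
# several of the mistakes the notes above warn about (LAG member port, "ports" on CTRLPLANE, etc.).
SAMPLE_CONFIG_DB = json.dumps({
    "PORTCHANNEL_MEMBER": {"PortChannel1|Ethernet4": {}},
    "ACL_TABLE": {
        "ACL_ETH0": {"policy_desc": "drop_1.0", "ports": ["Ethernet0"], "stage": "ingress", "type": "L3"},
        "ACL_LAG": {"policy_desc": "on_member", "ports": ["Ethernet4"], "stage": "ingress", "type": "L3"},
        "ACL_CTRL": {"policy_desc": "ssh", "ports": ["Ethernet0"], "stage": "ingress", "type": "CTRLPLANE"},
    },
    "ACL_RULE": {
        "ACL_ETH0|ACE_FORWARD": {"PACKET_ACTION": "FORWARD", "PRIORITY": "1", "IP_TYPE": "ANY"},
        "ACL_ETH0|ACE_DROP": {"PACKET_ACTION": "DROP", "PRIORITY": "2", "SRC_IP": "192.168.1.10/32"},
        "ACL_ETH0|ACE_V6": {"PACKET_ACTION": "DROP", "PRIORITY": "3", "SRC_IPV6": "2001::db:1"},
        "ACL_ETH0|ACE_SYN": {"PACKET_ACTION": "DROP", "PRIORITY": "4", "TCP_FLAGS": "2"},
        "ACL_GONE|ACE_X": {"PACKET_ACTION": "DROP", "PRIORITY": "1"},
    },
})

V6_ONLY_KEYS = {"SRC_IPV6", "DST_IPV6", "ICMPV6_TYPE"}  # these match keys need table type L3V6
TCP_FLAGS_RE = re.compile(r"^(0x[0-9a-fA-F]+|\d+)/(0x[0-9a-fA-F]+|\d+)$")  # "flags/mask" form

def lint_acl(config_db_text):
    """Return a list of problems; an empty list means the ACL sections look safe to reload."""
    cfg = json.loads(config_db_text)
    tables = cfg.get("ACL_TABLE", {})
    lag_members = {key.split("|")[1] for key in cfg.get("PORTCHANNEL_MEMBER", {})}  # assumed table layout
    problems = []
    for name, table in tables.items():
        if table.get("type") == "CTRLPLANE" and "ports" in table:
            problems.append(f"{name}: CTRLPLANE tables use 'services', not 'ports'")
        problems += [f"{name}: {p} is a LAG member; bind the PortChannel instead"
                     for p in table.get("ports", []) if p in lag_members]
    for key, rule in cfg.get("ACL_RULE", {}).items():
        table_name = key.split("|")[0]
        if table_name not in tables:
            problems.append(f"{key}: refers to unknown ACL table {table_name}")
            continue
        if V6_ONLY_KEYS.intersection(rule) and tables[table_name].get("type") != "L3V6":
            problems.append(f"{key}: IPv6 match keys require table type L3V6")
        if "TCP_FLAGS" in rule and not TCP_FLAGS_RE.match(rule["TCP_FLAGS"]):
            problems.append(f"{key}: TCP_FLAGS must be 'flags/mask', e.g. 2/255 for SYN")
    return problems

def match_order(config_db_text, table_name):
    """Rule names of one table in evaluation order: the highest PRIORITY number matches first."""
    rules = json.loads(config_db_text).get("ACL_RULE", {})
    mine = [(int(r["PRIORITY"]), k.split("|")[1]) for k, r in rules.items() if k.startswith(table_name + "|")]
    return [name for _, name in sorted(mine, reverse=True)]
```

Run lint_acl on the file you are about to load and fix every reported line before config reload; match_order is a quick way to confirm that a DROP rule really sits ahead of the catch-all FORWARD rule.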