ACL (Access Control List)
Reference model:
- Switch model name:
  - AS7726-32X
  - AS7326-56X
  - AS7816-64X
  - AS5835-54X(T)
  - AS4630-54PE
  - AS9716-32D
  - AS8000 (Minipack)
  - Wedge100BF-32X
- Edgecore SONiC version:
  - Edgecore-SONiC_20201123_130028_ec202006_74
  - Edgecore-SONiC_20201229_070315_ec202006_101
  - Edgecore-SONiC_20201229_070315_ec202006_bfn_65 (Wedge100BF-32X)
Restriction:
1. There is no SONiC command to add an ACL table or ACL rules.
2. A LAG's member port must not be added to an ACL table; such a configuration is treated as invalid and fails.
3. LAG ACL configurations are automatically applied to all LAG members.
4. One point about the ACL table needs care: when its type is set to "CTRLPLANE", a default ACE "deny any" is present.
Reference model:
- Switch model name: All
- Edgecore SONiC version: SONiC.Edgecore-SONiC_20201123_130028_ec202006_74
Procedure:
Step 1: Create an ACL table in config_db.json
admin@sonic:/etc/sonic$ sudo vi config_db.json
{
    ...
    "ACL_TABLE": {
        "ACL_ETH0": {
            "policy_desc": "drop_1.0",
            "ports": [
                "Ethernet0"
            ],
            "stage": "ingress",
            "type": "L3"
        }
    },
    ...
}
Note:
- ACL_ETH0 is the name of this ACL table.
- Key "policy_desc" is a description. Its value is a JSON string, here "drop_1.0".
- Key "ports" is a JSON array of interface names: physical interfaces, LAGs or VLAN interfaces, e.g.
  "ports": ["Ethernet0", "Ethernet1"]
  "ports": ["Vlan10"]
- Key "stage" is the ACL direction. The value is "ingress" or "egress".
- Key "type" is the type of ACL. SONiC supports 4 types: L3, L3V6, CTRLPLANE, and MIRROR. (For MIRROR, please refer to the dedicated article.)
- When "type" is CTRLPLANE, "ports" is replaced by "services". "services" supports 2 values: SSH and SNMP.
  {
      ...
      "ACL_TABLE": {
          "ACL_ETH0": {
              "policy_desc": "drop",
              "services": [
                  "SSH"
              ],
              "stage": "ingress",
              "type": "CTRLPLANE"
          }
      },
      ...
  }
Step 2: Reload the config and check the ACL table with a SONiC command.
admin@sonic:~$ sudo config reload -y
...omitted
admin@sonic:~$ show acl table
Name      Type    Binding    Description
--------  ------  ---------  -------------
ACL_ETH0  L3      Ethernet0  drop_1.0
Step 3: Create ACL rules in config_db.json
admin@sonic:/etc/sonic$ sudo vi config_db.json
{
    ...
    "ACL_RULE": {
        "ACL_ETH0|ACE_FORWARD": {
            "PACKET_ACTION": "FORWARD",
            "PRIORITY": "1",
            "IP_TYPE": "ANY"
        },
        "ACL_ETH0|ACE_DROP": {
            "PACKET_ACTION": "DROP",
            "PRIORITY": "2",
            "SRC_IP": "192.168.1.10/32",
            "L4_SRC_PORT": "53"
        }
    },
    ...
}
Note:
- Keys "ACL_ETH0|ACE_FORWARD" and "ACL_ETH0|ACE_DROP" are the names of the rules of ACL table ACL_ETH0 (the key format is "<table name>|<rule name>").
- If key "type" of the ACL table is L3 or L3V6:
  - The action key in the ACL rule is "PACKET_ACTION".
  - The value of "PACKET_ACTION" is FORWARD or DROP.
- If key "type" of the ACL table is MIRROR:
  - The action key in the ACL rule is "MIRROR_ACTION".
  - The value of "MIRROR_ACTION" is the name of a mirror session.
- If key "type" of the ACL table is CTRLPLANE:
  - The action key in the ACL rule is "PACKET_ACTION".
  - The value of "PACKET_ACTION" is ACCEPT or DROP.
  Caution: this is where restriction 4 above applies.
  Example: in the subnet 188.188.0.0/16, we want to deny the single IP 188.188.36.36.
  Because of the default ACE "deny any any", you must also add an ACE that allows the other IPs; otherwise every packet will be dropped by the default ACE.
  And don't forget to add SNMP to "services", or SNMP packets will be dropped by the default ACE, too.
  "ACL_RULE": {
      "ACL_MGMT|SSH_DROP": {
          "PACKET_ACTION": "DROP",
          "PRIORITY": "2",
          "SRC_IP": "188.188.36.36/32"
      },
      "ACL_MGMT|SSH_FORWARD": {
          "PACKET_ACTION": "ACCEPT",
          "PRIORITY": "1",
          "SRC_IP": "188.188.0.0/16"
      }
  },
  "ACL_TABLE": {
      "ACL_MGMT": {
          "policy_desc": "drop_MGMT",
          "services": [
              "SSH", "SNMP"
          ],
          "stage": "ingress",
          "type": "CTRLPLANE"
      }
  },
- A higher priority number means a higher priority. In the example above, the rule with priority 2 is matched first.
- Here are the values for "IP_TYPE":
  ANY          Filter IPv4, IPv6, Ether type
  IP           Filter IPv4, IPv6
  NON_IP       Filter Ether type only
  IPV4ANY      Filter IPv4 only
  NON_IPv4     Filter IPv6, Ether type
  IPV6ANY      Filter IPv6 only
  NON_IPv6     Filter IPv4, Ether type
  ARP          Filter ARP request, reply
  ARP_REQUEST  Filter ARP request only
  ARP_REPLY    Filter ARP reply only
- Other keys (parameters):
  - DST_IP example: "DST_IP": "192.168.1.10/32"
  - SRC_IPV6 example: "SRC_IPV6": "2001::db:1"
    Caution: the type of the ACL table must be changed to "L3V6".
  - DST_IPV6 example: "DST_IPV6": "2001::db:2"
    Caution: the type of the ACL table must be changed to "L3V6".
  - ETHER_TYPE example: "ETHER_TYPE": "0x842" or "ETHER_TYPE": "2114"
  - L4_SRC_PORT example: "L4_SRC_PORT": "53"
  - L4_DST_PORT example: "L4_DST_PORT": "53"
  - IP_PROTOCOL example: "IP_PROTOCOL": "1"
  - L4_SRC_PORT_RANGE example: "L4_SRC_PORT_RANGE": "1028-4096"
  - L4_DST_PORT_RANGE example: "L4_DST_PORT_RANGE": "1028-4096"
  - ICMP_TYPE example: "ICMP_TYPE": "0"
  - ICMPV6_TYPE example: "ICMPV6_TYPE": "128"
    Caution: the type of the ACL table must be changed to "L3V6".
  - TCP_FLAGS example: "TCP_FLAGS": "16/255"
    Note:
    FIN = 0x01  "TCP_FLAGS": "1/255"
    SYN = 0x02  "TCP_FLAGS": "2/255"
    RST = 0x04  "TCP_FLAGS": "4/255"
    PSH = 0x08  "TCP_FLAGS": "8/255"
    ACK = 0x10  "TCP_FLAGS": "16/255"
    URG = 0x20  "TCP_FLAGS": "32/255"
    ECE = 0x40  "TCP_FLAGS": "64/255"
    CWR = 0x80  "TCP_FLAGS": "128/255"
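To see how the notes above fit together (priority order, the "value/mask" form of TCP_FLAGS, and the CTRLPLANE default "deny any" ACE), here is a small offline model of rule evaluation. It is an added example written for this article, not SONiC code or anything from the article's own material; the packet dictionary shape (src, dst, sport, dport, proto, tcp_flags, ip_version) and the NO_MATCH result for non-CTRLPLANE tables are assumptions of the model, and the rule sets are copied from the ACL_MGMT and ACL_ETH0 examples above.

```python
"""Offline model of how SONiC ACL_RULE entries are evaluated against one packet.

Assumed packet shape (not a SONiC structure): a dict with keys src, dst,
ip_version, proto, sport, dport, tcp_flags. Only IPv4 packets are modelled.
"""
import ipaddress

# Flag bit values as listed in the TCP_FLAGS note above.
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
                 "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def tcp_flags_spec(*names, mask=0xFF):
    """Encode flag names as the 'value/mask' string used by TCP_FLAGS."""
    value = 0
    for name in names:
        value |= TCP_FLAG_BITS[name]
    return f"{value}/{mask}"


def tcp_flags_hit(spec, packet_flags):
    """True when (packet_flags & mask) == value; a full mask (255) means an exact match."""
    value, mask = (int(x) for x in spec.split("/"))
    return (packet_flags & mask) == value


def _in_range(spec, port):
    lo, hi = (int(x) for x in spec.split("-"))   # e.g. "1028-4096"
    return lo <= port <= hi


def rule_matches(rule, pkt):
    """Every match field present in the rule must hit; action/priority keys are ignored."""
    checks = {
        "SRC_IP": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v, strict=False),
        "DST_IP": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v, strict=False),
        "IP_PROTOCOL": lambda v: int(v) == pkt.get("proto"),
        "L4_SRC_PORT": lambda v: int(v) == pkt.get("sport"),
        "L4_DST_PORT": lambda v: int(v) == pkt.get("dport"),
        "L4_SRC_PORT_RANGE": lambda v: _in_range(v, pkt.get("sport", -1)),
        "L4_DST_PORT_RANGE": lambda v: _in_range(v, pkt.get("dport", -1)),
        "TCP_FLAGS": lambda v: tcp_flags_hit(v, pkt.get("tcp_flags", 0)),
        # Subset of the IP_TYPE values above; non-IP frames are not modelled.
        "IP_TYPE": lambda v: {"ANY": True, "IP": True,
                              "IPV4ANY": pkt.get("ip_version") == 4,
                              "IPV6ANY": pkt.get("ip_version") == 6}.get(v, False),
    }
    return all(check(rule[field]) for field, check in checks.items() if field in rule)


def evaluate(table_type, rules, pkt):
    """Return the action of the highest-priority matching rule of one table.

    rules: the ACL_RULE entries of that table, keyed like 'ACL_MGMT|SSH_DROP'.
    A CTRLPLANE table ends with the default 'deny any' ACE described above, so a
    packet matching no rule is dropped. For other table types this model returns
    NO_MATCH rather than assume a data-plane default the article does not state.
    """
    ordered = sorted(rules.items(), key=lambda kv: int(kv[1]["PRIORITY"]), reverse=True)
    for _name, rule in ordered:
        if rule_matches(rule, pkt):
            return rule["PACKET_ACTION"]
    return "DROP" if table_type == "CTRLPLANE" else "NO_MATCH"


# Rule sets copied from the article's examples.
MGMT_RULES = {
    "ACL_MGMT|SSH_DROP": {"PACKET_ACTION": "DROP", "PRIORITY": "2", "SRC_IP": "188.188.36.36/32"},
    "ACL_MGMT|SSH_FORWARD": {"PACKET_ACTION": "ACCEPT", "PRIORITY": "1", "SRC_IP": "188.188.0.0/16"},
}
ETH0_RULES = {
    "ACL_ETH0|ACE_FORWARD": {"PACKET_ACTION": "FORWARD", "PRIORITY": "1", "IP_TYPE": "ANY"},
    "ACL_ETH0|ACE_DROP": {"PACKET_ACTION": "DROP", "PRIORITY": "2",
                          "SRC_IP": "192.168.1.10/32", "L4_SRC_PORT": "53"},
}


def ssh_packet(src):
    """Constructed IPv4 TCP SYN to port 22 from the given source (sample input)."""
    return {"src": src, "dst": "188.188.0.1", "ip_version": 4, "proto": 6,
            "sport": 40000, "dport": 22, "tcp_flags": TCP_FLAG_BITS["SYN"]}


if __name__ == "__main__":
    for src in ("188.188.36.36", "188.188.1.1", "10.0.0.1"):
        print(src, "->", evaluate("CTRLPLANE", MGMT_RULES, ssh_packet(src)))
    # The pitfall from the caution: only the DROP rule, no ACCEPT for the /16.
    only_drop = {"ACL_MGMT|SSH_DROP": MGMT_RULES["ACL_MGMT|SSH_DROP"]}
    print("188.188.1.1 with only the DROP rule ->", evaluate("CTRLPLANE", only_drop, ssh_packet("188.188.1.1")))
    print("SYN-only spec vs SYN+ACK packet:", tcp_flags_hit(tcp_flags_spec("SYN"), 0x12))
    print("SYN bit only masked:", tcp_flags_hit(tcp_flags_spec("SYN", mask=0x02), 0x12))
```

Running it shows the priority-2 DROP winning for 188.188.36.36, the priority-1 ACCEPT covering the rest of the /16, the default ACE dropping 10.0.0.1, and, once the ACCEPT rule is removed, the whole /16 being dropped. The last two lines show why the mask matters: "2/255" requires SYN to be the only flag set, while "2/2" tests only the SYN bit.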
Step 4: Reload the config and check the ACL rules with a SONiC command.
admin@sonic:~$ sudo config reload -y
...omitted
admin@sonic:~$ show acl rule
Table     Rule         Priority  Action    Match
--------  -----------  --------  --------  -----------------------
ACL_ETH0  ACE_DROP     2         DROP      L4_SRC_PORT: 53
                                           SRC_IP: 192.168.1.10/32
ACL_ETH0  ACE_FORWARD  1         FORWARD   IP_TYPE: ANY
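Because the tables and rules are written by hand into config_db.json and only checked at reload, it helps to run the restrictions and notes from this procedure over the file before `config reload`. The checker below is an added example written for this article, not an Edgecore or SONiC tool; it covers what the article states (LAG member ports not bindable, CTRLPLANE tables use "services" with SSH/SNMP, the action vocabulary per table type, IPv6 fields needing L3V6, port-range syntax, and the CTRLPLANE default "deny any" ACE). The set of LAG member ports is passed in as an assumption, since that lives elsewhere in config_db.json, and the sample configs are constructed from the article's examples.

```python
"""Offline sanity checks for ACL_TABLE / ACL_RULE entries in a SONiC config_db.json."""
import ipaddress

# Action key and accepted values per table type, as listed in the notes above.
ACTION_KEY = {"L3": "PACKET_ACTION", "L3V6": "PACKET_ACTION",
              "CTRLPLANE": "PACKET_ACTION", "MIRROR": "MIRROR_ACTION"}
ACTION_VALUES = {"L3": {"FORWARD", "DROP"}, "L3V6": {"FORWARD", "DROP"},
                 "CTRLPLANE": {"ACCEPT", "DROP"}}   # MIRROR takes a session name
IPV6_FIELDS = {"SRC_IPV6", "DST_IPV6", "ICMPV6_TYPE"}   # require type L3V6
CTRLPLANE_SERVICES = {"SSH", "SNMP"}


def validate_acl(config, lag_members=frozenset()):
    """Return a list of problem strings; an empty list means the ACL sections passed.

    lag_members: names of ports that are LAG members (assumed to be supplied by the
    caller from the PORTCHANNEL_MEMBER section; not derived here).
    """
    problems = []
    tables = config.get("ACL_TABLE", {})
    rules = config.get("ACL_RULE", {})

    for name, tbl in tables.items():
        ttype = tbl.get("type")
        if ttype not in ACTION_KEY:
            problems.append(f"{name}: unknown type {ttype!r}")
            continue
        if tbl.get("stage") not in ("ingress", "egress"):
            problems.append(f"{name}: stage must be ingress or egress")
        if ttype == "CTRLPLANE":
            if "ports" in tbl:
                problems.append(f"{name}: CTRLPLANE tables bind 'services', not 'ports'")
            bad = set(tbl.get("services", [])) - CTRLPLANE_SERVICES
            if bad:
                problems.append(f"{name}: unsupported services {sorted(bad)}")
        else:
            for port in tbl.get("ports", []):
                if port in lag_members:
                    problems.append(f"{name}: {port} is a LAG member; bind the LAG instead")

    has_accept = set()   # CTRLPLANE tables that contain at least one ACCEPT rule
    for key, rule in rules.items():
        tname, _, rname = key.partition("|")
        if not rname or tname not in tables:
            problems.append(f"{key}: rule key must be '<table>|<rule>' with a known table")
            continue
        ttype = tables[tname].get("type")
        if ttype not in ACTION_KEY:
            continue   # already reported on the table
        akey = ACTION_KEY[ttype]
        action = rule.get(akey)
        if action is None:
            problems.append(f"{key}: {ttype} rules need {akey}")
        elif ttype in ACTION_VALUES and action not in ACTION_VALUES[ttype]:
            problems.append(f"{key}: {akey} must be one of {sorted(ACTION_VALUES[ttype])}")
        if action == "ACCEPT":
            has_accept.add(tname)
        if not str(rule.get("PRIORITY", "")).isdigit():
            problems.append(f"{key}: PRIORITY must be a non-negative integer")
        if ttype != "L3V6" and IPV6_FIELDS.intersection(rule):
            problems.append(f"{key}: IPv6 match fields require table type L3V6")
        for field in ("SRC_IP", "DST_IP"):
            if field in rule:
                try:
                    ipaddress.IPv4Network(rule[field], strict=False)
                except ValueError:
                    problems.append(f"{key}: {field} {rule[field]!r} is not an IPv4 prefix")
        for field in ("L4_SRC_PORT_RANGE", "L4_DST_PORT_RANGE"):
            if field in rule:
                lo, _, hi = str(rule[field]).partition("-")
                if not (lo.isdigit() and hi.isdigit() and int(lo) <= int(hi) <= 65535):
                    problems.append(f"{key}: {field} must look like '1028-4096'")

    # Restriction 4: without an ACCEPT rule the default 'deny any' ACE drops everything.
    for name, tbl in tables.items():
        if tbl.get("type") == "CTRLPLANE" and name not in has_accept:
            problems.append(f"{name}: no ACCEPT rule; the default 'deny any' ACE will drop "
                            f"all other traffic to {tbl.get('services')}")
    return problems


# Constructed sample built from the article's ACL_MGMT and ACL_ETH0 examples.
GOOD_CONFIG = {
    "ACL_TABLE": {
        "ACL_MGMT": {"policy_desc": "drop_MGMT", "services": ["SSH", "SNMP"],
                     "stage": "ingress", "type": "CTRLPLANE"},
        "ACL_ETH0": {"policy_desc": "drop_1.0", "ports": ["Ethernet0"],
                     "stage": "ingress", "type": "L3"},
    },
    "ACL_RULE": {
        "ACL_MGMT|SSH_DROP": {"PACKET_ACTION": "DROP", "PRIORITY": "2", "SRC_IP": "188.188.36.36/32"},
        "ACL_MGMT|SSH_FORWARD": {"PACKET_ACTION": "ACCEPT", "PRIORITY": "1", "SRC_IP": "188.188.0.0/16"},
        "ACL_ETH0|ACE_DROP": {"PACKET_ACTION": "DROP", "PRIORITY": "2",
                              "SRC_IP": "192.168.1.10/32", "L4_SRC_PORT": "53"},
        "ACL_ETH0|ACE_FORWARD": {"PACKET_ACTION": "FORWARD", "PRIORITY": "1", "IP_TYPE": "ANY"},
    },
}

# Constructed bad config: a CTRLPLANE table with only a DROP rule, a LAG member
# bound directly, and an IPv6 match field in an L3 table.
BAD_CONFIG = {
    "ACL_TABLE": {
        "ACL_MGMT": {"services": ["SSH"], "stage": "ingress", "type": "CTRLPLANE"},
        "ACL_LAG": {"ports": ["Ethernet4"], "stage": "ingress", "type": "L3"},
    },
    "ACL_RULE": {
        "ACL_MGMT|ONLY_DROP": {"PACKET_ACTION": "DROP", "PRIORITY": "1", "SRC_IP": "188.188.36.36/32"},
        "ACL_LAG|V6": {"PACKET_ACTION": "FORWARD", "PRIORITY": "1", "SRC_IPV6": "2001::db:1"},
    },
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, validate_acl(cfg, lag_members={"Ethernet4"}) or "OK")
```

Pointed at a real file, the call is `validate_acl(json.load(open("/etc/sonic/config_db.json")), lag_members=...)`; the checks only read the two ACL sections, so they are safe to run on a copy of the file before the reload in Step 2 or Step 4.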