Menu

ACL (Access Control List) Follow

Avatar
shark_huang 黃昭穎
  • Updated

Example: ACL

Restriction:

  1. There is no SONiC command to add ACL table and rules.
  2. LAG's member port shall not be added to the ACL Tables, or will be considered as invalid configuration and return fail.
  3. LAG ACL configurations will be automatically applied to all the LAG members.
  4. ACL table "CTRLPLANE" will affect all of the ports (front port + MGMT port)
  5. There's an issue for ACL table "services", no matter the "services" you set SSH or SNMP, all of SSH, SNMP packets will be blocked.

Reference model:

  • Switch model name: All
  • Edgecore SONiC version: SONiC.Edgecore-SONiC_20201123_130028_ec202006_74

Procedure :

Step 1: Create an ACL table on config_db.json

admin@sonic:/etc/sonic$ sudo vi config_db.json         
{
    ...
    "ACL_TABLE": {
        "ACL_ETH0": {
            "policy_desc": "drop_1.0",
            "ports": [
                "Ethernet0"
            ],
            "stage": "ingress",
            "type": "L3"
        }
    },
    ...
}

Note:

  • ACL_ETH0 is name of this ACL
  • Key "policy_desc" is for description. Value of policy_desc is JSON string "drop_1.0"
  • Value of ports is JSON array consist of name of physical interface, LAG or VLAN interface.  e.g 
    • "ports": ["Ethernet0", "Ethernet1"]
    • "ports": ["Vlan10"]
  • Key "stage" is for ACL direction.  The value is "ingress" or "egress".
  • Key "types" is the type of ACL. SONiC supports 4 types: L3, L3V6, CTRLPLANE, and MIRROR. (About the MIRROR, please refer to this article.)

    • Key "types" is CTRLPLANE, the "ports" should be replaced to the "services".
      "services" support 2 types:       SSH, SNMP
      Caution: there's a known issue about Restriction 5, no matter the "services" you set SSH or SNMP, all of SSH, SNMP packets will be blocked.

    • {
      …   
      "ACL_TABLE": {
              "ACL_ETH0": {
                  "policy_desc": "drop",
                  "services": [
                          "SSH"
                  ],
                  "stage": "ingress"
                  "type": "CTRLPLANE"
              }
          },

      }

Step 2: Reload config and check ACL table by SONiC command. 

admin@sonic:~$ sudo config reload -y
...omitted
admin@sonic:~$ show acl table 
Name      Type    Binding    Description
--------  ------  ---------  -------------
ACL_ETH0  L3      Ethernet0  drop_1.0

   Step 3: Create ACL rules on config_db.json

admin@sonic:/etc/sonic$ sudo vi config_db.json         
{
    ...
    "ACL_RULE": {
        "ACL_ETH0|ACE_FORWARD": {
            "PACKET_ACTION": "FORWARD",
            "PRIORITY": "1",
            "IP_TYPE": "ANY"
     },
        "ACL_ETH0|ACE_DROP": {
            "PACKET_ACTION": "DROP",
            "PRIORITY": "2",
            "SRC_IP": "192.168.1.10/32",
            "L4_SRC_PORT": "53"
        }
    },
    ...
}

Note:

  • Key "ACL_ETH0|ACE_FORWARD" and "ACL_ETH0|ACE_DROP" are the names of rules of ACL ACL_ETH0. 
  • If key "types" of ACL TABLE is L3 or L3V6, CTRLPLANE
    • Key in ACL rule is "PACKET_ACTION"
    • The value of "PACKET_ACTION" is FORWARD or DROP.
  • If key "types" of ACL table is MIRROR,
    • Key in ACL rule is "MIRROR_ACTION"
    • The value of "MIRROR_ACTION" is the name of mirror session
  • The number of priority is higher, it means priority is high.
    Take the above example, the priority 2 will match first.
  • Here are the values for "IP_TYPE": 
    ANY Filter IPv4, IPv6, Ether type
    IP Filter IPv4, IPv6
    NON_IP Filter Ether type only
    IPV4ANY Filter IPv4 only
    NON_IPv4 Filter IPv6, Ether type
    IPV6ANY Filter IPv6 only
    NON_IPv6 Filter IPv4, Ether type
    ARP Filter ARP request, reply
    ARP_REQUEST Filter ARP request only
    ARP_REPLY Filter ARP reply only
    Caution: NON_IP, NON_IPv4, NON_IPv6 could not work now.
  • Other keys(parameters):
  1. DST_IP example: "DST_IP": "192.168.1.10/32"
  2. SRC_IPV6 example: "SRC_IPV6": "2001::db:1"
    Caution: The type of the ACL table should be modified to "L3V6"
  3. DST_IPV6 example: "DST_IPV6": "2001::db:2"
    Caution: The type of the ACL table should be modified to "L3V6"
  4. ETHER_TYPE example:  "ETHER_TYPE": "0x842" or "ETHER_TYPE": "2114" 
  5. L4_SRC_PORT example: "L4_SRC_PORT": "53" 
  6. L4_DST_PORT example: "L4_DST_PORT": "53" 
  7. IP_PROTOCOL example: "IP_PROTOCOL": "1"
  8. L4_SRC_PORT_RANGE example: "L4_SRC_PORT_RANGE": "1028-4096"
  9. L4_DST_PORT_RANGE example: "L4_DST_PORT_RANGE": "1028-4096"
  10. ICMP_TYPE example: "ICMP_TYPE": "0"
  11. ICMPV6_TYPE example: "ICMPV6_TYPE": "128"
    Caution: The type of the ACL table should be modified to "L3V6"
  12. TCP_FLAGS example: "TCP_FLAGS": "16/255"
    Note:
    FIN =   0x01     "TCP_FLAGS": "1/255"
    SYN = 0x02      "TCP_FLAGS": "2/255"
    RST = 0x04      "TCP_FLAGS": "4/255"
    PSH = 0x08      "TCP_FLAGS": "8/255"
    ACK = 0x10      "TCP_FLAGS": "16/255"
    URG = 0x20     "TCP_FLAGS": "32/255"
    ECE = 0x40      "TCP_FLAGS": "64/255"
    CWR = 0x80     "TCP_FLAGS": "128/255"                 

Step 4. Check ACL rules by SONiC command

admin@sonic:~$ sudo config reload -y
...omitted
admin@sonic:~$ show acl rule                                                                                                                
Table     Rule         Priority    Action    Match
--------  -----------  ----------  --------  -----------------------
ACL_ETH0  ACE_DROP     2           DROP      L4_SRC_PORT: 53
                                             SRC_IP: 192.168.1.10/32
ACL_ETH0  ACE_FORWARD  1           FORWARD   IP_TYPE: ANY

Related articles

Comments

0 comments

Please sign in to leave a comment.

Articles in this section