An Access Control List (ACL) is a list of permissions attached to an object, to filter or match switches packets. When the pattern is matched at the hardware lookup engine, a specified action (e.g. permit/deny) is applied. The rule fields represent flow characteristics such as source and destination addresses, protocol and VLAN ID.
ACL support currently allows actions of permit or deny rules, with or without mirroring, and supports only ingress direction. ACL search pattern can be taken from either L2 or L3 fields, e.g L2/L3 source and destination addresses, protocol, VLAN ID and priority or TCP port.
ACL is configured by the user and is applied to a port once the ACL search engine matches search criteria with a received packet.
To configure ACL:
Create a MAC / IPv4 ACL (access-list) entity. Run:
switch(config) mac access-list mac-aclswitch(config mac access-list mac-acl) #Add a MAC / IP rules to the appropriate access-list. Run:
switch(config mac access-list mac-acl) # seq-number10deny 0a:0a:0a:0a:0a:0a mask ff:ff:ff:ff:ff:ff any vlan6cos2protocol80Bind the created access-list to an interface (port or LAG). Run:
switch(config) #interfaceethernet1/1switch(configinterfaceethernet1/1) # mac port access-group mac-acl
An ACL action is a set of actions can be activated in case the packet hits the ACL rule.
To modify the VLAN tag of the egress traffic as part of the ACL “permit” rule:
Create access-list action profile:
Create an action access-list profile using the command “access-list action <action-profile-name>”.
Add rule to map a VLAN using the command “vlan-map <vlan-id>” within the action profile configuration mode.
Add action on a rule to strip the VLAN from a packet using the command “vlan-pop” within the action profile configuration mode.
Add action on a rule to append a VLAN to a packet using the command “vlan-push” within the action profile configuration mode.
Create an access-list and bind the action rule:
Create an access-list profile using the command “{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list”.
Add access list rule using the command “deny/permit” (“action <action profile name>”).
Bind the access-list to an interface using the command “{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group”.
Create an action profile and add vlan mapping action:
switch(config)# access-list action my-actionswitch(config access-list action my-action)# vlan-map20switch(config access-list action my-action)# exit Create an access list and bind rules:switch(config)# mac access-list my-listswitch(config mac access-list my-list)# permit any any action my-actionswitch(config mac access-list my-list)# exit Bind an access-list to a port:switch(config)#interfaceethernet1/1switch(configinterfaceethernet1/1)# mac access-list my-list
To mirror traffic to the monitor session as part of the ACL “permit” rule"
Create access-list action profile:
Create an action access-list profile using the command “access-list action ”.
Add a rule to mirror traffic to monitor session using the command “monitor session” within the action profile configuration mode.
Create an access-list and bind the action rule:
Create an access-list profile using the command “{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list”.
Add access list rule using the command “deny/permit” (“action ”).
Bind the access-list to an interface using the command “{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group
Create an action profile and add monitor mapping action:
switch(config)# access-list action my-actionswitch(config access-list action my-action)# monitor session1switch(config access-list action my-action)# exit Create an access list and bind rules:switch(config)# mac access-list my-listswitch(config mac access-list my-list)# permit any any vlan10action my-actionswitch(config mac access-list my-list)# exit Bind an access-list to a port:switch(config)#interfaceethernet1/1switch(configinterfaceethernet1/1)# mac access-list my-listswitch(configinterfaceethernet1/1)# exit
A strong insight into the system is given by ACL logging. ACLs can log packets that pass through the switch, so the flows can later be analyzed.
A packet that hits an ACL with a log clause is passed to the logger. The logger writes the partial header of the packet (L2 or L3) to the syslog, with a timestamp and some additional information such as ingress interface and the VLAN to which the packet belongs.
To protect the system memory, a limited number of flows are collected for each time interval. If the number of flows for a specific time interval is exceeded, then no packets are logged for this time interval.
To further protect the system, a rate-limiter controls the number of packets passed to the CPU.
Only packets traversing the switch are logged. Packets that are passed to the CPU are not.
The following table summarizes the ACL capabilities supported by NVIDIA Onyx.
ACL Table | Policy | Protocol | Keys | Actions | Supported Interfaces (Ingress Bind Point Only) |
MAC | Permit | N/A | DST MAC (with mask) | VLAN map | L2 port |
IPv4 | Permit | IP | DST IP (incl. subnets) | VLAN map | L2 port |
TCP | DST IP (incl. subnets) | ||||
UDP | DST IP (incl. subnets) | ||||
TCP-UDP | DST IP (incl. subnets) | ||||
ICMP | DST IP (incl. subnets) | ||||
IPv6 | Permit | IPv6 | DST IPv6 (incl. subnets) | VLAN map | L2 port |
TCP | DST IPv6 (incl. subnets) | ||||
UDP | DST IPv6 (incl. subnets) | ||||
TCP-UDP | DST IPv6 (incl. subnets) | ||||
ICMPv6 | DST IPv6 (incl. subnets) | ||||
MAC-UDK | Permit | N/A | DST MAC (with mask) | VLAN map | L2 port |
IPv4-UDK | Permit | IP | DST IP (incl. subnets) | VLAN map | L2 port |
TCP | DST IP (incl. subnets) | ||||
UDP | DST IP (incl. subnets) | ||||
TCP-UDP | DST IP (incl. subnets) | ||||
ICMP | DST IP (incl. subnets) |
*The maximum number of rules that can be configured per ACL type depends on the system resources utilized by the existing configuration. In order to reach the maximum number of rules, as defined in the table above, disable IP routing.
For more information about this feature and its potential applications, please refer to the following community post: