
An Access Control List (ACL) is a list of permissions attached to an object, used to filter or match packets the switch receives. When a packet matches a rule's pattern in the hardware lookup engine, the rule's action (e.g. permit/deny) is applied. The rule fields describe flow characteristics such as source and destination addresses, protocol and VLAN ID.

ACL support currently allows permit or deny actions, with or without mirroring, and supports the ingress direction only. The ACL search pattern can be taken from either L2 or L3 fields, e.g. L2/L3 source and destination addresses, protocol, VLAN ID and priority, or TCP port.

Configuring ACL

An ACL is configured by the user and bound to a port; its action takes effect once the ACL search engine matches a rule's search criteria against a received packet.

To configure an ACL:

  1. Create a MAC / IPv4 ACL (access-list) entity. Run:

    switch (config) # mac access-list mac-acl
    switch (config mac access-list mac-acl) #
  2. Add MAC / IP rules to the appropriate access-list. Run:

    switch (config mac access-list mac-acl) # seq-number 10 deny 0a:0a:0a:0a:0a:0a mask ff:ff:ff:ff:ff:ff any vlan 6 cos 2 protocol 80
  3. Bind the created access-list to an interface (port or LAG). Run:

    switch (config) # interface ethernet 1/1
    switch (config interface ethernet 1/1) # mac port access-group mac-acl
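The following is an added example, not code from the NVIDIA Onyx documentation: a small software model of the MAC access-list rule syntax used in step 2, so that mask semantics and rule ordering can be checked offline before a list is bound to a port. It assumes (the page does not state this) that rules are evaluated in ascending seq-number order, that the first hit wins, and that a packet hitting no rule yields None; the rules numbered 20 and 30 and the sample frame are constructed.

```python
# Added example, not from the NVIDIA Onyx documentation: a software model of the MAC
# access-list rule syntax above, for checking mask semantics and rule order offline.
# Assumed (not stated on the page): ascending seq-number order, first hit wins, no hit -> None.
from collections import namedtuple

FULL_MASK = 0xFFFFFFFFFFFF
MacRule = namedtuple("MacRule", "seq action src dst qualifiers")

def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

def parse_addr(tokens, i):
    """Consume '<mac> [mask <mask>]' or 'any'; return ((masked value, mask), next index)."""
    if tokens[i] == "any":
        return (0, 0), i + 1                      # mask 0 matches every address
    value, mask = mac_to_int(tokens[i]), FULL_MASK
    if i + 2 < len(tokens) and tokens[i + 1] == "mask":
        mask = mac_to_int(tokens[i + 2])
        return (value & mask, mask), i + 3
    return (value, mask), i + 1

def parse_rule(line: str) -> MacRule:
    """Parse 'seq-number N {permit|deny} <src> <dst> [vlan N] [cos N] [protocol N]'."""
    tokens = line.split()
    assert tokens[0] == "seq-number" and tokens[2] in ("permit", "deny"), line
    src, i = parse_addr(tokens, 3)
    dst, i = parse_addr(tokens, i)
    qualifiers = {tokens[j]: int(tokens[j + 1]) for j in range(i, len(tokens), 2)}
    return MacRule(int(tokens[1]), tokens[2], src, dst, qualifiers)

def matches(rule: MacRule, pkt: dict) -> bool:
    for (value, mask), addr in ((rule.src, pkt["src"]), (rule.dst, pkt["dst"])):
        if mac_to_int(addr) & mask != value:
            return False
    return all(pkt.get(key) == want for key, want in rule.qualifiers.items())

def evaluate(rules, pkt):
    """Return (action, seq) of the lowest-numbered matching rule, or None."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if matches(rule, pkt):
            return rule.action, rule.seq
    return None

# Constructed access-list: rule 10 is the page's own example; 20 and 30 are made up.
ACL = [parse_rule(line) for line in (
    "seq-number 10 deny 0a:0a:0a:0a:0a:0a mask ff:ff:ff:ff:ff:ff any vlan 6 cos 2 protocol 80",
    "seq-number 20 deny 00:11:22:00:00:00 mask ff:ff:ff:00:00:00 any",   # a whole OUI
    "seq-number 30 permit any any",
)]
# Constructed frame that hits rule 10; with vlan 7 it falls through to rule 30.
FRAME = {"src": "0a:0a:0a:0a:0a:0a", "dst": "ff:ff:ff:ff:ff:ff", "vlan": 6, "cos": 2, "protocol": 80}
```

Adding a lower-numbered "permit any any" in front of the deny shows why sequence numbers matter: it shadows every later rule.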

ACL Actions

An ACL action profile is a set of actions that is activated when a packet hits the ACL rule.

To modify the VLAN tag of the egress traffic as part of the ACL “permit” rule:

  1. Create access-list action profile:
    1. Create an action access-list profile using the command “access-list action <action-profile-name>”.
    2. Add rule to map a VLAN using the command “vlan-map <vlan-id>” within the action profile configuration mode.
    3. Add action on a rule to strip the VLAN from a packet using the command “vlan-pop” within the action profile configuration mode.
    4. Add action on a rule to append a VLAN to a packet using the command “vlan-push” within the action profile configuration mode.
  2. Create an access-list and bind the action profile to a rule:
    1. Create an access-list profile using the command “{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list”.
    2. Add an access-list rule using the command “deny/permit” with the “action <action-profile-name>” parameter.
  3. Bind the access-list to an interface using the command “{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group”.

    Create an action profile and add vlan mapping action:
    switch (config)# access-list action my-action
    switch (config access-list action my-action)# vlan-map 20
    switch (config access-list action my-action)# exit
    
    Create an access list and bind rules:
    switch (config)# mac access-list my-list
    switch (config mac access-list my-list)# permit any any action my-action
    switch (config mac access-list my-list)# exit
    
    Bind an access-list to a port:
    switch (config)# interface ethernet 1/1
    switch (config interface ethernet 1/1)# mac port access-group my-list

To mirror traffic to a monitor session as part of the ACL “permit” rule:

  1. Create access-list action profile:
    1. Create an action access-list profile using the command “access-list action <action-profile-name>”.
    2. Add a rule to mirror traffic to a monitor session using the command “monitor session” within the action profile configuration mode.
  2. Create an access-list and bind the action profile to a rule:
    1. Create an access-list profile using the command “{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list”.
    2. Add an access-list rule using the command “deny/permit” with the “action <action-profile-name>” parameter.
  3. Bind the access-list to an interface using the command “{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group”.

    Create an action profile and add monitor mapping action:
    switch (config)# access-list action my-action
    switch (config access-list action my-action)# monitor session 1
    switch (config access-list action my-action)# exit
    
    Create an access list and bind rules:
    switch (config)# mac access-list my-list
    switch (config mac access-list my-list)# permit any any vlan 10 action my-action
    switch (config mac access-list my-list)# exit
    
    Bind an access-list to a port:
    switch (config)# interface ethernet 1/1
    switch (config interface ethernet 1/1)# mac port access-group my-list
    switch (config interface ethernet 1/1)# exit

ACL Logging

ACL logging gives strong insight into the system. ACLs can log packets that pass through the switch, so the flows can later be analyzed.

A packet that hits an ACL with a log clause is passed to the logger. The logger writes the partial header of the packet (L2 or L3) to the syslog, with a timestamp and some additional information such as ingress interface and the VLAN to which the packet belongs.

To protect the system memory, a limited number of flows are collected for each time interval. If the number of flows for a specific time interval is exceeded, then no packets are logged for this time interval.

To further protect the system, a rate-limiter controls the number of packets passed to the CPU.

Only packets traversing the switch are logged. Packets that are passed to the CPU are not.

ACL Capability Summary 

The following table summarizes the ACL capabilities supported by NVIDIA Onyx.

Columns: ACL Table, Policy, Protocol, Keys, Actions, Supported Interfaces (Ingress Bind Point Only)

MAC
  Policy: Permit, Deny, Remark
  Protocol: N/A
  Keys: DST MAC (with mask), SRC MAC (with mask), Protocol, CoS, VLAN-ID, VLAN-group
  Actions: VLAN map, VLAN pop, VLAN push, Counter per rule, Shared counter to rules, Log, Policer, Mirroring
  Supported Interfaces: L2 port, LAG, MLAG, RIF, VLAN interface

IPv4
  Policy: Permit, Deny, Remark
  Protocol / Keys:
    IP: DST IP (incl. subnets), SRC IP (incl. subnets)
    TCP: DST IP (incl. subnets), SRC IP (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range), TCP flags, Establish flow
    UDP: DST IP (incl. subnets), SRC IP (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range)
    TCP-UDP: DST IP (incl. subnets), SRC IP (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range)
    ICMP: DST IP (incl. subnets), SRC IP (incl. subnets), Code, Type
  Actions: VLAN map, VLAN pop, VLAN push, Counter per rule, Shared counter to rules, Log, Policer, Mirroring
  Supported Interfaces: L2 port, LAG, MLAG, RIF, VLAN interface

IPv6
  Policy: Permit, Deny, Remark
  Protocol / Keys:
    IPv6: DST IPv6 (incl. subnets), SRC IPv6 (incl. subnets)
    TCP: DST IPv6 (incl. subnets), SRC IPv6 (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range), TCP flags, Establish flow
    UDP: DST IPv6 (incl. subnets), SRC IPv6 (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range)
    TCP-UDP: DST IPv6 (incl. subnets), SRC IPv6 (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range)
    ICMPv6: DST IPv6 (incl. subnets), SRC IPv6 (incl. subnets), Code, Type
  Actions: VLAN map, VLAN pop, VLAN push, Counter per rule, Shared counter to rules, Log, Policer, Mirroring
  Supported Interfaces: L2 port, LAG, MLAG, RIF, VLAN interface

MAC-UDK
  Policy: Permit, Deny, Remark
  Protocol: N/A
  Keys: DST MAC (with mask), SRC MAC (with mask), Protocol, CoS, VLAN-ID, VLAN-group, UDK1 (up to 4 bytes), UDK2 (up to 4 bytes), UDK3 (up to 4 bytes), UDK4 (up to 4 bytes)
  Actions: VLAN map, VLAN pop, VLAN push, Counter per rule, Shared counter to rules, Log, Policer, Mirroring
  Supported Interfaces: L2 port, LAG, MLAG, RIF, VLAN interface

IPv4-UDK
  Policy: Permit, Deny, Remark
  Protocol / Keys (every protocol below additionally keys on UDK1, UDK2, UDK3 and UDK4, each up to 4 bytes):
    IP: DST IP (incl. subnets), SRC IP (incl. subnets)
    TCP: DST IP (incl. subnets), SRC IP (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range), TCP flags, Establish flow
    UDP: DST IP (incl. subnets), SRC IP (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range)
    TCP-UDP: DST IP (incl. subnets), SRC IP (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range)
    ICMP: DST IP (incl. subnets), SRC IP (incl. subnets), Code, Type
  Actions: VLAN map, VLAN pop, VLAN push, Counter per rule, Shared counter to rules, Log, Policer, Mirroring
  Supported Interfaces: L2 port, LAG, MLAG, RIF, VLAN interface

*The maximum number of rules that can be configured per ACL type depends on the system resources utilized by the existing configuration. In order to reach the maximum number of rules, as defined in the table above, disable IP routing.


Additional Readings and Use Cases

For more information about this feature and its potential applications, please refer to the following community post:


ACL Commands