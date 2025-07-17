
Access Control List (ACL)
An Access Control List (ACL) is a list of permissions attached to an object that filters or matches packets traversing the switch. When a packet matches a rule pattern in the hardware lookup engine, the rule's action (e.g. permit or deny) is applied. The rule fields represent flow characteristics such as source and destination addresses, protocol and VLAN ID.
ACL support currently allows permit or deny rules, with or without mirroring, and supports only the ingress direction. The ACL search pattern can be taken from either L2 or L3 fields, e.g. L2/L3 source and destination addresses, protocol, VLAN ID and priority, or TCP port.
An ACL is configured by the user and is applied on a port once the ACL search engine matches its search criteria against a received packet.
To configure an ACL:
1. Create a MAC / IPv4 ACL (access-list) entity. Run:
switch(config) # mac access-list mac-acl
switch(config mac access-list mac-acl) #
2. Add MAC / IP rules to the appropriate access-list. Run:
switch(config mac access-list mac-acl) # seq-number 10 deny 0a:0a:0a:0a:0a:0a mask ff:ff:ff:ff:ff:ff any vlan 6 cos 2 protocol 80
3. Bind the created access-list to an interface (port or LAG). Run:
switch(config) # interface ethernet 1/1
switch(config interface ethernet 1/1) # mac port access-group mac-acl
An ACL action is a set of actions that are activated when a packet hits the ACL rule.
To modify the VLAN tag of the egress traffic as part of the ACL “permit” rule:
1. Create an access-list action profile:
   - Create an action access-list profile using the command “access-list action <action-profile-name>”.
   - Add a rule to map a VLAN using the command “vlan-map <vlan-id>” within the action profile configuration mode.
   - Add an action on a rule to strip the VLAN from a packet using the command “vlan-pop” within the action profile configuration mode.
   - Add an action on a rule to append a VLAN to a packet using the command “vlan-push” within the action profile configuration mode.
2. Create an access-list and bind the action rule:
   - Create an access-list profile using the command “{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list”.
   - Add an access list rule using the command “deny/permit” (“action <action profile name>”).
   - Bind the access-list to an interface using the command “{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group”.
Create an action profile and add a VLAN mapping action:
switch(config)# access-list action my-action
switch(config access-list action my-action)# vlan-map 20
switch(config access-list action my-action)# exit
Create an access list and bind rules:
switch(config)# mac access-list my-list
switch(config mac access-list my-list)# permit any any action my-action
switch(config mac access-list my-list)# exit
Bind an access-list to a port:
switch(config)# interface ethernet 1/1
switch(config interface ethernet 1/1)# mac access-list my-list
To mirror traffic to a monitor session as part of the ACL “permit” rule:
1. Create an access-list action profile:
   - Create an action access-list profile using the command “access-list action <action-profile-name>”.
   - Add a rule to mirror traffic to a monitor session using the command “monitor session” within the action profile configuration mode.
2. Create an access-list and bind the action rule:
   - Create an access-list profile using the command “{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list”.
   - Add an access list rule using the command “deny/permit” (“action <action profile name>”).
   - Bind the access-list to an interface using the command “{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group”.
Create an action profile and add a monitor mapping action:
switch(config)# access-list action my-action
switch(config access-list action my-action)# monitor session 1
switch(config access-list action my-action)# exit
Create an access list and bind rules:
switch(config)# mac access-list my-list
switch(config mac access-list my-list)# permit any any vlan 10 action my-action
switch(config mac access-list my-list)# exit
Bind an access-list to a port:
switch(config)# interface ethernet 1/1
switch(config interface ethernet 1/1)# mac access-list my-list
switch(config interface ethernet 1/1)# exit
ACL logging gives strong insight into the system: ACLs can log packets that pass through the switch, so the flows can later be analyzed.
A packet that hits an ACL rule with a log clause is passed to the logger. The logger writes the partial header of the packet (L2 or L3) to the syslog, with a timestamp and additional information such as the ingress interface and the VLAN to which the packet belongs.
To protect system memory, only a limited number of flows is collected per time interval. If the number of flows for a specific time interval is exceeded, no further packets are logged for that time interval.
To further protect the system, a rate-limiter controls the number of packets passed to the CPU.
Only packets traversing the switch are logged; packets that are passed to the CPU are not.
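The following is an added example, not NVIDIA Onyx code: a small Python model of the ingress ACL behaviour described in the configuration procedure, the action-profile sections and the logging paragraphs above, useful for reasoning about rule order, mask matching and log suppression before committing a configuration. The class and field names (MacAcl, MacRule, ActionProfile, Packet, FlowLimitedLogger), the flow key used by the logger, the "permit" default when no rule matches, and the choice to suppress the remainder of an interval once the flow budget is exceeded are assumptions of this model, not documented platform behaviour.

```python
# Added example (not NVIDIA Onyx code): a model of the ingress ACL semantics
# described on this page: first-match rule order, masked MAC keys, action
# profiles on permit rules, and a flow-limited logger.
from dataclasses import dataclass
from typing import Optional

FULL_MASK = "ff:ff:ff:ff:ff:ff"

def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

def mac_match(value: str, pattern: str, mask: str) -> bool:
    # "any" matches everything; otherwise only the bits set in mask are compared
    if pattern == "any":
        return True
    m = mac_to_int(mask)
    return (mac_to_int(value) & m) == (mac_to_int(pattern) & m)

@dataclass
class Packet:                    # field names are this example's assumptions
    src_mac: str
    dst_mac: str
    vlan: Optional[int] = None   # None models an untagged frame
    cos: int = 0
    protocol: int = 0            # the L2 "protocol" key used in the page's rule

@dataclass
class ActionProfile:             # models an "access-list action" profile
    vlan_map: Optional[int] = None
    vlan_pop: bool = False
    vlan_push: Optional[int] = None
    monitor_session: Optional[int] = None

@dataclass
class MacRule:
    seq: int
    verdict: str                 # "permit" or "deny"
    src: str = "any"
    src_mask: str = FULL_MASK
    dst: str = "any"
    dst_mask: str = FULL_MASK
    vlan: Optional[int] = None   # None means "don't care" for that key
    cos: Optional[int] = None
    protocol: Optional[int] = None
    log: bool = False
    action: Optional[ActionProfile] = None

    def matches(self, p: Packet) -> bool:
        return (mac_match(p.src_mac, self.src, self.src_mask)
                and mac_match(p.dst_mac, self.dst, self.dst_mask)
                and self.vlan in (None, p.vlan) and self.cos in (None, p.cos)
                and self.protocol in (None, p.protocol))

class FlowLimitedLogger:
    """At most max_flows distinct flows per interval; once exceeded, nothing more
    is logged until the next interval (flow key and counters are assumptions)."""
    def __init__(self, max_flows: int, interval_s: float):
        self.max_flows, self.interval_s = max_flows, interval_s
        self.bucket, self.flows, self.suppressed = None, set(), False

    def log(self, now: float, p: Packet, rule: MacRule) -> bool:
        bucket = int(now // self.interval_s)
        if bucket != self.bucket:          # new interval: reset the flow budget
            self.bucket, self.flows, self.suppressed = bucket, set(), False
        flow = (p.src_mac, p.dst_mac, p.vlan, p.protocol)
        if self.suppressed or (flow not in self.flows and len(self.flows) >= self.max_flows):
            self.suppressed = True
            return False
        self.flows.add(flow)               # a real logger writes the header to syslog here
        return True

class MacAcl:
    """First match in ascending seq-number order wins, as in the hardware lookup."""
    def __init__(self, rules, logger: FlowLimitedLogger, default_verdict="permit"):
        self.rules, self.logger = sorted(rules, key=lambda r: r.seq), logger
        self.default_verdict = default_verdict   # platform default is not stated on the page

    def apply(self, p: Packet, now: float = 0.0) -> dict:
        rule = next((r for r in self.rules if r.matches(p)), None)
        out = {"seq": None, "verdict": self.default_verdict,
               "egress_vlan": p.vlan, "mirror": None, "logged": False}
        if rule is None:
            return out
        out["seq"], out["verdict"] = rule.seq, rule.verdict
        if rule.log:
            out["logged"] = self.logger.log(now, p, rule)
        a = rule.action if rule.verdict == "permit" else None  # actions ride on permit
        if a is not None:
            out["mirror"] = a.monitor_session
            if a.vlan_map is not None:
                out["egress_vlan"] = a.vlan_map
            if a.vlan_pop:
                out["egress_vlan"] = None
            if a.vlan_push is not None:
                out["egress_vlan"] = a.vlan_push   # outer tag after the push
        return out

def build_page_example(max_flows: int = 2, interval_s: float = 1.0) -> MacAcl:
    """The page's rules: seq 10 deny ... vlan 6 cos 2 protocol 80, then a permit
    carrying the my-action profile (vlan-map 20, monitor session 1) with logging."""
    return MacAcl([
        MacRule(10, "deny", src="0a:0a:0a:0a:0a:0a", vlan=6, cos=2, protocol=80),
        MacRule(20, "permit", log=True,
                action=ActionProfile(vlan_map=20, monitor_session=1)),
    ], FlowLimitedLogger(max_flows, interval_s))
```

Running `build_page_example().apply(Packet(...))` shows the two behaviours worth checking before deploying such a list: a frame from 0a:0a:0a:0a:0a:0a that misses any one of the vlan/cos/protocol keys falls through the deny at seq 10 to the permit at seq 20 (and is then re-tagged and mirrored), and, with a small flow budget, the logger stops recording once the per-interval limit is exceeded, so absence of log lines does not prove absence of traffic.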
The following table summarizes the ACL capabilities supported by NVIDIA Onyx.
ACL Table (columns: Policy | Protocol | Keys | Actions | Supported Interfaces (ingress bind point only))

MAC
  Policy: Permit, Deny, Remark
  Protocol: N/A
  Keys: DST MAC (with mask), SRC MAC (with mask), Protocol, CoS, VLAN-ID, VLAN-group
  Actions: VLAN map, VLAN pop, VLAN push, Counter per rule, Shared counter to rules, Log, Policer, Mirroring
  Supported interfaces: L2 port, LAG, MLAG, RIF, VLAN interface

IPv4
  Policy: Permit, Deny, Remark
  Keys by protocol:
    IP: DST IP (incl. subnets), SRC IP (incl. subnets)
    TCP: DST IP (incl. subnets), SRC IP (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range), TCP flags, Establish flow
    UDP: DST IP (incl. subnets), SRC IP (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range)
    TCP-UDP: DST IP (incl. subnets), SRC IP (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range)
    ICMP: DST IP (incl. subnets), SRC IP (incl. subnets), Code, Type
  Actions: VLAN map, VLAN pop, VLAN push, Counter per rule, Shared counter to rules, Log, Policer, Mirroring
  Supported interfaces: L2 port, LAG, MLAG, RIF, VLAN interface

IPv6
  Policy: Permit, Deny, Remark
  Keys by protocol:
    IPv6: DST IPv6 (incl. subnets), SRC IPv6 (incl. subnets)
    TCP: DST IPv6 (incl. subnets), SRC IPv6 (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range), TCP flags, Establish flow
    UDP: DST IPv6 (incl. subnets), SRC IPv6 (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range)
    TCP-UDP: DST IPv6 (incl. subnets), SRC IPv6 (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range)
    ICMPv6: DST IPv6 (incl. subnets), SRC IPv6 (incl. subnets), Code, Type
  Actions: VLAN map, VLAN pop, VLAN push, Counter per rule, Shared counter to rules, Log, Policer, Mirroring
  Supported interfaces: L2 port, LAG, MLAG, RIF, VLAN interface

MAC-UDK
  Policy: Permit, Deny, Remark
  Protocol: N/A
  Keys: DST MAC (with mask), SRC MAC (with mask), Protocol, CoS, VLAN-ID, VLAN-group, UDK1 (up to 4 bytes), UDK2 (up to 4 bytes), UDK3 (up to 4 bytes), UDK4 (up to 4 bytes)
  Actions: VLAN map, VLAN pop, VLAN push, Counter per rule, Shared counter to rules, Log, Policer, Mirroring
  Supported interfaces: L2 port, LAG, MLAG, RIF, VLAN interface

IPv4-UDK
  Policy: Permit, Deny, Remark
  Keys by protocol (each protocol additionally supports UDK1, UDK2, UDK3 and UDK4, up to 4 bytes each):
    IP: DST IP (incl. subnets), SRC IP (incl. subnets), UDK1-UDK4
    TCP: DST IP (incl. subnets), SRC IP (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range), TCP flags, Establish flow, UDK1-UDK4
    UDP: DST IP (incl. subnets), SRC IP (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range), UDK1-UDK4
    TCP-UDP: DST IP (incl. subnets), SRC IP (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range), UDK1-UDK4
    ICMP: DST IP (incl. subnets), SRC IP (incl. subnets), Code, Type, UDK1-UDK4
  Actions: VLAN map, VLAN pop, VLAN push, Counter per rule, Shared counter to rules, Log, Policer, Mirroring
  Supported interfaces: L2 port, LAG, MLAG, RIF, VLAN interface
*The maximum number of rules that can be configured per ACL type depends on the system resources utilized by the existing configuration. In order to reach the maximum number of rules, as defined in the table above, disable IP routing.
