Access Control List (ACL)
An Access Control List (ACL) is a list of permissions attached to an object, used to filter or match packets passing through the switch. When a pattern is matched by the hardware lookup engine, the specified action (e.g. permit/deny) is applied. The rule fields represent flow characteristics such as source and destination addresses, protocol and VLAN ID.
ACL support currently allows permit or deny rules, with or without mirroring, and supports only the ingress direction. The ACL search pattern can be taken from either L2 or L3 fields, e.g. L2/L3 source and destination addresses, protocol, VLAN ID and priority, or TCP port.
An ACL is configured by the user and bound to a port; its action is applied once the ACL search engine matches a received packet against the rule's search criteria.
To configure ACL:
Create a MAC / IPv4 ACL (access-list) entity. Run:
switch (config) # mac access-list mac-acl
switch (config mac access-list mac-acl) #
Add MAC / IP rules to the appropriate access-list. Run:
switch (config mac access-list mac-acl) # seq-number 10 deny 0a:0a:0a:0a:0a:0a mask ff:ff:ff:ff:ff:ff any vlan 6 cos 2 protocol 80
Bind the created access-list to an interface (port or LAG). Run:
switch (config) # interface ethernet 1/1
switch (config interface ethernet 1/1) # mac port access-group mac-acl
An ACL action is a set of actions that are activated when a packet hits the ACL rule.
To modify the VLAN tag of the egress traffic as part of the ACL “permit” rule:
Create access-list action profile:
Create an action access-list profile using the command “access-list action <action-profile-name>”.
Add rule to map a VLAN using the command “vlan-map <vlan-id>” within the action profile configuration mode.
Add action on a rule to strip the VLAN from a packet using the command “vlan-pop” within the action profile configuration mode.
Add action on a rule to append a VLAN to a packet using the command “vlan-push” within the action profile configuration mode.
Create an access-list and bind the action rule:
Create an access-list profile using the command “{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list”.
Add access list rule using the command “deny/permit” (“action <action profile name>”).
Bind the access-list to an interface using the command “{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group”.
Create an action profile and add vlan mapping action:
switch (config) # access-list action my-action
switch (config access-list action my-action) # vlan-map 20
switch (config access-list action my-action) # exit
Create an access list and bind rules:
switch (config) # mac access-list my-list
switch (config mac access-list my-list) # permit any any action my-action
switch (config mac access-list my-list) # exit
Bind an access-list to a port:
switch (config) # interface ethernet 1/1
switch (config interface ethernet 1/1) # mac access-list my-list
To mirror traffic to the monitor session as part of the ACL “permit” rule:
Create access-list action profile:
Create an action access-list profile using the command “access-list action <action-profile-name>”.
Add a rule to mirror traffic to a monitor session using the command “monitor session” within the action profile configuration mode.
Create an access-list and bind the action rule:
Create an access-list profile using the command “{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list”.
Add an access list rule using the command “deny/permit” (“action <action-profile-name>”).
Bind the access-list to an interface using the command “{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group”.
Create an action profile and add monitor mapping action:
switch (config) # access-list action my-action
switch (config access-list action my-action) # monitor session 1
switch (config access-list action my-action) # exit
Create an access list and bind rules:
switch (config) # mac access-list my-list
switch (config mac access-list my-list) # permit any any vlan 10 action my-action
switch (config mac access-list my-list) # exit
Bind an access-list to a port:
switch (config) # interface ethernet 1/1
switch (config interface ethernet 1/1) # mac access-list my-list
switch (config interface ethernet 1/1) # exit
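A software model of the ingress lookup behind the MAC ACL configured in the first procedure and the action-profile binding of the two procedures above; it is an added illustration, not NVIDIA Onyx code. It assumes the first MAC in a rule is the source, that a no-match verdict is supplied by the caller (the page does not state the implicit default), and it models only the vlan-map and vlan-pop actions; rule 20 is a constructed extra rule showing an OUI-prefix mask.

```python
# Added example (not NVIDIA Onyx code): a software model of the ingress MAC ACL
# lookup configured above. Rules are tried in seq-number order, the first match
# wins, MAC keys are compared under their mask, and the winning rule's bound
# action profile is applied to the egress VLAN tag (vlan-map / vlan-pop only).
from dataclasses import dataclass
from typing import Optional
def mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

@dataclass
class MacRule:
    seq: int
    action: str                        # "permit" or "deny"
    src: Optional[str] = None          # None models the "any" keyword
    src_mask: str = "ff:ff:ff:ff:ff:ff"
    dst: Optional[str] = None
    dst_mask: str = "ff:ff:ff:ff:ff:ff"
    vlan: Optional[int] = None
    cos: Optional[int] = None
    protocol: Optional[int] = None
    profile: Optional[str] = None      # name given with "action <profile>", if any

    def matches(self, pkt: dict) -> bool:
        # Assumption: in "deny <mac> mask <m> any" the first MAC is the source.
        for fld, mask in (("src", self.src_mask), ("dst", self.dst_mask)):
            want, m = getattr(self, fld), mac_int(mask)
            if want is not None and (mac_int(pkt[fld]) & m) != (mac_int(want) & m):
                return False
        return all(getattr(self, f) is None or pkt.get(f) == getattr(self, f)
                   for f in ("vlan", "cos", "protocol"))

def lookup(acl, pkt, default="permit"):
    """First match in seq order wins; no-match verdict is the caller's 'default' (assumed)."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule.matches(pkt):
            return rule.action, rule.seq, rule.profile
    return default, None, None

PROFILES = {"my-action": {"vlan-map": 20}}   # "access-list action my-action" / "vlan-map 20"
def apply_profile(pkt: dict, profile: Optional[str]) -> dict:
    out = dict(pkt)                     # the tag rewrite happens on egress, after the lookup
    for act, arg in PROFILES.get(profile, {}).items():
        if act == "vlan-map": out["vlan"] = arg
        elif act == "vlan-pop": out.pop("vlan", None)
    return out

# The ACLs from the page; rule 20 is constructed to show an OUI-prefix mask.
MAC_ACL = [MacRule(20, "deny", src="0a:0a:0a:00:00:00", src_mask="ff:ff:ff:00:00:00"),
           MacRule(10, "deny", src="0a:0a:0a:0a:0a:0a", vlan=6, cos=2, protocol=80)]
MY_LIST = [MacRule(10, "permit", vlan=10, profile="my-action")]
```

Note that a packet from the same source on VLAN 7 falls past rule 10 and is caught by the masked rule 20, which is the first-match behaviour to keep in mind when ordering seq-numbers.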
ACL logging gives strong insight into the system: ACLs can log packets that pass through the switch, so the flows can later be analyzed.
A packet that hits an ACL with a log clause is passed to the logger. The logger writes the partial header of the packet (L2 or L3) to the syslog, with a timestamp and some additional information such as ingress interface and the VLAN to which the packet belongs.
To protect the system memory, a limited number of flows are collected for each time interval. If the number of flows for a specific time interval is exceeded, then no packets are logged for this time interval.
To further protect the system, a rate-limiter controls the number of packets passed to the CPU.
Only packets traversing the switch are logged. Packets that are passed to the CPU are not.
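A model of the per-interval flow cap described above, added here as an illustration and not Onyx's own implementation; the cap value, the interval length and the flow key (ingress port, VLAN, source, destination) are assumptions, and the traffic is constructed. It shows the failure mode a defender should expect: once the cap is exceeded, the rest of that interval produces no log lines at all, so an empty log does not mean an empty wire.

```python
# Added example (not NVIDIA Onyx code): a model of the ACL-logging budget
# described above. Distinct flows are counted per time interval; once the cap
# is exceeded nothing more is logged for that interval, so a burst of many new
# flows blanks the log. Cap, interval length and the flow key are assumptions.
from collections import defaultdict

FLOW_CAP = 3         # assumed value; the page gives no number
INTERVAL_SECS = 60   # assumed interval length

class AclLogger:
    def __init__(self, cap=FLOW_CAP, interval=INTERVAL_SECS):
        self.cap, self.interval = cap, interval
        self.flows = defaultdict(set)    # interval slot -> flow keys seen
        self.blanked = set()             # slots whose flow cap was exceeded
        self.records = []                # the syslog-style lines actually written

    def log(self, ts: float, pkt: dict) -> bool:
        """Called for a packet that hit a rule with a log clause. Returns True if logged."""
        slot = int(ts // self.interval)
        if slot in self.blanked:
            return False
        flow = (pkt["in_port"], pkt["vlan"], pkt["src"], pkt["dst"])
        seen = self.flows[slot]
        if flow not in seen and len(seen) >= self.cap:
            self.blanked.add(slot)       # cap exceeded: drop logging for the whole interval
            return False
        seen.add(flow)
        self.records.append(f"{ts:.0f} ACL-LOG in={pkt['in_port']} vlan={pkt['vlan']} "
                            f"src={pkt['src']} dst={pkt['dst']}")
        return True

def replay(logger: AclLogger, events) -> list:
    """Feed (ts, pkt) events; return which ones were logged."""
    return [logger.log(ts, pkt) for ts, pkt in events]

def demo_events():
    """Constructed traffic: three flows, a fourth new flow, a repeat, then the next interval."""
    def pkt(src, vlan=6): return {"in_port": "eth1/1", "vlan": vlan, "src": src, "dst": "ff:ff:ff:ff:ff:ff"}
    return [(1, pkt("0a:0a:0a:0a:0a:01")), (2, pkt("0a:0a:0a:0a:0a:02")), (3, pkt("0a:0a:0a:0a:0a:03")),
            (10, pkt("0a:0a:0a:0a:0a:04")),   # 4th distinct flow: cap exceeded, interval blanked
            (20, pkt("0a:0a:0a:0a:0a:01")),   # repeat of a known flow: still not logged
            (70, pkt("0a:0a:0a:0a:0a:01"))]   # new interval: logging resumes
```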
The following table summarizes the ACL capabilities supported by NVIDIA Onyx.
ACL Table (empty cells continue the value of the row above):

| ACL Table | Policy | Protocol | Keys | Actions | Supported Interfaces (Ingress Bind Point Only) |
|---|---|---|---|---|---|
| MAC | Permit, Deny, Remark | N/A | DST MAC (with mask), SRC MAC (with mask), Protocol, CoS, VLAN-ID, VLAN-group | VLAN map, VLAN pop, VLAN push, Counter per rule, Shared counter to rules, Log, Policer, Mirroring | L2 port, LAG, MLAG, RIF, VLAN interface |
| IPv4 | Permit, Deny, Remark | IP | DST IP (incl. subnets), SRC IP (incl. subnets) | VLAN map, VLAN pop, VLAN push, Counter per rule, Shared counter to rules, Log, Policer, Mirroring | L2 port, LAG, MLAG, RIF, VLAN interface |
| | | TCP | DST IP (incl. subnets), SRC IP (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range), TCP flags, Establish flow | | |
| | | UDP | DST IP (incl. subnets), SRC IP (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range) | | |
| | | TCP-UDP | DST IP (incl. subnets), SRC IP (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range) | | |
| | | ICMP | DST IP (incl. subnets), SRC IP (incl. subnets), Code, Type | | |
| IPv6 | Permit, Deny, Remark | IPv6 | DST IPv6 (incl. subnets), SRC IPv6 (incl. subnets) | VLAN map, VLAN pop, VLAN push, Counter per rule, Shared counter to rules, Log, Policer, Mirroring | L2 port, LAG, MLAG, RIF, VLAN interface |
| | | TCP | DST IPv6 (incl. subnets), SRC IPv6 (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range), TCP flags, Establish flow | | |
| | | UDP | DST IPv6 (incl. subnets), SRC IPv6 (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range) | | |
| | | TCP-UDP | DST IPv6 (incl. subnets), SRC IPv6 (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range) | | |
| | | ICMPv6 | DST IPv6 (incl. subnets), SRC IPv6 (incl. subnets), Code, Type | | |
| MAC-UDK | Permit, Deny, Remark | N/A | DST MAC (with mask), SRC MAC (with mask), Protocol, CoS, VLAN-ID, VLAN-group, UDK1, UDK2, UDK3, UDK4 (up to 4 bytes each) | VLAN map, VLAN pop, VLAN push, Counter per rule, Shared counter to rules, Log, Policer, Mirroring | L2 port, LAG, MLAG, RIF, VLAN interface |
| IPv4-UDK | Permit, Deny, Remark | IP | DST IP (incl. subnets), SRC IP (incl. subnets), UDK1, UDK2, UDK3, UDK4 (up to 4 bytes each) | VLAN map, VLAN pop, VLAN push, Counter per rule, Shared counter to rules, Log, Policer, Mirroring | L2 port, LAG, MLAG, RIF, VLAN interface |
| | | TCP | DST IP (incl. subnets), SRC IP (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range), TCP flags, Establish flow, UDK1, UDK2, UDK3, UDK4 (up to 4 bytes each) | | |
| | | UDP | DST IP (incl. subnets), SRC IP (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range), UDK1, UDK2, UDK3, UDK4 (up to 4 bytes each) | | |
| | | TCP-UDP | DST IP (incl. subnets), SRC IP (incl. subnets), L4 DST port (incl. range), L4 SRC port (incl. range), UDK1, UDK2, UDK3, UDK4 (up to 4 bytes each) | | |
| | | ICMP | DST IP (incl. subnets), SRC IP (incl. subnets), Code, Type, UDK1, UDK2, UDK3, UDK4 (up to 4 bytes each) | | |
*The maximum number of rules that can be configured per ACL type depends on the system resources utilized by the existing configuration. In order to reach the maximum number of rules, as defined in the table above, disable IP routing.
For more information about this feature and its potential applications, please refer to the following community post: