NVIDIA Onyx User Manual v3.10.4302 (LTS)
NVIDIA MLNX-GW User Manual for NVIDIA Skyway Appliance v8.2.2200

Access Control List (ACL)

An Access Control List (ACL) is a list of permissions attached to an object, to filter or match switches packets. When the pattern is matched at the hardware lookup engine, a specified action (e.g. permit/deny) is applied. The rule fields represent flow characteristics such as source and destination addresses, protocol and VLAN ID.

ACL support currently allows actions of permit or deny rules, with or without mirroring, and supports only ingress direction. ACL search pattern can be taken from either L2 or L3 fields, e.g L2/L3 source and destination addresses, protocol, VLAN ID and priority or TCP port.

ACL is configured by the user and is applied to a port once the ACL search engine matches search criteria with a received packet.

To configure ACL:

  1. Create a MAC / IPv4 ACL (access-list) entity. Run:

    Copy
    Copied!
                

    switch (config) mac access-list mac-acl switch (config mac access-list mac-acl) #

  2. Add a MAC / IP rules to the appropriate access-list. Run:

    Copy
    Copied!
                

    switch (config mac access-list mac-acl) # seq-number 10 deny 0a:0a:0a:0a:0a:0a mask ff:ff:ff:ff:ff:ff any vlan 6 cos 2 protocol 80

  3. Bind the created access-list to an interface (port or LAG). Run:

    Copy
    Copied!
                

    switch (config) # interface ethernet 1/1 switch (config interface ethernet 1/1) # mac port access-group mac-acl

An ACL action is a set of actions can be activated in case the packet hits the ACL rule.

To modify the VLAN tag of the egress traffic as part of the ACL “permit” rule:

  1. Create access-list action profile:

    1. Create an action access-list profile using the command “access-list action <action-profile-name>”.

    2. Add rule to map a VLAN using the command “vlan-map <vlan-id>” within the action profile configuration mode.

    3. Add action on a rule to strip the VLAN from a packet using the command “vlan-pop” within the action profile configuration mode.

    4. Add action on a rule to append a VLAN to a packet using the command “vlan-push” within the action profile configuration mode.

  2. Create an access-list and bind the action rule:

    1. Create an access-list profile using the command “{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list”.

    2. Add access list rule using the command “deny/permit” (“action <action profile name>”).

  3. Bind the access-list to an interface using the command “{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group”.

    Copy
    Copied!
                

    Create an action profile and add vlan mapping action: switch (config)# access-list action my-action switch (config access-list action my-action)# vlan-map 20 switch (config access-list action my-action)# exit   Create an access list and bind rules: switch (config)# mac access-list my-list switch (config mac access-list my-list)# permit any any action my-action switch (config mac access-list my-list)# exit   Bind an access-list to a port: switch (config)# interface ethernet 1/1 switch (config interface ethernet 1/1)# mac access-list my-list

To mirror traffic to the monitor session as part of the ACL “permit” rule"

  1. Create access-list action profile:

    1. Create an action access-list profile using the command “access-list action ”.

    2. Add a rule to mirror traffic to monitor session using the command “monitor session” within the action profile configuration mode.

  2. Create an access-list and bind the action rule:

    1. Create an access-list profile using the command “{ipv4/ipv4-udk/ipv6/mac/mac-udk} access-list”.

    2. Add access list rule using the command “deny/permit” (“action ”).

  3. Bind the access-list to an interface using the command “{ipv4/ipv4-udk/ipv6/mac/mac-udk} port access-group

    Copy
    Copied!
                

    Create an action profile and add monitor mapping action: switch (config)# access-list action my-action switch (config access-list action my-action)# monitor session 1 switch (config access-list action my-action)# exit   Create an access list and bind rules: switch (config)# mac access-list my-list switch (config mac access-list my-list)# permit any any vlan 10 action my-action switch (config mac access-list my-list)# exit   Bind an access-list to a port: switch (config)# interface ethernet 1/1 switch (config interface ethernet 1/1)# mac access-list my-list switch (config interface ethernet 1/1)# exit

A strong insight into the system is given by ACL logging. ACLs can log packets that pass through the switch, so the flows can later be analyzed.

A packet that hits an ACL with a log clause is passed to the logger. The logger writes the partial header of the packet (L2 or L3) to the syslog, with a timestamp and some additional information such as ingress interface and the VLAN to which the packet belongs.

To protect the system memory, a limited number of flows are collected for each time interval. If the number of flows for a specific time interval is exceeded, then no packets are logged for this time interval.

To further protect the system, a rate-limiter controls the number of packets passed to the CPU.

Warning

Only packets traversing the switch are logged. Packets that are passed to the CPU are not.

The following table summarizes the ACL capabilities supported by NVIDIA Onyx.

ACL Table

Policy

Protocol

Keys

Actions

Supported Interfaces (Ingress Bind Point Only)

MAC

Permit

Deny

Remark

N/A

DST MAC (with mask)

SRC MAC (with mask)

Protocol

CoS

VLAN-ID

VLAN-group

VLAN map

VLAN pop

VLAN push

Counter per rule

Shared counter to rules

Log

Policer

Mirroring

L2 port

LAG

MLAG

RIF

VLAN interface

IPv4

Permit

Deny

Remark

IP

DST IP (incl. subnets)

SRC IP (incl. subnets)

VLAN map

VLAN pop

VLAN push

Counter per rule

Shared counter to rules

Log

Policer

Mirroring

L2 port

LAG

MLAG

RIF

VLAN interface

TCP

DST IP (incl. subnets)

SRC IP (incl. subnets)

L4 DST port (incl. range)

L4 SRC port (incl. range)

TCP flags

Establish flow

UDP

DST IP (incl. subnets)

SRC IP (incl. subnets)

L4 DST port (incl. range)

L4 SRC port (incl. range)

TCP-UDP

DST IP (incl. subnets)

SRC IP (incl. subnets)

L4 DST port (incl. range)

L4 SRC port (incl. range)

ICMP

DST IP (incl. subnets)

SRC IP (incl. subnets)

Code

Type

IPv6

Permit

Deny

Remark

IPv6

DST IPv6 (incl. subnets)

SRC IPv6 (incl. subnets)

VLAN map

VLAN pop

VLAN push

Counter per rule

Shared counter to rules

Log

Policer

Mirroring

L2 port

LAG

MLAG

RIF

VLAN interface

TCP

DST IPv6 (incl. subnets)

SRC IPv6 (incl. subnets)

L4 DST port (incl. range)

L4 SRC port (incl. range)

TCP flags

Establish flow

UDP

DST IPv6 (incl. subnets)

SRC IPv6 (incl. subnets)

L4 DST port (incl. range)

L4 SRC port (incl. range)

TCP-UDP

DST IPv6 (incl. subnets)

SRC IPv6 (incl. subnets)

L4 DST port (incl. range)

L4 SRC port (incl. range)

ICMPv6

DST IPv6 (incl. subnets)

SRC IPv6 (incl. subnets)

Code

Type

MAC-UDK

Permit

Deny

Remark

N/A

DST MAC (with mask)

SRC MAC (with mask)

Protocol

CoS

VLAN-ID

VLAN-group

UDK1 (up to 4 bytes)

UDK2 (up to 4 bytes)

UDK3 (up to 4 bytes)

UDK4 (up to 4 bytes)

VLAN map

VLAN pop

VLAN push

Counter per rule

Shared counter to rules

Log

Policer

Mirroring

L2 port

LAG

MLAG

RIF

VLAN interface

IPv4-UDK

Permit

Deny

Remark

IP

DST IP (incl. subnets)

SRC IP (incl. subnets)

UDK1 (up to 4 bytes)

UDK2 (up to 4 bytes)

UDK3 (up to 4 bytes)

UDK4 (up to 4 bytes)

VLAN map

VLAN pop

VLAN push

Counter per rule

Shared counter to rules

Log

Policer

Mirroring

L2 port

LAG

MLAG

RIF

VLAN interface

TCP

DST IP (incl. subnets)

SRC IP (incl. subnets)

L4 DST port (incl. range)

L4 SRC port (incl. range)

TCP flags

Establish flow

UDK1 (up to 4 bytes)

UDK2 (up to 4 bytes)

UDK3 (up to 4 bytes)

UDK4 (up to 4 bytes)

UDP

DST IP (incl. subnets)

SRC IP (incl. subnets)

L4 DST port (incl. range)

L4 SRC port (incl. range)

UDK1 (up to 4 bytes)

UDK2 (up to 4 bytes)

UDK3 (up to 4 bytes)

UDK4 (up to 4 bytes)

TCP-UDP

DST IP (incl. subnets)

SRC IP (incl. subnets)

L4 DST port (incl. range)

L4 SRC port (incl. range)

UDK1 (up to 4 bytes)

UDK2 (up to 4 bytes)

UDK3 (up to 4 bytes)

UDK4 (up to 4 bytes)

ICMP

DST IP (incl. subnets)

SRC IP (incl. subnets)

Code

Type

UDK1 (up to 4 bytes)

UDK2 (up to 4 bytes)

UDK3 (up to 4 bytes)

UDK4 (up to 4 bytes)

Warning

*The maximum number of rules that can be configured per ACL type depends on the system resources utilized by the existing configuration. In order to reach the maximum number of rules, as defined in the table above, disable IP routing.

For more information about this feature and its potential applications, please refer to the following community post:

© Copyright 2023, NVIDIA. Last updated on Nov 15, 2023.