The ACL API

ACL Overview

The Access Control List (ACL) filters packets passed from our core switch into your VLAN. An ACL is an ordered set of Access Control Entries (ACEs): permit and deny statements that match on protocol, source and destination IP addresses, and ports. For example, the following ACE permits TCP traffic from any IP address to the host 1.1.1.1:

permit tcp any host 1.1.1.1

Here is an example of an ACL made up of several ACEs. Note that the order of ACEs matters: the core switch tests each packet against the ACEs one by one and stops at the first match. If no ACE matches, the switch denies the packet (implicit deny).

remark - allow HTTP from world to instance LAX1:210
permit tcp any host 68.67.169.12 eq 80
remark - allow UDP ports 40000-41000 from VLAN LAX1:2071 (a subnet of 256 IPs)
permit udp 64.208.138.0 0.0.0.255 any range 40000 41000
remark - allow SSH from world
permit tcp any any eq 22
remark - allow all TCP traffic (all source and destination ports) from 1.2.3.4 to the whole VLAN
permit tcp host 1.2.3.4 any


ACLs are set and modified by customers using the following subcommands of the manage-vlan CLI tool:

manage-vlan get-acl --vlan-id vlan_id [--file path] [--username]
manage-vlan set-acl --vlan-id vlan_id (--file path | -) [--force] [--username]
manage-vlan append-acl --vlan-id vlan_id (--file path | -) [--username]
manage-vlan validate-acl (--file path | -) [--username]


ACLs must be written in a specific format to be read by the API. We have chosen the Cisco format:

{permit | deny} protocol source [operator port] destination [operator port]

Here source and destination are written as any, as host A.B.C.D, or as an address followed by a wildcard mask (for example 64.208.138.0 0.0.0.255), as in the ACL example above; the port operators used on this page are eq and range.

Example:

permit tcp any host 1.2.3.4
deny tcp any any


In addition to ACEs you can place remarks (comments) in ACLs. Remarks are typically used to document the ACL so that it is easier to understand. For example:

remark - allow SSH from world
permit tcp any any eq 22

If you need to open SNMP to your instances/VLANs from outside our network, it is not enough to open port 161 via manage-vlan; an ACL on our border routers must also be opened. Please open a Support ticket requesting this.

Note

The set-acl and append-acl commands validate each ACE for syntactic correctness, but do not check whether the ACL as a whole makes functional sense. Because processing of an ACL stops at the first matching ACE, an ACE placed after a broader one that already matches the same traffic will never be reached.
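As an added example (not part of this page or of the manage-vlan tool), the following Python parses an ACL in the format described above and reports ACEs that an earlier ACE fully shadows, which is exactly the functional check that set-acl and append-acl do not perform. It assumes only the address forms (any, host, wildcard mask) and port operators (eq, range) shown on this page; the sample ACL is constructed for the example.

```python
import ipaddress
# Constructed sample ACL; its last ACE is unreachable because the one above already covers it.
SAMPLE_ACL = """\
remark - allow 40000-41000 from a /24, SSH from world
permit udp 64.208.138.0 0.0.0.255 any range 40000 41000
permit tcp any any eq 22
permit tcp host 1.2.3.4 any eq 22
"""
_ip = lambda s: int(ipaddress.IPv4Address(s))  # raises ValueError on a malformed address
def _addr(t):  # 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' -> ((ip, wildcard), rest)
    if t[0] == "any":
        return (0, 0xFFFFFFFF), t[1:]
    return ((_ip(t[1]), 0), t[2:]) if t[0] == "host" else ((_ip(t[0]), _ip(t[1])), t[2:])
def _ports(t):  # optional 'eq N' | 'range A B' (the operators this page shows) -> ((lo, hi), rest)
    n = {"eq": 1, "range": 2}.get(t[0] if t else None, 0)
    return ((int(t[1]), int(t[n])), t[n + 1:]) if n else ((0, 65535), t)

def parse_ace(line):
    """Parse one ACE into a dict; None for remarks and blank lines; ValueError if malformed."""
    t = line.split()
    if not t or t[0] == "remark":
        return None
    try:
        if t[0] not in ("permit", "deny"):
            raise ValueError("unknown action")
        src, rest = _addr(t[2:]); sport, rest = _ports(rest)
        dst, rest = _addr(rest); dport, rest = _ports(rest)
        if rest:
            raise ValueError("trailing tokens")
    except (IndexError, ValueError) as e:  # truncated lines surface as IndexError in the helpers
        raise ValueError(f"bad ACE {line!r}: {e}") from None
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport, "dst": dst, "dport": dport}
def _addr_covers(a, b):  # every address matching spec b also matches spec a
    fixed = ~a[1] & 0xFFFFFFFF  # bits that spec a requires to be exact
    return (fixed & b[1]) == 0 and ((a[0] ^ b[0]) & fixed) == 0
def covers(a, b):  # ACE a matches every packet ACE b matches, so b is unreachable after a
    return (a["proto"] in ("ip", b["proto"])
            and _addr_covers(a["src"], b["src"]) and _addr_covers(a["dst"], b["dst"])
            and a["sport"][0] <= b["sport"][0] <= b["sport"][1] <= a["sport"][1]
            and a["dport"][0] <= b["dport"][0] <= b["dport"][1] <= a["dport"][1])

def shadowed_aces(text):
    """Return 1-based line numbers of ACEs that an earlier ACE fully shadows (first match wins)."""
    aces, shadowed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if (ace := parse_ace(line)) is not None:
            if any(covers(prev, ace) for prev in aces):
                shadowed.append(lineno)
            aces.append(ace)
    return shadowed
```

Running shadowed_aces on an ACL before submitting it with set-acl flags rules that can never take effect, which is usually a sign the author intended a different order.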