The ACL API

An Access Control List (ACL) filters the traffic passed from the switch into a VLAN according 
to permit and deny conditions applied to each packet. An ACL can therefore limit network 
traffic and restrict network use by particular subnets or hosts.

An ACL is an ordered set of Access Control Entries (ACEs) that represent permit and deny 
statements. For example,

permit tcp any host 10.1.1.2
deny tcp any any

Please note: the switch tests each packet against the ACE conditions one by one, so the 
order of ACEs is critical: the switch stops checking after the first match. If no ACE 
matches, the switch denies the packet.

Currently, the ACL API supports the following ACE pattern:

{permit | deny} protocol source [operator port] destination [operator port]

In the protocol position you can use the name of one of six supported protocols: ip, tcp, 
udp, gre, esp, ahp.

Both source and destination may be specified in one of three ways:
1. A whole subnet: network address and wildcard mask (Cisco notation must be used), 
separated by a space, e.g. '171.69.198.0 0.0.0.255'.
2. A single host: the keyword 'host' followed by an IP address, e.g. 'host 10.1.1.1'.
3. The keyword 'any', equivalent to '0.0.0.0 255.255.255.255' (any host).

An operator and a numeric port specify the source and/or destination port when the ACE 
protocol is tcp or udp. The following operators may be used in port definitions: eq (equal), 
gt (greater than), lt (less than), and range (requires two port numbers and denotes an 
inclusive range).

In addition to ACEs you can place remarks (comments) in an ACL. Remarks are usually there 
to make the ACL easier to understand.

Here are some examples of ACEs:

remark - allow HTTP from world to instance LAX1:210
permit tcp any host 10.1.1.1 eq 80
remark - allow 40000-41000 ports from VLAN LAX1:2071
permit udp 8.10.74.224 0.0.0.31 any range 40000 41000
remark - allow SSH from world
permit tcp any any eq 22
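The following is an added example, not code from this page or from the manage-vlan tool, that implements the ACE grammar above in Python. It parses permit/deny lines and remarks, enforces the semantic rules stated here (port operators only with tcp or udp, two port numbers for range, a Cisco wildcard mask for subnets), and evaluates a packet against the resulting list with the first-match and implicit-deny behaviour described earlier. SAMPLE_ACL is the page's example ACEs plus a constructed catch-all deny. Two assumptions the page does not state: wildcard masks are contiguous, and protocol ip matches traffic of any protocol.

```python
"""Parse, validate and evaluate Cisco-style ACEs of the form this page describes.
Added example, not the manage-vlan tool's own code; the ACL text below is constructed.
Assumptions: wildcard masks are contiguous, and protocol 'ip' matches every protocol."""
import ipaddress
from collections import namedtuple

PROTOCOLS = {"ip", "tcp", "udp", "gre", "esp", "ahp"}
OPERATORS = {"eq": 1, "gt": 1, "lt": 1, "range": 2}  # operator -> number of port arguments
# src_port / dst_port are None or (operator, ports), e.g. ("range", (40000, 41000))
Ace = namedtuple("Ace", "action protocol src src_port dst dst_port")

def _wildcard_to_prefixlen(wildcard: str) -> int:
    """Cisco wildcard (1 bits = don't care) -> prefix length; rejects non-contiguous masks."""
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefixlen = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard} is not supported here")
    return prefixlen

def _parse_address(tokens, pos):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (network, next_pos)."""
    if pos < len(tokens) and tokens[pos] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), pos + 1
    if pos + 1 >= len(tokens):
        raise ValueError("incomplete address: expected any | host A.B.C.D | A.B.C.D WILDCARD")
    if tokens[pos] == "host":
        return ipaddress.IPv4Network(f"{tokens[pos + 1]}/32"), pos + 2
    prefixlen = _wildcard_to_prefixlen(tokens[pos + 1])
    return ipaddress.IPv4Network((tokens[pos], prefixlen), strict=False), pos + 2

def _parse_port(tokens, pos, protocol):
    """Consume an optional 'eq|gt|lt|range port [port]' clause; return (clause, next_pos)."""
    if pos >= len(tokens) or tokens[pos] not in OPERATORS:
        return None, pos
    op, count = tokens[pos], OPERATORS[tokens[pos]]
    if protocol not in ("tcp", "udp"):
        raise ValueError(f"port operator '{op}' is only valid for tcp or udp, not {protocol}")
    values = tokens[pos + 1:pos + 1 + count]
    if len(values) != count or not all(v.isdigit() and int(v) <= 65535 for v in values):
        raise ValueError(f"'{op}' requires {count} port number(s) in 0-65535")
    ports = tuple(int(v) for v in values)
    if op == "range" and ports[0] > ports[1]:
        raise ValueError("range low port exceeds high port")
    return (op, ports), pos + 1 + count

def parse_ace(line: str):
    """Parse one ACL line into an Ace; remarks and blank lines yield None."""
    tokens = line.split()
    if not tokens or tokens[0] == "remark":
        return None
    if tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unknown action {tokens[0]!r}")
    if len(tokens) < 2 or tokens[1] not in PROTOCOLS:
        raise ValueError("protocol must be one of: " + ", ".join(sorted(PROTOCOLS)))
    src, pos = _parse_address(tokens, 2)
    src_port, pos = _parse_port(tokens, pos, tokens[1])
    dst, pos = _parse_address(tokens, pos)
    dst_port, pos = _parse_port(tokens, pos, tokens[1])
    if pos != len(tokens):
        raise ValueError("unexpected trailing tokens: " + " ".join(tokens[pos:]))
    return Ace(tokens[0], tokens[1], src, src_port, dst, dst_port)

def validate_acl(text: str):
    """Parse every line; return (aces, errors) with errors as 'line N: reason' strings."""
    aces, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            ace = parse_ace(line)
            if ace is not None:
                aces.append(ace)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return aces, errors

def _port_matches(clause, port: int) -> bool:
    if clause is None:  # no operator given: any port matches
        return True
    op, p = clause
    return {"eq": port == p[0], "gt": port > p[0], "lt": port < p[0],
            "range": p[0] <= port <= p[-1]}[op]  # range is inclusive

def evaluate(acl, protocol: str, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> str:
    """Return the action of the first matching ACE; with no match the implicit deny applies."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if (ace.protocol in ("ip", protocol) and src in ace.src and dst in ace.dst
                and _port_matches(ace.src_port, src_port) and _port_matches(ace.dst_port, dst_port)):
            return ace.action  # first match wins; later ACEs are never consulted
    return "deny"

# Constructed sample: the page's example ACEs followed by an explicit catch-all deny.
SAMPLE_ACL = """\
remark - allow HTTP from world to instance LAX1:210
permit tcp any host 10.1.1.1 eq 80
remark - allow 40000-41000 ports from VLAN LAX1:2071
permit udp 8.10.74.224 0.0.0.31 any range 40000 41000
remark - allow SSH from world
permit tcp any any eq 22
deny ip any any
"""
```

validate_acl(SAMPLE_ACL) returns the four ACEs and an empty error list; the subnet entry parses to 8.10.74.224/27. evaluate(aces, "tcp", "203.0.113.7", 51000, "10.1.1.1", 443) returns "deny": the first ACE fails on the port, the udp and port 22 entries do not apply, and the trailing deny ip any any matches. Without that trailing entry the result is the same, because no match falls through to the implicit deny. A line such as permit gre any eq 47 any is reported as a "line 1: ..." error, since a port operator is only allowed with tcp or udp.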

The following commands were added to the manage-vlan command:

* The "get-acl" command shows the VLAN ACL. By default the ACL is printed to the display; 
you can change this by specifying the optional --file parameter, in which case the ACL is 
written to the given file.

Usage examples:

manage-vlan get-acl --vlan-id NYM1:2071
manage-vlan get-acl --vlan-id NYM1:2071 --file nym1-vlan2071.acl

* The "validate-acl" command validates the syntax and semantics of the passed ACE(s). You 
can specify one of two allowed sources from which the ACE(s) are read: --file (the ACEs to 
validate are in the given file) or a lone dash (the ACEs are read from standard input).

Usage examples:

manage-vlan validate-acl --file nym1-vlan2071.aces
cat nym1-vlan2071.aces | manage-vlan validate-acl -

* The "set-acl" and "append-acl" commands make changes to the VLAN ACL. Please note: 
these commands are disabled until the ACL API has been sufficiently tested and stabilized. 
Detailed descriptions of these commands will be provided in a later notification, when the 
ACL API is ready for public use.

ACL Syntax and Validation

ACLs must be in a specific format to be read by the API. We have chosen the Cisco format.

{permit | deny} protocol source [operator port] destination [operator port]

For example:

permit tcp any host 10.1.1.2
deny tcp any any

* Possible protocol values: ip, tcp, udp, gre, esp, ahp
* Source and destination may be specified in one of three ways:
  1. The whole subnet: network address and wildcard mask (Cisco notation must be used), separated by a space, e.g. "171.69.198.0 0.0.0.255".
  2. A single host, e.g. "host 10.1.1.1".
  3. Any host, from 0.0.0.0 to 255.255.255.255: use "any".

An operator and a numeric port specify the source and/or destination port when the ACE protocol is tcp or udp. The following operators may be used in port definitions: eq (equal), gt (greater than), lt (less than), and range (requires two port numbers and denotes an inclusive range).

In addition to ACEs you can place remarks (comments) in an ACL. Remarks are usually there to make the ACL easier to understand.