Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 11 Next »

The ACL API

The Access Control List (ACL) filters packets passed from the AppNexus core switch into your VLAN. An ACL is made up of an ordered set of Access Control Entries (ACEs) that represent permit and deny statements applied to certain ports and incoming and destination IP addresses. For example, the below ACE permits TCP traffic from any IP address to the IP address 1.1.1.1.

permit tcp any host 1.1.1.1

Here is an example of an ACL made up of several ACEs. Note that the order of ACEs matters, because a core switch tests packets against ACEs one by one and stops checking after the first match. If no conditions match, the switch denies the packet.

remark - allow HTTP from world to instance LAX1:210
permit tcp any host 10.1.1.1 eq 80
remark - allow 40000-41000 ports from VALN LAX1:2071
permit udp 8.10.74.224 0.0.0.31 any range 40000 41000
remark - allow SSH from world
permit tcp any any eq 22

Manage-vlan Tool

Formerly, ACLs were set and modified though the AppNexus support team. Now you can set and modify them yourself with new parameters in the manage-vlan CLI tool.

 manage-vlan get-acl --vlan-id vlan_id [--file path]
 manage-vlan set-acl --vlan-id vlan_id (--file path | -) [--force]
 manage-vlan append-acl --vlan-id vlan_id (--file path | -)
 manage-vlan validate-acl (--file path | -)
  • manage-vlan get-acl. This command shows VLAN ACL. By default, the ACL is printed on display. You can change this behavior by means of specifying the --file optional parameter. In this case the ACL is placed in the corresponding file.

Usage examples:

manage-vlan get-acl --vlan-id NYM1:2071
manage-vlan get-acl --vlan-id NYM1:2071 --file nym1-vlan2071.acl
  • manage-vlan validate-acl. This command validates syntax and semantics of passed ACE(s). You can specify one of two allowed sources where ACE(s) should be read from: --file (ACEs to
    validate are placed in the corresponding file) or a lone dash (ACEs should be read from standard input).

Usage examples:

manage-vlan validate-acl --file nym1-vlan2071.aces 
cat nym1-vlan2071.aces | manage-vlan validate-acl -
  • manage-vlan set-acl. This command sets the VLAN ACL completely. If user attempts to clear VLAN ACL, they will be prompted to enter "-force" as a pre
    caution.

Usage examples:

  • manage-vlan append-acl. This command appends one or more new ACEs to the end of the current VLAN ACL.

Usage examples:

ACL Syntax and Validation

ACLs must be in a specific format to be read by the API. We have chosen the Cisco format.

{permit | deny} protocol source [operator port] destination [operator port]

For example:

permit tcp any host 10.1.1.2
deny tcp any any
  • Possible protocol values: ip, tcp, udp, gre, esp, ahp
  • Source and destination may be specified in one of three ways:

1. The whole subnet: network address and network mask (cisco notation must be used) separated by space symbol. E.g. "171.69.198.0 0.0.0.255".
2. A single host. E.g. "host 10.1.1.1".
3. Any host, from 0.0.0.0 to 255.255.255.255. Use "any".

An operator and numeric port specify source and/or destination port when ACE protocol is set to tcp or udp. The following operators may be presented in ports definitions: eq (equal), gt (greater than), lt (less than), and range (requires two ports numbers and represents inclusive range).

In addition to ACEs you can place remarks (comments) in ACLs. The remarks are needed usually for easier understanding the ACL. (question) how?

  • No labels