The ACL API
The Access Control List (ACL) filters packets passed from the AppNexus core switch into your VLAN. An ACL is made up of an ordered set of Access Control Entries (ACEs), which are permit and deny statements applied to particular ports and to source and destination IP addresses. For example, the ACE below permits TCP traffic from any IP address to the IP address 18.104.22.168.
Here is an example of an ACL made up of several ACEs. Note that the order of the ACEs matters, because the core switch tests each packet against the ACEs one by one and stops at the first match. If no ACE matches, the switch denies the packet.
Formerly, ACLs were set and modified through the AppNexus support team. Now you can set and modify them yourself with new parameters in the manage-vlan CLI tool.
manage-vlan get-acl. This command shows the VLAN ACL. By default, the ACL is printed to the screen. You can change this behavior by specifying the optional --file parameter, in which case the ACL is written to the given file.
manage-vlan validate-acl. This command validates the syntax and semantics of the passed ACE(s). You can specify one of two allowed sources from which the ACE(s) are read: --file (the ACEs to validate are placed in the given file) or a lone dash (the ACEs are read from standard input).
manage-vlan set-acl. This command sets the entire VLAN ACL. If the user attempts to clear the VLAN ACL, they will be prompted to enter "-force" as a pre
manage-vlan append-acl. This command appends one or more new ACEs to the end of the current VLAN ACL.
ACL Syntax and Validation
ACLs must be in a specific format to be read by the API. We have chosen the Cisco format.
- Possible protocol values: ip, tcp, udp, gre, esp, ahp
- Source and destination may be specified in one of three ways:
1. A whole subnet: the network address and the network mask (Cisco notation must be used), separated by a space, e.g. "22.214.171.124 0.0.0.255".
2. A single host, e.g. "host 10.1.1.1".
3. Any host, from 0.0.0.0 to 255.255.255.255: use "any".
An operator and a numeric port specify the source and/or destination port when the ACE protocol is tcp or udp. The following operators may be used in port definitions: eq (equal), gt (greater than), lt (less than), and range (requires two port numbers and represents an inclusive range).
In addition to ACEs, you can place remarks (comments) in an ACL. Remarks are usually added to make the ACL easier to understand.
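As an added example (not code from the original page or from the manage-vlan tool), the following Python parses ACEs according to the syntax rules above and evaluates a packet against an ACL with the first-match, implicit-deny behaviour described earlier. The sample ACL and all addresses in it are constructed, and treating the "ip" protocol as matching any protocol is an assumption taken from Cisco ACL semantics rather than from this page.

```python
from ipaddress import IPv4Address
PROTOCOLS = {"ip", "tcp", "udp", "gre", "esp", "ahp"}
PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "range": 2}  # operator -> number of port arguments it takes
SAMPLE_ACL = """remark constructed example ACL; the addresses are made up, not taken from the page
permit tcp any host 10.0.0.5 eq 443
deny tcp 10.1.1.0 0.0.0.255 any
permit ip 10.1.1.0 0.0.0.255 any"""

def _addr(tokens):  # 'any' | 'host A.B.C.D' | 'NETWORK WILDCARD'  ->  (matcher, remaining tokens)
    if tokens[:1] == ["any"]:
        return (lambda ip: True), tokens[1:]
    if len(tokens) < 2:
        raise ValueError("incomplete address specification")
    host = tokens[0] == "host"  # 'host A.B.C.D' is shorthand for 'A.B.C.D 0.0.0.0'
    net = int(IPv4Address(tokens[1] if host else tokens[0]))  # malformed address -> ValueError
    care = 0xFFFFFFFF if host else ~int(IPv4Address(tokens[1])) & 0xFFFFFFFF  # wildcard 1-bits are ignored
    return (lambda ip: ip & care == net & care), tokens[2:]

def _port(tokens):  # optional 'eq|gt|lt N' or 'range N M'  ->  (matcher, remaining tokens)
    if not tokens or tokens[0] not in PORT_OPS:
        return (lambda p: True), tokens
    op, n = tokens[0], PORT_OPS[tokens[0]]
    nums = [int(t) for t in tokens[1:1 + n]]
    if len(nums) != n or not all(0 <= v <= 65535 for v in nums):
        raise ValueError(f"bad port clause: {' '.join(tokens)}")
    tests = {"eq": lambda p: p == nums[0], "gt": lambda p: p > nums[0], "lt": lambda p: p < nums[0],
             "range": lambda p: nums[0] <= p <= nums[1]}
    return tests[op], tokens[1 + n:]

def parse_ace(line):  # one ACL line -> (action, proto, matchers); remark -> None; bad syntax -> ValueError
    tokens = line.split()
    if not tokens or tokens[0] == "remark":
        return None
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny") or tokens[1] not in PROTOCOLS:
        raise ValueError(f"bad ACE: {line}")
    ports = tokens[1] in ("tcp", "udp")  # port clauses are only allowed for tcp and udp
    src, rest = _addr(tokens[2:])
    sport, rest = _port(rest) if ports else ((lambda p: True), rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest) if ports else ((lambda p: True), rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {line}")
    return tokens[0], tokens[1], (src, sport, dst, dport)

def evaluate(acl_text, proto, src_ip, dst_ip, sport=0, dport=0):
    """First matching ACE wins; no match means deny, as on the core switch ('ip' matches any protocol)."""
    packet = (int(IPv4Address(src_ip)), sport, int(IPv4Address(dst_ip)), dport)
    for action, ace_proto, matchers in filter(None, map(parse_ace, acl_text.splitlines())):
        if ace_proto in (proto, "ip") and all(m(v) for m, v in zip(matchers, packet)):
            return action
    return "deny"
```

With SAMPLE_ACL, TCP from 10.1.1.7 to 10.0.0.5 port 443 is permitted by the first ACE even though the second ACE would deny it, while TCP from 10.1.1.7 to any other destination is denied before the final permit is reached.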