Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 23 Next »

The ACL API

ACL Overview

The Access Control List (ACL) filters packets passed from the AppNexus core switch into your VLAN. An ACL is made up of an ordered set of Access Control Entries (ACEs) that represent permit and deny statements applied to certain ports and incoming and destination IP addresses. For example, the below ACE permits TCP traffic from any IP address to the IP address 1.1.1.1.

permit tcp any host 1.1.1.1

Here is an example of an ACL made up of several ACEs. Note that the order of ACEs matters, because a core switch tests packets against ACEs one by one and stops checking after the first match. If no conditions match, the switch denies the packet.

remark - allow HTTP from world to instance LAX1:210
permit tcp any host 10.1.1.1 eq 80
remark - allow 40000-41000 ports from VALN LAX1:2071
permit udp 8.10.74.224 0.0.0.31 any range 40000 41000
remark - allow SSH from world
permit tcp any any eq 22

Manage-vlan Tool

Formerly, ACLs were set and modified though the AppNexus support team. Now you can set and modify them yourself with new parameters in the manage-vlan CLI tool.

 manage-vlan get-acl --vlan-id vlan_id [--file path]
 manage-vlan set-acl --vlan-id vlan_id (--file path | -) [--force]
 manage-vlan append-acl --vlan-id vlan_id (--file path | -)
 manage-vlan validate-acl (--file path | -)

ACEs can be read either from a --file or via standard input.

  • manage-vlan get-acl. This command lists the current ACL for your VLAN. If you specify the --file optional parameter, you can output the ACL is in the corresponding file.

       Examples:
      manage-vlan get-acl --vlan-id NYM1:2071
      manage-vlan get-acl --vlan-id NYM1:2071 --file nym1-vlan2071.acl

  • manage-vlan set-acl. This command replaces the current ACL with a new one. If you attempt to erase the ACL completely, you will be prompted to enter "--force" as a pre-
    caution.
  • manage-vlan append-acl. This command appends one or more new ACEs to the end of the current VLAN ACL.
  • manage-vlan validate-acl. This command validates the syntax and semantics of ACEs without applying them to your VLAN

       Examples:
      manage-vlan validate-acl --file /path/to/file/acl.example
      cat /path/to/file/acl.example | manage-vlan validate-acl -

ACL Syntax and Validation

ACLs must be in a specific format to be read by the API. We have chosen the Cisco format.

{permit | deny} protocol source [operator port] destination [operator port]

Example:

permit tcp any host 10.1.1.2
deny tcp any any
  • Possible protocol values: ip, tcp, udp, gre, esp, ahp
  • Source and destination may be specified in one of three ways:

                   1. A subnet: network address and network mask (cisco notation must be used) separated by a space. E.g. "171.69.198.0 0.0.0.255" Instructions on subnet notation is available here.
                   2. A single host. E.g. "host 10.1.1.1"
                   3. Any host, from 0.0.0.0 to 255.255.255.255. Use "any"

An operator and port combination specify the source or destination port when the ACE protocol is set to tcp or udp. Operators include: eq (equal), gt (greater than), lt (less than), and range (requires two ports numbers and represents inclusive range).

In addition to ACEs you can place remarks (comments) in ACLs. The remarks are needed usually for easier understanding the ACL. For example:

permit udp 8.10.74.224 0.0.0.31 any range 40000 41000
remark - allow SSH from world
  • No labels