Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 35 Next »


ACL Overview

The Access Control List (ACL) filters packets passed from the AppNexus core switch into your VLAN.  An ACL is made up of an ordered set of Access Control Entries (ACEs) that represent permit and deny statements applied to certain ports and incoming and destination IP addresses.  For example, the below ACE permits TCP traffic from any IP address to the IP address

permit tcp any host

Here is an example of an ACL made up of several ACEs.  Note that the order of ACEs matters, because a core switch tests packets against ACEs one by one and stops checking after the first match.  If no conditions match, the switch denies the packet.

remark - allow HTTP from world to instance LAX1:210
permit tcp any host eq 80
remark - allow 40000-41000 ports from VLAN LAX1:2071 (subnet of 256 IPs)
permit udp any range 40000 41000
remark - allow SSH from world
permit tcp any any eq 22
remark - allow all traffic (all source and destination ports) from to the whole VLAN
permit tcp any

Manage-vlan Tool

Formerly, ACLs were set and modified though the AppNexus support team.  Now you can set and modify them yourself with new parameters in the manage-vlan CLI tool:

 manage-vlan get-acl --vlan-id vlan_id [--file path]
 manage-vlan set-acl --vlan-id vlan_id (--file path | -) [--force]
 manage-vlan append-acl --vlan-id vlan_id (--file path | -)
 manage-vlan validate-acl (--file path | -)

ACEs can be read either from a --file or via standard input.

  • manage-vlan get-acl.  This command lists the current ACL for your VLAN.  If you specify the --file optional parameter, you can output the ACL is in the corresponding file.


  • manage-vlan get-acl --vlan-id NYM1:2071
  • manage-vlan get-acl --vlan-id NYM1:2071 --file nym1-vlan2071.acl
  • manage-vlan set-acl.  This command replaces the current ACL with a new one. If you attempt to erase the ACL completely, you will be prompted to enter "--force" as a precaution.
  • manage-vlan append-acl.  This command appends one or more new ACEs to the end of the current VLAN ACL.
  • manage-vlan validate-acl.  This command validates the syntax and semantics of ACEs without applying them to your VLAN


  • manage-vlan validate-acl --file /path/to/file/acl.example
  • cat /path/to/file/acl.example | manage-vlan validate-acl -

ACL Syntax and Validation

ACLs must be in a specific format to be read by the API.  We have chosen the Cisco format.

{permit | deny} protocol source [operator port] destination [operator port]


permit tcp any host
deny tcp any any
  • Possible protocol values: ip, tcp, udp, gre, esp, ahp
  • Source and destination may be specified in one of three ways:
    • A subnet: network address and network mask (note that cisco notation for "inverse masks" must be used) separated by a space.  E.g. ""
    • A single host.  E.g. "host"
    • Any host, from to  Use "any"

An operator and port combination specify the source or destination port when the ACE protocol is set to tcp or udp.  Operators include: eq (equal), gt (greater than), lt (less than), and range (requires two ports numbers and represents inclusive range).

In addition to ACEs you can place remarks (comments) in ACLs.  The remarks are needed usually for easier understanding the ACL.  For example:

remark - allow SSH from world
permit tcp any eq 22

(warning) Note that in case you need to open SNMP to your instances/VLANs it's not enough to open 161 port via manage-vlan, as we need to "make a hole" on our borders as well. Please, open a Support ticket, requesting the task.

  • No labels