
Access Control Lists (ACLs)

ENS 15.1: Advanced Switch Operation and Configuration.


Access Control Lists (ACLs)
• Student Objectives
• Describe ExtremeXOS packet filtering structure and components.
• Describe how to use policies and edit policy files.
• Know ACL matching conditions, syntax, and troubleshooting.
• Understand the differences between Static ACLs and Dynamic ACLs.
• List the ACL rule evaluation process.

Slide 2
ACL Overview and Operation


Access Control Lists (ACLs)
• Access Control Lists (ACLs) are used to perform packet
filtering and forwarding decisions on traffic traversing the
switch.
• ACLs can be applied to packets entering or exiting the switch.
• Packets are permitted (forwarded), denied (dropped) or metered (rate
limited).
• ACL rules can be associated with re-directs, mirroring, QoS,
counters and logging.
• ACLs apply to all traffic; both user traffic and control traffic.
• There are two types of ACL:
• Static ACLs which are created from a policy file separate from the
configuration file.
• Dynamic ACLs which are configured from the CLI and can be stored in
the configuration file.

Slide 4
ExtremeXOS ACL Definition
• An ACL is a rule which defines a specific action or actions on
a packet matching specific criteria.
• Each ACL is defined by a unique name.
• Each ACL contains a number of match conditions defined by an actual
or implied “if” statement.
• Each ACL contains a number of actions defined by an actual or implied
“then” statement.
• An ACL Policy is a collection of ACL rules which are
executed in the order defined in the policy.
• All the ACL rules contained in the policy file are created and applied to
the same set of ports.
• There can be a number of ACL policies applied to a switch’s hardware.
• These are referred to as static ACLs.
• Dynamic ACLs are a collection of ACL rules which are
executed in the order defined in the configuration.
• ACL rules are created individually at the CLI and each rule can be
applied to a separate set of ports.
Slide 5
ACL Match Conditions
• A packet must match all conditions in order for an action to be taken.
• This is an implicit “if match all” condition qualifier and cannot be changed.
• For ingress ACLs, if no match conditions are specified, an implicit packet match occurs (every packet matches).
• For egress ACLs, if no match conditions are specified, no packets will match.
Match conditions (condition: description. Ingress/Egress):
• ethernet-type <number>: Ethernet packet type, for example ETHER-P-IP (0x0800). Ingress.
• ethernet-source-address <mac-addr>: Ethernet source MAC address and mask (optional). Ingress.
• ethernet-destination-address <mac-addr>: Ethernet destination MAC address and mask (optional). Ingress.
• source-address <prefix>: IP source address and mask. Both.
• destination-address <prefix>: IP destination address and mask. Both.
• protocol <number>: IP protocol field. Numeric value or text synonyms: egp(8), gre(47), icmp(1), igmp(2), ipip(4), Ipv6 over ipv4(41), ospf(89), pim(103), rsvp(46), st(5), tcp(6), udp(17). Both.
• source-port {<number>|<range>}: TCP or UDP source port. Both.
• destination-port {<number>|<range>}: TCP or UDP destination port. Both.
• TCP-flags <bitfield>: TCP flags. Numeric value or text synonyms: ACK(0x10), FIN(0x01), PUSH(0x08), RST(0x04), SYN(0x02), URG(0x20), SYN_ACK(0x12). Both.
• IGMP-msg-type <number>: IGMP message type. Numeric value or text synonyms: v1-report(0x12), v2-report(0x16), v3-report(0x22), v2-leave(0x17), or query(0x11). Both.
• ICMP-type <number>: ICMP type field. Numeric value or text synonyms: echo-reply(0), echo-request(8), info-reply(16), info-request(15), mask-request(17), mask-reply(18), parameter-problem(12), redirect(5), router-advertisement(9), router-solicit(10), source-quench(4), time-exceeded(11), timestamp(13), timestamp-reply(14), or unreachable(3). Both.
• IP-TOS <number>: IP TOS field. Numeric value or text synonyms: minimize-delay 16 (0x10), maximize-reliability 4 (0x04), minimize-cost 2 (0x02), and normal-service 0 (0x00). Both.

Slide 6
ACL Actions and Action Modifiers
• If a packet matches, then the rule’s action and action modifiers are
processed.
• The basic actions are permit or deny.
• If no action is specified, an implicit permit occurs.
• If no packet matches any rules in the policy, then the packet is permitted.
Actions and action modifiers (action: description. Ingress/Egress):
• count <countername>: Creates a counter associated with the ACL rule. The counter increments for each packet matching the rule. Both (egress: permit only).
• byte-count <byte counter name>: Creates a byte counter associated with the ACL rule. The counter increments for each packet matching the rule. Ingress.
• packet-count <packet counter name>: Creates a packet counter associated with the ACL rule. The counter increments for each packet matching the rule. Ingress.
• log: Logs the packet header. Both.
• log-raw: Logs the packet header in hex format. Both.
• meter <metername>: Forwards packets to a previously defined rate limit meter at a traffic rate defined by the meter. Both.
• mirror: Sends a copy of the packet to the monitor (mirror) port. Ingress.
• qosprofile <qosprofilename>: Forwards the packet to the specified QoS profile. Both*.
• redirect <ipv4 address>: Forwards the packet to the specified IPv4 address. Both.
• redirect-port <port>: Overrides the forwarding decision and changes the egress port used. Both.
• replace-dscp: Replaces the packet’s DSCP field with the value from the associated QoS profile. Both*.
• replace-dot1p: Replaces the packet’s 802.1p field with the value from the associated QoS profile. Both*.

*Not supported by egress ACLs on Summit “a” & “e” series switches and BD8K “a” series modules.

Slide 7
ACL Resources


ACL Resources
• ExtremeXOS populates ACLs within a Ternary Content
Addressable Memory (TCAM) for wire-speed performance.
• ACLs are allocated automatically between a number of slices
within the TCAM.
• Each slice can contain a number of ACL rules.
• The maximum number of rules per slice is 128, 256 or 512 depending on switch type.
• Each packet processor supports 24 ports and a number of slices.
• The maximum number of slices is usually 8 or 16 depending on switch type.
• Some switches also support an additional 4 slices for egress rules.
• The total number of ACLs supported varies from switch to switch.
• Refer to the ExtremeXOS release notes for the maximum number of ACLs
supported by each specific switch.
• As an example:
• A SummitX460-48t switch has 16 slices for each packet processor supporting 256
ingress rules and 4 slices for each group of 24 ports supporting 128 egress rules.
• Ingress rules: (16 slices x 256 rules ) x 2 packet processors = 8192
• Egress rules: (4 slices x 128 rules ) x 2 packet processors = 1024
Slide 9
Viewing ACL Resource Usage
To view the ACL slice usage:
• show access-list usage acl-slice port <port>
• The port option selects the appropriate packet processor.
• The example shows the relevant details for a SummitX450a-24t.
To view the ACL rule usage:
• show access-list usage acl-rules port <port>

Slide 10
ACL Processing – Matching Rules
• The ExtremeXOS Policy Manager process parses policy and
configuration files and programs the TCAMs in the following way:
• The first ACL rule in the policy file is processed and a slice is allocated based on
the match conditions.
• The next ACL rule is compared to see if the match conditions are compatible,
and if so, the rule is added to the same slice.
• This continues until the slice is full.
ip.pol:
entry iprule1 {
    if {
        destination-address 192.168.0.0/16 ;
        protocol tcp ;
        source-port 1000 ;
    }
    then {
        deny ;
    }
}
entry iprule2 {
    if {
        source-address 10.10.10.0/24 ;
        protocol tcp ;
        destination-port 23 ;
    }
    then {
        deny ;
    }
}

Slice 0 (DIP, SIP, IP-proto, L4 DP, L4 SP)
Rules:
• 192.168.0.0/16; 1000; TCP
• 10.10.10.0/24; 23; TCP
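The match semantics of slide 5 (every condition must match; an entry with no conditions matches everything at ingress and nothing at egress), the action semantics of slide 6 (implicit permit when no action is given, permit when no entry matches) and the entry syntax of slide 10 can be exercised together. The following Python is an added example written for this page, not ExtremeXOS code: it parses a constructed policy in the slide's `entry { if { } then { } }` form (the two iprule entries plus two extra entries that exist only to show the edge cases), then evaluates sample packets in both directions. Only the IP conditions and the `count` modifier are modelled; the packet dicts, the `-` port-range form and the `PROTO_SYNONYMS` table are assumptions of the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Text synonyms from the slide-5 match-condition table; numeric values are also accepted.
PROTO_SYNONYMS = {"icmp": 1, "igmp": 2, "ipip": 4, "st": 5, "tcp": 6, "egp": 8,
                  "udp": 17, "rsvp": 46, "gre": 47, "ospf": 89, "pim": 103}

@dataclass
class Entry:
    name: str
    conditions: list   # [(condition, value), ...]; empty list = no match conditions
    actions: list      # ["deny", "count telnet_denied", ...]

# One policy entry: "entry <name> { if [match all] { ... } then { ... } }"
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>[\w-]+)\s*\{\s*"
    r"if(?:\s+match\s+all)?\s*\{(?P<cond>[^}]*)\}\s*"
    r"then\s*\{(?P<act>[^}]*)\}\s*\}",
    re.S,
)

def parse_policy(text):
    """Parse a .pol file body into an ordered list of Entry objects."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        conds = []
        for clause in m.group("cond").split(";"):
            tokens = clause.split()
            if tokens:                      # "1000 - 2000" is joined into "1000-2000"
                conds.append((tokens[0], "".join(tokens[1:])))
        acts = [" ".join(a.split()) for a in m.group("act").split(";") if a.strip()]
        entries.append(Entry(m.group("name"), conds, acts))
    return entries

def _cond_matches(cond, value, packet):
    """True if one match condition holds for the packet (a dict of header fields)."""
    if cond in ("source-address", "destination-address"):
        net = ipaddress.ip_network(value, strict=False)
        return packet.get(cond) is not None and ipaddress.ip_address(packet[cond]) in net
    if cond == "protocol":
        want = PROTO_SYNONYMS.get(value.lower())
        return packet.get("protocol") == (int(value, 0) if want is None else want)
    if cond in ("source-port", "destination-port"):
        if "-" in value:                    # port range (assumed "lo-hi" form)
            lo, hi = (int(x) for x in value.split("-"))
            return lo <= packet.get(cond, -1) <= hi
        return packet.get(cond) == int(value)
    raise ValueError(f"match condition not modelled here: {cond}")

def evaluate(policy, packet, direction="ingress"):
    """Return (verdict, matching entry name, counters hit). First matching entry wins;
    all conditions must match; no conditions matches everything at ingress and nothing
    at egress; no permit/deny action means permit; no matching entry means permit."""
    for entry in policy:
        if entry.conditions:
            matched = all(_cond_matches(c, v, packet) for c, v in entry.conditions)
        else:
            matched = direction == "ingress"
        if matched:
            verdict = "deny" if "deny" in entry.actions else "permit"
            counters = [a.split()[1] for a in entry.actions if a.startswith("count ")]
            return verdict, entry.name, counters
    return "permit", None, []

# Constructed sample policy (not a file from the slides): the two iprule entries from
# slide 10, a counting entry with no action, and a catch-all entry with no conditions.
SAMPLE_POL = """
entry iprule1 {
    if { destination-address 192.168.0.0/16 ; protocol tcp ; source-port 1000 ; }
    then { deny ; }
}
entry iprule2 {
    if match all { source-address 10.10.10.0/24 ; protocol tcp ; destination-port 23 ; }
    then { deny ; count telnet_denied ; }
}
entry count-http {
    if { protocol tcp ; destination-port 80 ; }
    then { count http ; }
}
entry catch-all {
    if { }
    then { deny ; count unmatched ; }
}
"""

# Constructed packets: header fields keyed by the condition names used in the policy.
TELNET_PKT = {"source-address": "10.10.10.5", "destination-address": "172.16.1.1",
              "protocol": 6, "source-port": 51000, "destination-port": 23}
HTTP_PKT = {"source-address": "172.16.9.9", "destination-address": "10.0.0.1",
            "protocol": 6, "source-port": 40000, "destination-port": 80}
DNS_PKT = {"source-address": "172.16.9.9", "destination-address": "10.0.0.53",
           "protocol": 17, "source-port": 40001, "destination-port": 53}

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POL)
    for pkt in (TELNET_PKT, HTTP_PKT, DNS_PKT):
        print(evaluate(policy, pkt, "ingress"), evaluate(policy, pkt, "egress"))
```

The DNS packet is the instructive case: at ingress the condition-less `catch-all` entry matches it and it is dropped with the `unmatched` counter incremented, while at egress that same entry matches nothing and the packet falls through to the implicit permit.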

Slide 11
ACL processing – Non-matching Rules
• If the ExtremeXOS Policy Manager discovers a non-matching rule while
parsing a policy or configuration file:
• The non-matching ACL is allocated a new slice based on the different match
conditions.
• The next ACL rule is compared to see if the match conditions are compatible,
and if so, the rule is added to the same slice.
• This continues until the slice is full or the next rule is incompatible.
ip.pol: entries iprule1 and iprule2 as shown on the previous slide.

mac.pol:
entry macrule1 {
    if {
        ethernet-source-address 00:01:02:03:04:05 ;
    }
    then {
        deny ;
    }
}
entry macrule2 {
    if {
        ethernet-type ether-p-ipv6 ;
    }
    then {
        deny ;
    }
}

Slice 0 (DIP, SIP, IP-proto, L4DP)
Rules:
• 192.168.0.0/16; 1000; TCP
• 10.10.10.0/24; 23; TCP

Slice 2 (MACSA, Etype)
Rules:
• 00:01:02:03:04:05
• 0x86dd
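The allocation walk described on slides 10 and 11 can be simulated to see how rule order affects TCAM consumption. The Python below is an added example written for this page, not Extreme's allocator: it models a slice as keyed on one group of header fields (the `ip` and `mac` groups, and the idea that a rule is compatible with a slice when all of its conditions fall in that group, are simplifying assumptions), and it follows the slides' sequential rule exactly, so a rule never returns to an earlier slice. The rule names and condition sets come from ip.pol and mac.pol above; the capacity figures are the ones worked on slide 8.

```python
# Simplified model (an assumption of this example): a slice is keyed on one field group,
# and a rule is compatible with a slice when every one of its conditions is in that group.
FIELD_GROUPS = {
    "ip":  {"source-address", "destination-address", "protocol",
            "source-port", "destination-port"},
    "mac": {"ethernet-source-address", "ethernet-destination-address", "ethernet-type"},
}

def field_group(conditions):
    """Name of the field group able to hold every condition of one rule."""
    for group, fields in FIELD_GROUPS.items():
        if set(conditions) <= fields:
            return group
    raise ValueError(f"no single field group covers {sorted(conditions)}")

def allocate_slices(rules, rules_per_slice):
    """Walk the rules in policy order: a rule joins the current slice if it is compatible
    and the slice is not full, otherwise a new slice is opened (slides 10 and 11).
    rules is a list of (name, conditions); returns the list of slices built."""
    slices = []
    for name, conditions in rules:
        group = field_group(conditions)
        current = slices[-1] if slices else None
        if (current is None or current["group"] != group
                or len(current["rules"]) >= rules_per_slice):
            current = {"group": group, "rules": []}
            slices.append(current)
        current["rules"].append(name)
    return slices

def rule_capacity(slices_per_processor, rules_per_slice, packet_processors):
    """Total rules for one direction, as worked on slide 8 (16 x 256 x 2 = 8192 ingress)."""
    return slices_per_processor * rules_per_slice * packet_processors

def slices_used(rules, rules_per_slice=256):
    return len(allocate_slices(rules, rules_per_slice))

# Rules from ip.pol and mac.pol on slides 10 and 11 (only the condition names matter here).
IP_RULES = [
    ("iprule1", ["destination-address", "protocol", "source-port"]),
    ("iprule2", ["source-address", "protocol", "destination-port"]),
]
MAC_RULES = [
    ("macrule1", ["ethernet-source-address"]),
    ("macrule2", ["ethernet-type"]),
]

if __name__ == "__main__":
    grouped = IP_RULES + MAC_RULES                      # ip.pol applied, then mac.pol
    interleaved = [IP_RULES[0], MAC_RULES[0], IP_RULES[1], MAC_RULES[1]]
    print("grouped:", slices_used(grouped), "slices; interleaved:", slices_used(interleaved))
    print("SummitX460-48t ingress capacity:", rule_capacity(16, 256, 2),
          "egress:", rule_capacity(4, 128, 2))
```

Under this model the same four rules cost two slices when the IP rules are kept together and four when IP and MAC rules alternate, which is why grouping rules by the header fields they match is worth checking before a policy is applied to a switch with a small slice budget.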

Slide 12
Viewing ACL Resource Usage
To view the ACL slice usage after the IP and MAC policies have been applied:
• show access-list usage acl-slice port <port>
• The two IP policy rules use slice 14, which includes the 8 system rules.
• The two MAC policy rules use slice 15.
To view the updated ACL rule usage:
• show access-list usage acl-rules port <port>

Slide 13
Configuring Static ACLs


Static ACL Configuration Steps
• Check if there are enough ACL resources available.
• Create an ACL policy file.
• Use the ExtremeXOS built-in editor or any other editor on a client
device.
• Save or copy the policy file to the switch’s flash using a file
extension of “.pol”.
• The “.pol” extension is automatically added when using the switch’s
edit command.
• Check the policy for any syntax errors.
• Apply the policy to port(s), VLAN(s) or “any” (wildcard).
• ACLs are immediately applied to the switch hardware.
• When applying ACLs, the interface precedence is port, VLAN then
wildcard.

Slide 15
ACL Configuration Overview
• An IP host is connected to a port that is a member of VLAN “data”.
• VLAN “data” will have a tag ID of 10.
• Ports 1 and 2 for the SummitX650 will be added as tagged ports.
• Ports 1:1 and 2:1 (LAG) for the BD8Ks will be added as tagged ports and an
IP address will be configured.
• The IP host will be denied Telnet access to the BD8K1 switch.

[Figure: ACL configuration topology. Data Center – Server Farm: SummitX650-1 top-of-rack switch with the IP host (IP=10.1.10.101/24) attached; VLAN “data”, 802.1Q tag 10; switch ports 1 and 2 uplink to the Data Center – Core switches BD8K1 (IP=10.1.10.1/24) and BD8K2 (IP=10.1.10.2/24) on their ports 1:1 and 2:1; one L2 link is blocked.]

Slide 16
Configuring a static ACL - BD8K1
Create the data VLAN and assign a VLAN ID, ports and IP address.
To create a policy using the editor:
• edit policy <filename>
• Press “i” to enter insert mode and then enter the desired commands.
• Once finished, press the “esc” key then “:wq” to save and quit.
To check the policy’s syntax:
• check policy <policy-name>
To apply a policy:
• configure access-list <aclname> [any | ports <portlist> | vlan <vlanname>] {ingress | egress}
• If the ingress or egress options are not specified, the ACLs will be applied on ingress.

Slide 17
Verifying a static ACL - BD8K1
To verify the list of configured
policies:
• show policy
To verify a specific policy:
• show policy <policy-name>
To verify the list of configured ACLs:
• show access-list

Slide 18
Configuring Dynamic ACLs


Dynamic ACL Configuration Steps
• Check if there are enough ACL resources available.
• Create a dynamic ACL rule.
• Dynamic rules can be “permanent” or “non-permanent”.
• “Permanent” rules are added to the running configuration which must be
saved to make them persist after a reboot.
• Non-permanent rules are created on-demand and are not added to the
running configuration. They do not persist after a reboot.
• Apply the dynamic ACL to port(s), VLAN(s) or “any”
(wildcard).

Slide 20
ACL Configuration Overview
• An IP host is connected to a port that is a member of VLAN “data”.
• VLAN “data” will have a tag ID of 10.
• Ports 1 and 2 for the SummitX650 will be added as tagged ports.
• Ports 1:1 and 2:1 (LAG) for the BD8Ks will be added as tagged ports and an
IP address will be configured.
• The IP host is currently denied Telnet access to the BD8K1 switch.
• A dynamic ACL will be applied to temporarily allow telnet access.

[Figure: same topology as slide 15 (SummitX650-1 top-of-rack switch with the IP host 10.1.10.101/24, VLAN “data” tag 10, core switches BD8K1 10.1.10.1/24 and BD8K2 10.1.10.2/24 on ports 1:1 and 2:1, one L2 link blocked), with the active ACL policy on BD8K1 shown.]
Active ACL Policy=denyTelnet
entry no-telnet {
    if match all {
        destination-address 10.1.10.1/32 ;
        source-address 10.1.10.101/32 ;
        protocol tcp ;
        destination-port 23 ;
    }
    then {
        deny ;
    }
}

Slide 21
Configuring a dynamic ACL - BD8K1
To create a dynamic ACL:
• create access-list <dynamic-rule> <conditions> <actions>
• The default action is to create a “permanent” dynamic ACL.
• Quotation marks are required when there are spaces in any conditions or actions.
To apply a dynamic ACL:
• configure access-list add <dynamic_rule> [order] [any | vlan <vlanname> | ports <portlist>] {ingress | egress}
• Order refers to the ordering of the dynamic ACL rules when applied to a port or VLAN. Order is defined as:
• first, last, before <rule>, after <rule>
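Because dynamic rules are evaluated in the order they are applied, the `first`, `last`, `before <rule>` and `after <rule>` choice decides whether a later permit rule can override an earlier deny. The Python below is an added example written for this page, not ExtremeXOS code: it models the `configure access-list add` ordering options as list insertion and evaluates one constructed packet with the same first-match semantics as slide 6. The scenario uses two dynamic rules on BD8K1's VLAN "data", a deny rule with the conditions of the no-telnet entry from slide 20 and a permit rule for the same flow; the rule names, the packet dict and the rule representation are assumptions of the example.

```python
import ipaddress

def _matches(cond, value, packet):
    """One match condition against a packet dict; addresses use prefix matching."""
    if cond in ("source-address", "destination-address"):
        return ipaddress.ip_address(packet[cond]) in ipaddress.ip_network(value, strict=False)
    return packet.get(cond) == value

def lookup(applied, packet):
    """First rule whose conditions all match decides; no match means permit (slide 6)."""
    for r in applied:
        if all(_matches(c, v, packet) for c, v in r["conditions"].items()):
            return r["action"], r["name"]
    return "permit", None

def add_dynamic(applied, new_rule, order="last"):
    """Model 'configure access-list add <rule> [first|last|before <rule>|after <rule>]':
    returns the new evaluation order for the interface (the input list is not modified).
    A 'before'/'after' reference to a rule that is not applied raises ValueError."""
    names = [r["name"] for r in applied]
    if order == "first":
        pos = 0
    elif order == "last":
        pos = len(applied)
    elif order.startswith("before "):
        pos = names.index(order[len("before "):])
    elif order.startswith("after "):
        pos = names.index(order[len("after "):]) + 1
    else:
        raise ValueError(f"unknown order: {order!r}")
    return applied[:pos] + [new_rule] + applied[pos:]

# Constructed scenario (assumption): a deny rule with the conditions of the slide-20
# no-telnet entry is already applied; a permit rule for the same flow is then added.
TELNET_FLOW = {"source-address": "10.1.10.101/32", "destination-address": "10.1.10.1/32",
               "protocol": 6, "destination-port": 23}
NO_TELNET = {"name": "no-telnet", "action": "deny", "conditions": TELNET_FLOW}
ALLOW_TELNET = {"name": "allow-telnet-101", "action": "permit", "conditions": TELNET_FLOW}

# Constructed packet: the host's Telnet connection attempt to BD8K1.
HOST_TELNET_PKT = {"source-address": "10.1.10.101", "destination-address": "10.1.10.1",
                   "protocol": 6, "destination-port": 23}

def telnet_verdict(order):
    """Verdict for the host's Telnet packet once allow-telnet-101 is added with this order."""
    applied = add_dynamic([NO_TELNET], ALLOW_TELNET, order)
    return lookup(applied, HOST_TELNET_PKT)

if __name__ == "__main__":
    for order in ("first", "last", "before no-telnet", "after no-telnet"):
        print(f"{order:18} -> {telnet_verdict(order)}")
```

Adding the permit rule with `first` or `before no-telnet` lets the host through; adding it with `last` or `after no-telnet` leaves the deny rule in front and the Telnet attempt is still dropped. Checking the resulting order with `show access-list dynamic rule <rule> detail` before relying on a temporary permit is the practical habit this illustrates.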

Slide 22
Verifying a dynamic ACL - BD8K1
To verify the list of configured ACLs:
• show access-list
To verify the list of dynamic ACLs:
• show access-list dynamic
To verify the dynamic ACL rule:
• show access-list dynamic rule <rule>
To verify the dynamic ACL rule’s direction (ingress/egress):
• show access-list dynamic rule <rule> detail

Slide 23
ACLs Summary
• You should now be able to:
• Describe ExtremeXOS packet filtering structure and components.
• Describe how to use policies and edit policy files.
• Know ACL matching conditions, syntax, and troubleshooting.
• Understand the differences between Static ACLs and Dynamic ACLs.
• List the ACL rule evaluation process.

Slide 24
Lab 7 - ACLs
• This lab exercise tests your ability to configure ACLs.

[Figure: lab topology. Lab Group PC with management address 10.45.230.4X connected to SwitchX (Mgmt address 10.45.230.10X), port 5.]

Slide 25