# ACL Configuration Guide
## Introduction

Communication between information points, and between the internal and external networks, is an essential business requirement in an enterprise network. To ensure the security of the intranet, a security policy is needed so that unauthorized users can access only specific network resources.

An ACL (Access Control List) is a packet processing policy consisting of a series of rules. The rules are generally judgment statements that describe the matching conditions of packets, such as the source MAC, destination MAC, source IP, destination IP, source port number, destination port number, and so on. The switch filters packets based on these rules: once ACL rules are configured, the switch allows certain packets to pass and blocks others, which achieves access control and traffic filtering. In short, ACLs are a network technology for controlling access, improving the security of the network environment and the reliability of network transmission.

## Basic Concepts

### ACL Table

An ACL table is port-specific: binding ports means that the ACL table is valid for traffic on those ports. A single ACL table can bind multiple ports, and multiple ACL tables can exist on a single port, i.e. a "many-to-many" relationship.

**ACL table naming rule**: each ACL table must have a different name.

**ACL table type**: the ACL table type affects the match fields of the ACL; in other words, it determines which packet characteristics are used to match traffic. The available ACL table types are l2, l3, l3v6, mirror, mirrorv6 and flow-control. In particular, flow-control is a special ACL table type that is used in combination with the traffic behavior module to rate-limit specific flows.

**ACL table direction**: the ACL table stage indicates the direction, optionally ingress or egress, which corresponds to whether the ACL table is applied in the ingress or egress direction respectively. If no stage is specified, the default is ingress.
Currently, the same ACL table does not support matching in both the ingress and egress directions. For the CX family, the match fields available in the two directions differ: the ACL match fields of the ingress direction are not all available in the egress direction, and there are fewer types of match fields for egress than for ingress. See docid qi-bda9yfylodx8-2smwz for a detailed description of the match fields.

### ACL Rule

An ACL rule is table-specific. It defines the priority of the rule, the matching conditions, and the action to be taken if the match succeeds. An ACL rule can be added to only one table, but a table can hold multiple rules, i.e. rules and tables are in a "many-to-one" relationship. The match fields of an ACL rule must be among the match fields of the table it belongs to, and cannot exceed the match fields defined by the table.

**ACL rule naming rule**: each ACL rule must have a different name.

**ACL rule priority**: priority indicates the precedence of the rule; the higher the value, the higher the priority, and the value must be less than 500. When multiple rules match the same packet, the rule with the highest priority is the one applied. The same table does not allow rules with the same priority.

**ACL rule action**

Ingress

Table 1 ACL rule ingress action

| Action | Key words | Description |
|---|---|---|
| Basic actions | `packet-action` | Optional `permit` \| `deny` \| `drop` \| `trap-to-cpu` \| `copy-to-cpu`. permit: the packet is forwarded; deny: the packet is not forwarded but can still be trapped normally; drop: the packet is neither forwarded nor trapped; trap-to-cpu: the packet is only sent to the CPU and is not forwarded; copy-to-cpu: the packet is sent to the CPU and also forwarded |
| Modify DSCP | `set-dscp` | Modify the packet DSCP value, range 0-63 |
| Modify PCP | `set-pcp` | Modify the packet PCP value, range 0-7 |
| Modify TC | `set-tc` | Modify the TC value, range 0-7; generally used in conjunction with forced modification of the packet DSCP |
| Ingress redirection | `redirect-action` | Redirect, which supports redirecting to an interface or to a next hop, in the following forms: interface name, e.g. "Ethernet10"; LAG name, e.g. "PortChannel0005"; global IP of the next hop, e.g. "10.0.0.1"; IP and VRF of the next hop, e.g. "10.0.0.2@Vnet2"; IP and interface name of the next hop, e.g. "10.0.0.3@Ethernet1"; next hop group, e.g. "10.0.0.1,10.0.0.3@Ethernet1" |
| Traffic behavior | `traffic-behavior` | ACLs and traffic behavior are used together to limit the rate of specific traffic on a port |

Egress

Table 2 ACL rule egress action

| Action | Key words | Description |
|---|---|---|
| Basic actions | `packet-action` | Optional `permit` \| `deny`. forward and permit both mean the packet is forwarded; deny means the packet is not forwarded |
| Modify DSCP | `set-dscp` | Modify the packet DSCP value, range 0-63 |
| Modify PCP | `set-pcp` | Modify the packet PCP value, range 0-7 |

### ACL Rule Match Fields

The supported match fields differ between ACL table types. The match fields for each type of ACL table are described below.

#### L2 match fields

Note: L2 ACL is only supported on CX308P-48Y-N-V2 and CX532P-N-V2.

Table 3 L2 keywords

| Key words | Description of parameters | Notes |
|---|---|---|
| `vlan-pri` | 3-bit VLAN priority value, range 0-7 | |
| `ethernet-type` | 16-bit Ethernet type value, hex<0-ffff>, for example 0800 | Supported only in the ingress direction |
| `outer-vlan` | VLAN ID value, supports mask: vlan-id(1-4094)/mask(0x01-0x0fff) or vlan-id(1-4094) | |
| `source-mac` | Source MAC, supports mask: hh:hh:hh:hh:hh:hh or hh:hh:hh:hh:hh:hh/mask(hh:hh:hh:hh:hh:hh) | Supported only in the ingress direction |
| `destination-mac` | Destination MAC, supports mask: hh:hh:hh:hh:hh:hh or hh:hh:hh:hh:hh:hh/mask(hh:hh:hh:hh:hh:hh) | Supported only in the ingress direction |

#### L3 match fields

Table 4 L3 keywords

| Key words | Description of parameters | Notes |
|---|---|---|
| `ethernet-type` | 16-bit Ethernet type value, hex<0-ffff>, for example 0800 | Supported only in the ingress direction |
| `outer-vlan` | VLAN ID value, supports mask: vlan-id(1-4094)/mask(0x01-0x0fff) or vlan-id(1-4094) | |
| `ip-type` | IP packet type, optional `any` \| `ip` \| `non-ip` \| `ipv4any` \| `non-ipv4` \| `ipv6any` \| `non-ipv6` \| `arp` \| `arp-request` \| `arp-reply` | Not supported on CX308P-48Y-N-V2 and CX532P-N-V2; supported on other device models |
| `ip-protocol` | 8-bit IP protocol value, range 0-255 | |
| `tcp-flags` | TCP flag value, range 0-63 | |
| `source-ip` | Source IPv4 address (may carry a prefix), e.g. "10.1.1.1/24" | |
| `destination-ip` | Destination IPv4 address (may carry a prefix), e.g. "10.1.1.1/24" | |
| `icmp-type` | 8-bit ICMP type value, range 0-16 | |
| `icmp-code` | 8-bit ICMP code value, range 0-5 | |
| `source-port` | Source port, range 0-65535 | |
| `destination-port` | Destination port, range 0-65535 | |
| `dscp` | DSCP value, range 0-63 | |
| `ip-precedence` | IP precedence value, range 0-7 | |
| `ecn` | ECN value, range 0-3 | |
| `vlan-pri` | VLAN priority, range 0-7 | |
| `vxlan-vni` | VXLAN VNI, range 1-16777215 | Supported only in the ingress direction |

#### L3v6 match fields

Table 5 L3v6 keywords

| Key words | Description of parameters | Notes |
|---|---|---|
| `ip-protocol` | 8-bit IP protocol value, range 0-255 | Supported only in the ingress direction |
| `source-ipv6` | Source IPv6 address (may carry a prefix), e.g. "2001::1/128" | |
| `destination-ipv6` | Destination IPv6 address (may carry a prefix), e.g. "2001::1/96" | |
| `icmpv6-type` | 8-bit ICMPv6 type value, range 1-137 | Supported only in the ingress direction |
| `icmpv6-code` | 8-bit ICMPv6 code value, range 0-4 | Supported only in the ingress direction |
| `source-port` | Source port, range 0-65535 | Supported on CX308P-48Y-N-V2 and CX532P-N-V2; not supported on other device models |
| `destination-port` | Destination port, range 0-65535 | Supported on CX308P-48Y-N-V2 and CX532P-N-V2; not supported on other device models |

#### Mirror match fields

Table 6 Mirror keywords

| Key words | Description of parameters | Notes |
|---|---|---|
| `in-ports` | Ingress traffic interface; multiple interfaces separated by commas | Supported only in the ingress direction |
| `outer-vlan` | VLAN ID value, supports mask: vlan-id(1-4094)/mask(0x01-0x0fff) or vlan-id(1-4094) | |
| `ip-type` | IP packet type, optional `any` \| `ip` \| `non-ip` \| `ipv4any` \| `non-ipv4` \| `ipv6any` \| `non-ipv6` \| `arp` \| `arp-request` \| `arp-reply` | |
| `tcp-flags` | TCP flag value, range 0-63 | |
| `source-ip` | IP address range with prefix, e.g. "1.1.1.1/32" | |
| `destination-ip` | IP address range with prefix, e.g. "1.1.1.0/24" | |
| `icmp-type` | 8-bit ICMP type value, range 0-16 | |
| `icmp-code` | 8-bit ICMP code value, range 0-5 | |
| `source-port` | Source port, range 0-65535 | |
| `destination-port` | Destination port, range 0-65535 | |
| `dscp` | DSCP value, range 0-63 | |
| `ip-precedence` | IP precedence value, range 0-7 | |
| `bth-opcode` | BTH opcode value, range 0-255 | Not supported on CX308P-48Y-N-V2 and CX532P-N-V2; supported on other device models |
| `aeth-syndrome` | AETH syndrome value, supports mask: aeth-syndrome(0-255)/mask(0x01-0xff) or aeth-syndrome(0-255) | Not supported on CX308P-48Y-N-V2 and CX532P-N-V2; supported on other device models |

#### Mirrorv6 match fields

Table 7 Mirrorv6 keywords

| Key words | Description of parameters | Notes |
|---|---|---|
| `source-ipv6` | Source IPv6 address (may carry a prefix), e.g. "2001::1/128" | |
| `destination-ipv6` | Destination IPv6 address (may carry a prefix), e.g. "2001::1/96" | |
| `bth-opcode` | BTH opcode value, range 0-255 | Not supported on CX308P-48Y-N-V2 and CX532P-N-V2; supported on other device models |
| `aeth-syndrome` | AETH syndrome value, supports mask: aeth-syndrome(0-255)/mask(0x01-0xff) or aeth-syndrome(0-255) | Not supported on CX308P-48Y-N-V2 and CX532P-N-V2; supported on other device models |

#### Flow-control match fields

Table 8 Flow-control keywords

| Key words | Description of parameters | Notes |
|---|---|---|
| `in-ports` | List of bound interfaces, multiple interfaces separated by commas | Supported only in the ingress direction |
| `out-ports` | List of bound interfaces, multiple interfaces separated by commas | Supported only in the egress direction |
| `source-mac` | Source MAC, supports mask: hh:hh:hh:hh:hh:hh or hh:hh:hh:hh:hh:hh/mask(hh:hh:hh:hh:hh:hh) | Supported only in the ingress direction |
| `destination-mac` | Destination MAC, supports mask: hh:hh:hh:hh:hh:hh or hh:hh:hh:hh:hh:hh/mask(hh:hh:hh:hh:hh:hh) | Supported only in the ingress direction |
| `outer-vlan` | VLAN ID value, supports mask: vlan-id(1-4094)/mask(0x01-0x0fff) or vlan-id(1-4094) | Supported only in the ingress direction |
| `ip-protocol` | 8-bit IP protocol value, range 0-255 | |
| `source-ip` | Source IPv4 address (may carry a prefix), e.g. "10.1.1.1/24" | |
| `destination-ip` | Destination IPv4 address (may carry a prefix), e.g. "10.1.1.1/24" | |
| `source-port` | Source port, range 0-65535 | |
| `destination-port` | Destination port, range 0-65535 | |
| `vxlan-vni` | VXLAN VNI, range 1-16777215 | Supported only in the ingress direction |

## ACL Configuration

### Configure L2 ACL Table

Note: L2 ACL is only supported on CX308P-48Y-N-V2 and CX532P-N-V2.

Table 9 Configure L2 ACL table

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Create an ACL table and enter its configuration view | `access-list table <name> l2 { ingress \| egress }` | |
| Apply the ACL table to the interface | `bind interface { ethernet <interface-name> \| link-aggregation <lag-id> \| all }` | `all` binds to all interfaces |
| Create an ACL rule | `rule <rule-id> [ rule-options ] <action-options>` | rule-id also indicates the priority level, in the range 0-500. rule-options: see docid qi-bda9yfylodx8-2smwz for details. action-options: see docid qi-bda9yfylodx8-2smwz for details |

### Configure L3 ACL Table

Table 10 Configure L3 ACL table

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Create an ACL table and enter its configuration view | `access-list table <name> l3 { ingress \| egress }` | |
| Apply the ACL table to the interface | `bind interface { ethernet <interface-name> \| link-aggregation <lag-id> \| all }` | `all` binds to all interfaces |
| Create an ACL rule | `rule <rule-id> [ rule-options ] <action-options>` | rule-id also indicates the priority level, in the range 0-500. rule-options: see docid qi-bda9yfylodx8-2smwz for details. action-options: see docid qi-bda9yfylodx8-2smwz for details |

### Configure L3v6 ACL Table

Table 11 Configure L3v6 ACL table

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Create an ACL table and enter its configuration view | `access-list table <name> l3v6 { ingress \| egress }` | |
| Apply the ACL table to the interface | `bind interface { ethernet <interface-name> \| link-aggregation <lag-id> \| all }` | `all` binds to all interfaces |
| Create an ACL rule | `rule <rule-id> [ rule-options ] <action-options>` | rule-id also indicates the priority level, in the range 0-500. rule-options: see docid qi-bda9yfylodx8-2smwz for details. action-options: see docid qi-bda9yfylodx8-2smwz for details |

### Configure ACL Redirection

ACL redirection can be configured to a specified interface, next hop, or next hop group.

Table 12 Configure ACL redirection

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Create an ACL table and enter its configuration view | `access-list table <name> { l3 \| l3v6 } ingress` | |
| Apply the ACL table to the interface | `bind interface { ethernet <interface-name> \| link-aggregation <lag-id> \| all }` | `all` binds to all interfaces |
| Create an ACL rule | `rule <rule-id> [ rule-options ] <action-options>` | rule-id also indicates the priority level, in the range 0-500. rule-options: see docid qi-bda9yfylodx8-2smwz for details. action-options: see docid qi-bda9yfylodx8-2smwz for details |

### Configure ACL Redirection Next Hop Group

ACL redirection can be configured to a specified interface, next hop, or next hop group.

Table 13 Configure ACL redirection next hop group

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Create an ACL redirection next hop group | `access-list nexthop-group <group-number>` | group-number: the range is 1-12 |
| Add a next hop | `ip-address { A.B.C.D \| A::B }` | Multiple next hops can be configured; the next hops must be reachable |
| Commit | `commit` | |
| Exit | `exit` | |
| Create an ACL table and enter its configuration view | `access-list table <name> { l3 \| l3v6 } ingress` | |
| Apply the ACL table to the interface | `bind interface { ethernet <interface-name> \| link-aggregation <lag-id> \| all }` | `all` binds to all interfaces |
| Create an ACL rule | `rule <rule-id> [ rule-options ] redirect-action nexthop-group <group-number>` | rule-id also indicates the priority level, in the range 0-500. rule-options: see docid qi-bda9yfylodx8-2smwz for details |

### Configure ACL-Based Complex Traffic Behavior

Please refer to "Configure ACL-based complex traffic behavior" in docid 1ai9lr9pg-ajax0zgqojr for details.

### Configure User-Defined ACL

Table 14 Configure user-defined ACL type

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Create a user-defined ACL type | `access-list user-defined-type { ipv4 \| ipv6 \| non-ip } <type-name>` | type-name: the name of the user-defined ACL type |
| Configure the type of bound interface | `bind-points { port \| switch }` | `port` indicates that the port must be specified in the ACL table; `switch` indicates that it is applied to the entire device |
| Configure match options | `matches <match-options>` | match-options: see the rule options for details |
| Configure actions | `actions <action-options>` | action-options: see ACL rule action for details |

Use the user-defined ACL type to configure the ACL table:

Table 15 Configure ACL table

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Create an ACL table and enter its configuration view | `access-list table <name> user-define-type <type-name> { ingress \| egress }` | |
| (Optional) Apply the ACL table to the interface | `bind interface { ethernet <interface-name> \| link-aggregation <lag-id> \| all }` | `all` binds to all interfaces. This command is available only when the bind-points field of the user-defined type is set to `port` |
| Create an ACL rule | `rule <rule-id> [ rule-options ] <action-options>` | rule-id also indicates the priority level, in the range 0-500. rule-options: see docid qi-bda9yfylodx8-2smwz for details. action-options: see docid qi-bda9yfylodx8-2smwz for details |

### Configure Control Plane ACL

Table 16 Configure ACL table

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Create an ACL table and enter its configuration view | `access-list table <name> ctrlplane { ssh \| snmp \| telnet \| ntp \| bgp }` | |
| (Optional) Apply the ACL table to the interface | `bind interface { ethernet <interface-name> \| link-aggregation <lag-id> \| all }` | `all` binds to all interfaces |
| Create an ACL rule | `rule { default-drop [ interface all ] } \| <rule-id> { source-ip \| source-ipv6 } packet-action { deny \| accept }` | `default-drop` means drop all packets. rule-id indicates the rule index, in the range 0-500 |

### Configure Packet Remarking

Please refer to "Configure packet remarking" in docid jcb6dzamlwg9udtghwbbb for details.

## Display and Maintenance

Table 17 ACL display and maintenance

| Purpose | Commands | Description |
|---|---|---|
| Show ACL rules | `show acl rule [ <table-name> ] [ <rule-id> ]` | The table and rule can be specified |
| Show ACL tables | `show acl table [ <table-name> ]` | The table can be specified |
| Show ACL matches | `show counters acl [ <table-name> ] [ <rule-id> ]` | Show the hit count; the table and rule can be specified |
| Clear ACL match count | `clear counters acl` | Clear the hit count |

## Typical Configuration Example

### L3 IPv4 ACL Configuration Example

**Networking requirements**

A company interconnects its departments via the switch. The server stores confidential technical information about the company and also backs it up to the cloud. To ensure information security, ACL rules must be configured correctly to achieve the following:

- Department A is prohibited from accessing resources on the server or in the cloud.
- Department B is prohibited from accessing the server resources directly, but can access the information by accessing the cloud.

**Topology**

**Procedure**

Configure the IP address of each port of the switch:

```
sonic# configure terminal
sonic(config)# interface ethernet 0/0
sonic(config-if-0/0)# ip address 192.168.4.1/24
sonic(config-if-0/0)# ex
sonic# configure terminal
sonic(config)# interface ethernet 0/1
sonic(config-if-0/1)# ip address 192.168.5.1/24
sonic(config-if-0/1)# ex
sonic# configure terminal
sonic(config)# interface ethernet 0/48
sonic(config-if-0/48)# ip address 192.168.10.1/24
sonic(config-if-0/48)# ex
sonic# configure terminal
sonic(config)# interface ethernet 0/52
sonic(config-if-0/52)# ip address 192.168.10.2/24
sonic(config-if-0/52)# ex
```

Configure the ACL rules. Packets received on Ethernet0 in the ingress direction with destination IP 192.168.20.2 are discarded:

```
sonic# configure terminal
sonic(config)# access-list table a l3 ingress
sonic(config-l3-acl-table-a)# bind interface ethernet 0/0
sonic(config-l3-acl-table-a)# rule 100 destination-ip 192.168.20.2 packet-action deny
sonic(config-l3-acl-table-a)# ex
```

Packets received on Ethernet1 in the ingress direction with destination IP 192.168.20.2 are redirected to Ethernet48:

```
sonic# configure terminal
sonic(config)# access-list table b l3 ingress
sonic(config-l3-acl-table-b)# bind interface ethernet 0/1
sonic(config-l3-acl-table-b)# rule 200 destination-ip 192.168.20.2 redirect-action 192.168.10.2
sonic(config-l3-acl-table-b)# ex
```

**Verify the configuration**

Verify that the ACL rules were configured successfully:

```
sonic# show acl table
Name     Type    Binding    Description    Stage
-------  ------  ---------  -------------  -------
table-b  L3      0/1        table-b        ingress
table-a  L3      0/0        table-a        ingress
sonic# show acl rule
Table    Rule      Priority    Action    Match
-------  --------  ----------  --------  ---------------------
table-b  rule-200  200         DROP      DST_IP: 192.168.20.2
table-a  rule-100  100         DROP      DST_IP: 192.168.20.2
table-a  rule-101  101         DROP      DST_IP: 192.168.10.2
```

A PC in Department A pinging the server does not work, and when a PC in Department B pings the server, the packets go to Ethernet48.
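As an added illustration (not the switch's own code and not part of this guide), the following Python model reproduces the ACL semantics described above: tables bind ports and carry a stage, each rule has a unique priority below 500 and may only use its table type's match fields, the highest-priority matching rule wins, and the packet-action values of Table 1 decide forwarding and CPU delivery. The two tables are the ones from the configuration example; the field sets in TABLE_FIELDS are a constructed subset of Tables 3 and 4, and the packet dictionaries are constructed input.

```python
"""Model of the ACL semantics in this guide (added example, not SONiC code):
port binding, unique priority < 500, highest priority wins, packet-action
meaning per Table 1, and the match-field restriction per table type."""
from ipaddress import ip_address, ip_network

# packet-action -> (forwarded, delivered to CPU), per Table 1
ACTIONS = {"permit": (True, False), "deny": (False, True), "drop": (False, False),
           "trap-to-cpu": (False, True), "copy-to-cpu": (True, True)}
# Match fields each table type may use (constructed subset of Tables 3 and 4)
TABLE_FIELDS = {"l2": {"source-mac", "destination-mac", "outer-vlan"},
                "l3": {"source-ip", "destination-ip", "ip-protocol", "destination-port"}}


class AclTable:
    def __init__(self, name, table_type, stage="ingress"):
        self.name, self.type, self.stage = name, table_type, stage
        self.ports, self.rules = set(), {}   # rules are keyed by priority

    def bind(self, *ports):
        self.ports.update(ports)

    def rule(self, priority, match, action):
        if not 0 <= priority < 500:
            raise ValueError("priority must be below 500")
        if priority in self.rules:
            raise ValueError("same priority twice in one table")
        if not set(match) <= TABLE_FIELDS[self.type]:
            raise ValueError("match field not allowed for table type %s" % self.type)
        self.rules[priority] = (match, action)


def _matches(match, pkt):
    for field, want in match.items():
        got = pkt.get(field)
        if field.endswith("-ip"):   # IP fields may carry a prefix, e.g. "10.1.1.0/24"
            if got is None or ip_address(got) not in ip_network(want, strict=False):
                return False
        elif got != want:           # other fields are exact matches
            return False
    return True


def apply_acl(tables, port, pkt, stage="ingress"):
    """Verdict for pkt seen on port: (forwarded, to_cpu, redirect_target)."""
    hits = [(prio, act) for t in tables if port in t.ports and t.stage == stage
            for prio, (m, act) in t.rules.items() if _matches(m, pkt)]
    if not hits:                                # no rule hit: normal forwarding
        return True, False, None
    _, action = max(hits, key=lambda h: h[0])   # highest priority wins
    if "redirect-action" in action:
        return True, False, action["redirect-action"]
    fwd, cpu = ACTIONS[action["packet-action"]]
    return fwd, cpu, None


# The two tables from the configuration example
table_a = AclTable("a", "l3")
table_a.bind("ethernet0/0")
table_a.rule(100, {"destination-ip": "192.168.20.2/32"}, {"packet-action": "deny"})
table_b = AclTable("b", "l3")
table_b.bind("ethernet0/1")
table_b.rule(200, {"destination-ip": "192.168.20.2/32"}, {"redirect-action": "192.168.10.2"})
TABLES = [table_a, table_b]
```

Calling `apply_acl(TABLES, "ethernet0/0", {"destination-ip": "192.168.20.2"})` yields the deny verdict of table a, while the same packet on ethernet0/1 is redirected to 192.168.10.2 and on an unbound port is forwarded normally.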
