netberg | Main

Access Control Lists – ACLs

This section describes the commands you use to configure IP Access Control List (ACL) settings. IP ACLs ensure that only authorized users have
access to specific resources and block any unwarranted attempts to reach network resources.

Example model & SONiC version:

Aurora 615/715
Netberg SONiC: sonic-202012-nb-inno-211121

You configure ACLs in SONiC using:

The SONiC ConfigDB, defined in /etc/sonic/config_db.json.
The SONiC CLI – with limited capabilities.

There is no direct CLI command to add or delete or modify the ACL table and ACL rule. Existing ACL tables and ACL rules can be updated by specifying the ACL
rules in json file formats and configure those files using this CLI command.

Different platforms have different supported ACL actions.

Configure ACL Tables Using ConfigDB

The following table contains the ConfigDB schema. The schema is defined according to ABNF RFC 5234 syntax; refer to RFC 5234 for more information about the schema definition.

Field	Value	Description
ACL_TABLE	name	The name must be unique within the ACL_TABLE table. The name is used to reference this table from other places in the SONiC configuration database.
POLICY_DESC	1*255VCHAR	The W of the ACL policy table description, user defined description for the table.
TYPE	1*255VCHAR	Type of ACL table, every type of table defines the match/action a specific set of match and actions. See the next table below for details on the type field.
PORTS	[0-INF]*port_name	The list of ports to which this ACL table is applied, this field can be empty.
STAGE	“INGRESS”/”EGRESS”	ACL table stage, either ingress or egress.
SERVICES	[0-INF]*service_name	List of services, valid only for TYPE=CTRLPLANE.

The TYPE field can be one of the following:

Type	Bind Port Types Supported	Match Fields Supported	Supported ACL Rule Actions
L3	PORT, LAG	ETHER_TYPE IP_TYPE IP_PROTOCOL SRC_IP DST_IP ICMP_TYPE ICMP_CODE L4_SRC_PORT L4_DST_PORT TCP_FLAGS L4_DST_PORT_RANGE L4_SRC_PORT_RANGE	PACKET_ACTION REDIRECT_ACTION DO_NOT_NAT_ACTION MIRROR_INGRESS_ACTION MIRROR_EGRESS_ACTION MIRROR_ACTION
L3V6	PORT,LAG	ETHER_TYPE IP_TYPE IP_PROTOCOL SRC_IPV6 DST_IPV6 ICMPV6_TYPE ICMPV6_CODE L4_SRC_PORT L4_DST_PORT TCP_FLAGS L4_DST_PORT_RANGE L4_SRC_PORT_RANGE	PACKET_ACTION REDIRECT_ACTION DO_NOT_NAT_ACTION
MIRROR	PORT,LAG	ETHER_TYPE IP_TYPE IP_PROTOCOL SRC_IP DST_IP ICMP_TYPE ICMP_CODE SRC_IPV6 () DST_IPV6 () ICMPV6_TYPE () ICMPV6_CODE () L4_SRC_PORT L4_DST_PORT TCP_FLAGS L4_DST_PORT_RANGE L4_SRC_PORT_RANGE	MIRROR_INGRESS_ACTION MIRROR_EGRESS_ACTION MIRROR_ACTION
MIRRORV6	PORT,LAG	IP_TYPE IP_PROTOCOL SRC_IP DST_IP ICMP_TYPE ICMP_CODE SRC_IPV6 () DST_IPV6 () ICMPV6_TYPE () ICMPV6_CODE () L4_SRC_PORT L4_DST_PORT TCP_FLAGS L4_DST_PORT_RANGE L4_SRC_PORT_RANGE	MIRROR_INGRESS_ACTION MIRROR_EGRESS_ACTION MIRROR_ACTION
MIRROR_DSCP	PORT,LAG	DSCP	MIRROR_INGRESS_ACTION MIRROR_EGRESS_ACTION MIRROR_ACTION
DTEL_FLOW_WATCHLIST	SWITCH	Please refer to https://github.com/Azure/SONiC/blob/master/doc/barefoot_dtel/Dtel-SONiC.md
DTEL_DROP_WATCHLIST	SWITCH	Please refer to https://github.com/Azure/SONiC/blob/master/doc/barefoot_dtel/Dtel-SONiC.md

Sample json “acl.json”:

"ACL_TABLE": {
            "ACL_TABLE:0d41db739a2cc107": {
                    "policy_desc" : "Permit some traffic, for the customer #4",
                    "type" : "L3"
                    "ports" : [
                        "port1",
                        "port2",
                        "port3"
                    ] # physical port names
            },
            "OP": "SET"
        },
        {
            "ACL_RULE_TABLE:0d41db739a2cc107:3f8a10ff": {
                    "priority" : "55",
                    "IP_PROTOCOL" : "TCP",
                "SRC_IP" : "20.0.0.0/25",
                "DST_IP" : "20.0.0.0/23",
                "L4_SRC_PORT_RANGE: "1024-65535",
                "L4_DST_PORT_RANGE: "80-89",
                    "PACKET_ACTION" : "FORWARD"
            },
            "OP": "SET"
        },

Apply it by:

admin@nba715:~$ sudo config load acl.json -y
admin@nba715:~$ sudo config save -y

Field	Value	Description
key	ACL_RULE_TABLE:table_name:rule_name	The key of the rule entry in the table, the sequence is the order of the rules when the packet is filtered by the ACL “policy_name”. A rule is always associated with a policy.
priority	1*3DIGIT	The rule priority. Valid values range are platform dependent. You can always check it in logs: admin@switch:~$ show log / grep ‘Get ACL entry priority values’ Apr 22 16:46:55.967195 switch NOTICE swss#orchagent: :- init: Get ACL entry priority values, min: 0, max: 16381
packet_action	“forward”/”drop”/”mirror”	An action when the fields are matched. Mirror action only available to mirror acl table type)
mirror_action	1*255VCHAR	Refer to the mirror session. By default this is an ingress mirror action.
mirror_ingress_action	1*255VCHAR	Refer to the mirror session.
mirror_egress_action	1*255VCHAR	Refer to the mirror session.
ether_type	h16	Ethernet type field.
ip_type	ip_types	Options for the l2_protocol_type field.
ip_protocol	h8	Options for the l3_protocol_type field.
src_ip	ipv4_prefix	Options for the source IPv4 address (and mask) field.
dst_ip	ipv4_prefix	Options for the destination IPv4 address (and mask) field.
src_ipv6	ipv6_prefix	Options for the source IPv6 address (and mask) field.
dst_ipv6	ipv6_prefix	Options for the destination IPv6 address (and mask) field.
l4_src_port	port_num	The source L4 port.
l4_dst_port	port_num	The destination L4 port.
l4_src_port_range	port_num_L-port_num_H	The source port range of the L4 ports field.
l4_dst_port_range	port_num_L-port_num_H	The destination port range of the L4 ports field.
tcp_flags	h8/h8	TCP flags field and mask.
dscp	h8	The DSCP field, which is only available for mirror table type.
icmp_type	h8/h8	The ICMP type and mask.
icmpv6_type	h8/h8	The ICMPv6 type and mask.
icmp_code	h8/h8	The ICMP code and mask.
icmpv6_code	h8/h8	The ICMPv6 code and mask.
in_ports	string	A comma-separated list of inbound ports to match.
out_ports	string	A comma-separated list of outbound ports to match value annotations.

value annotations
ip_types = any | ip | ipv4 | ipv4any | non_ipv4 | ipv6any | non_ipv6
port_num      = 1*5DIGIT   ; a number between 0 and 65535
port_num_L    = 1*5DIGIT   ; a number between 0 and 65535,
                           ; port_num_L < port_num_H
port_num_H    = 1*5DIGIT   ; a number between 0 and 65535,
                           ; port_num_L < port_num_H
ipv6_prefix   =                 6( h16 ":" ) ls32
   /                       "::" 5( h16 ":" ) ls32
   / [               h16 ] "::" 4( h16 ":" ) ls32
   / [ *1( h16 ":" ) h16 ] "::" 3( h16 ":" ) ls32
   / [ *2( h16 ":" ) h16 ] "::" 2( h16 ":" ) ls32
   / [ *3( h16 ":" ) h16 ] "::"    h16 ":"   ls32
   / [ *4( h16 ":" ) h16 ] "::"              ls32
   / [ *5( h16 ":" ) h16 ] "::"              h16
   / [ *6( h16 ":" ) h16 ] "::"
h8          = 1*2HEXDIG
h16         = 1*4HEXDIG
ls32        = ( h16 ":" h16 ) / IPv4address
ipv4_prefix = dec-octet "." dec-octet "." dec-octet "." dec-octet “/” %d1-32
dec-octet   = DIGIT                     ; 0-9
                / %x31-39 DIGIT         ; 10-99
                / "1" 2DIGIT            ; 100-199
                / "2" %x30-34 DIGIT     ; 200-249

SONiC CLI

config acl add table

This command is used to create new ACL tables.

Usage:


config acl add table [OPTIONS] <table_name> <table_type> [-d <description>] [-p <ports>] [-s (ingress | egress)]

Parameters:
    table_name: The name of the ACL table to create.
    table_type: The type of ACL table to create (e.g. "L3", "L3V6", "MIRROR")
    description: A description of the table for the user. (default is the table_name)
    ports: A comma-separated list of ports/interfaces to add to the table. The behavior is as follows:
        Physical ports will be bound as physical ports
        Portchannels will be bound as portchannels - passing a portchannel member is invalid
        VLANs will be expanded into their members (e.g. "Vlan1000" will become "Ethernet0,Ethernet2,Ethernet4...")
    stage: The stage this ACL table will be applied to, either ingress or egress. (default is ingress)

Examples:

admin@nba715:~$ sudo config acl add table EXAMPLE_1 L3 -p Ethernet4,Ethernet8 -s ingress
admin@nba715:~$ sudo config acl add table EXAMPLE_2 L3V6 -p Vlan1000,Ethernet124 -s egress
admin@nba715:~$ show acl table
Name       Type    Binding      Description    Stage
---------  ------  -----------  -------------  -------
EXAMPLE    L3      Ethernet4    EXAMPLE_1      ingress
                   Ethernet8
EXAMPLE_2  L3V6    Ethernet0    EXAMPLE_2      egress
                   Ethernet124

config acl update full

This command is to update the rules in all the tables or in one specific table in full. If a table_name is provided, the operation will
be restricted in the specified table. All existing rules in the specified table or all tables will be removed. New rules loaded from file will be installed.

might be replaced with acl-loader update full

admin@nba715:~$ sudo config acl update full --help
Usage: config acl update full [OPTIONS] FILE_NAME
Full update of ACL rules configuration.
admin@nba715:~$ sudo acl-loader update full --help
Usage: acl-loader update full [OPTIONS] FILENAME

Full update of ACL rules configuration. If a table_name is provided, the
operation will be restricted in the specified table.

Options:
  --table_name TEXT
  --session_name TEXT
  --mirror_stage [ingress|egress]
  --max_priority INTEGER
  --help                          Show this message and exit.

config acl update incremental

This command is used to perform incremental update of ACL rule table. This command gets existing rules from Config DB and compares with rules specified
in input file and performs corresponding modifications.

might be replaced with acl-loader update incremental

admin@nba715:~$ sudo config acl update incremental ?
Usage: acl-loader update incremental [OPTIONS] FILENAME
a1dmin@nba715:~$ sudo config acl update incremental --help
Usage: config acl update incremental [OPTIONS] FILE_NAME

Incremental update of ACL rule configuration.

Options:
  -?, -h, --help  Show this message and exit.

Control Plane ACL

There is no CLI command for that.

First, create a table for the control plane:

admin@nba715:~$sudo nano service_table.json
{
"ACL_TABLE": {
        "CTRL": {
            "policy_desc": "CTRLPLN ACL",
            "services": [
                    "SSH",
                    "SNMP"
                    "SCP"
            ],
            "type": "CTRLPLANE"
        }
    }
}
admin@nba715:~$ sudo config load service_table.json -y
admin@nba715:~$ show acl table
Name       Type       Binding      Description    Stage
---------  ---------  -----------  -------------  -------
CTRL       CTRLPLANE  SNMP         CTRLPLANE ACL  ingress

Second, create rules for it:

admin@nba715:~$sudo nano service_table.json
{
    "ACL_RULE": {
        "CTRL|ADM_ACCEPT": {
            "PACKET_ACTION": "ACCEPT",
            "PRIORITY": "1",
            "SRC_IP": "192.168.0.10/24"
        }
    }
}
admin@sonic:~$ sudo config load CTRL_ACE.json -y
Running command: /usr/local/bin/sonic-cfggen -j ctrl_rule.json --write-to-db
admin@nba715:~$ show acl rule
Table    Rule          Priority  Action    Match
-------  ----------  ----------  --------  -----------------------
CTRL     ADM_ACCEPT           1  ACCEPT    SRC_IP: 192.168.0.10/24

Access Control Lists – ACLs

Configure ACL Tables Using ConfigDB

SONiC CLI

config acl add table

config acl update full

config acl update incremental

Control Plane ACL

NEWS

Latest news

Official SONiC support for the Innovium Teralynx platforms.

Netberg introduces Innovium Teralynx-based platforms

Netberg Launches Custom Networking Solutions

Netberg adds Stratum to its Barefoot Tofino-based switches

Netberg Joins Telecom Infra Project (TIP)

Netberg Launches a New Academia and Research Program