There are two ways to create an ACL in EXOS: policy-based and dynamic.
Policy-based ACLs are the common approach, and because the rules live in a text file the list is easy to modify.
In this post, I will show you how to create policy-based ACLs.
Please refer to the following post on how to create Dynamic ACLs.
- Step 1. Create a policy file.
1. Type vi <filename>.pol to create a policy file.
exos_switch # vi block_ip.pol
In the vi editor, press the i key to enter insert mode.
* Here is a link if you want to know more about the vi editor:
How do I edit a file in vi editor?
[Optional]
Alternatively, you may upload the .pol file to the switch via TFTP as below.
exos_switch.1 # download url tftp://134.141.115.254/block_ip.pol
Downloading tftp://134.141.115.254/block_ip.pol
exos_switch.1 # ls
-rw-rw-rw- 1 root root 165 Mar 24 15:32 block_ip.pol
drw-r--r-- 2 root root 1024 Feb 6 2020 cc_logs
drw-r--r-- 2 root root 1024 Mar 21 2018 lost+found
-rw-rw-rw- 1 admin admin 557413 Nov 10 21:12 primary.cfg
-rw-r--r-- 1 admin admin 1256763 Apr 22 2019 primary_slotted.cfg
drw-r--r-- 4 root root 1024 May 6 2019 ssl
drwxr-xr-x 2 root root 1024 Nov 10 20:27 vmt
※ To delete the created policy file, use the rm command as below.
rm block_ip.pol
2. Create the entries in the policy file in the editor.
Syntax example:
entry acl_entry { if { <MATCH_CONDITIONS> } then { <ACTION_MODIFIERS> } }
- ACL Policy Examples
2-1. Example of Blocking IP address
entry block_acl {
if {
source-address 10.10.10.10/32;
} then {
deny;
count block_acl_count;
}
}
2-2. Example of Allowing source and destination IP pair (match all)
entry AllowIP {
if match all {
source-address 192.168.100.1/32;
destination-address 10.10.10.10/32;
} then {
permit;
count AllowIP_count;
}
}
2-3. Example of Deny specific IP and Allow others (match all)
entry DenyIP {
if match all{
source-address 10.10.10.0/24;
destination-address 10.10.100.0/24;
} then {
count DenyIP_Count;
deny;
}
}
entry AllowOthers {
if match all{
source-address 10.10.10.0/24;
destination-address 0.0.0.0/0;
} then {
count AllowOthers_Count;
permit;
}
}
2-4. Example of Permit source and destination IP, protocol, source and destination ports (the source-port range below is a sample value; the original line "source-port udp;" is not valid syntax, since source-port takes a port number or range).
entry udp_acl {
if {
source-address 192.168.100.0/24;
destination-address 10.10.10.10/32;
protocol udp;
source-port 1024 - 65535;
destination-port 1200 - 1250;
} then {
permit;
}
}
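As an added example (not code from the original post), the Python script below renders a block-list policy file in the entry/if/then syntax shown above, one deny-and-count entry per prefix plus an allow-others entry, and pre-checks brace balance and statement terminators before you run check policy on the switch. The entry names block_N and allow_others are my own choices.

```python
import ipaddress

def build_block_policy(block_cidrs, allow_others=True):
    """Render an EXOS policy file that denies each CIDR and counts hits.

    Each prefix gets its own entry with a count action named after it,
    so 'show access-list counter' reveals which prefix is being hit.
    """
    lines = []
    for index, cidr in enumerate(block_cidrs, start=1):
        # strict=False normalises host bits (10.10.10.5/24 -> 10.10.10.0/24);
        # an invalid string raises ValueError before a bad file is written.
        net = ipaddress.ip_network(cidr, strict=False)
        name = f"block_{index}"
        lines += [
            f"entry {name} {{",
            "    if match all {",
            f"        source-address {net.with_prefixlen};",
            "    } then {",
            f"        count {name}_count;",
            "        deny;",
            "    }",
            "}",
        ]
    if allow_others:
        lines += [
            "entry allow_others {",
            "    if match all {",
            "        source-address 0.0.0.0/0;",
            "    } then {",
            "        count allow_others_count;",
            "        permit;",
            "    }",
            "}",
        ]
    return "\n".join(lines) + "\n"

def check_braces(policy_text):
    """Cheap pre-check before 'check policy' on the switch: braces must
    balance and every statement inside an if/then block must end with ';'."""
    depth = 0
    for line in policy_text.splitlines():
        stripped = line.strip()
        depth += stripped.count("{") - stripped.count("}")
        if depth < 0:
            return False
        if depth > 1 and not stripped.endswith(("{", "}", ";")):
            return False
    return depth == 0
```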
3. Exit insert mode by pressing the Esc key.
4. Save and exit by typing :wq
5. Check the policy file you have created.
exos_switch # check policy block_ip.pol
Policy file check successful.
You should be able to see the created file using the 'ls' command as below.
Switch # ls
-rw-r--r-- 1 admin admin 79 Apr 24 16:34 block_ip.pol
-rw-r--r-- 1 root root 517276 Feb 15 2018 config_02152018.cfg
drw-r--r-- 2 root root 1024 Sep 14 2016 lost+found
-rw-rw-rw- 1 root root 795761 May 11 21:34 primary.cfg
1K-blocks Used Available Use%
177480 2897 174583 2%
- Step 2. Apply the policy file.
6. Apply the ACL to ports or to a VLAN with the configure access-list command. Do not include the .pol extension in the policy name.
6-1. Apply the ACL to ports
configure access-list <policyname> ports <portlist> [ingress|egress]
Switch # configure access-list block_ip ports 1-63 ingress
done!
6-2. Apply the ACL to a VLAN
configure access-list <policyname> vlan <vlanname> [ingress|egress]
Switch # configure access-list block_ip vlan vlan100 ingress
done!
* Note that not all platforms support egress ACLs. Details can be found in the following article:
What EXOS platforms support egress ACLs?
- Step 3. Check the ACL status.
7. Use the following command to check the ACL status.
exos_switch # show access-list
Vlan Name   Port   Policy Name   Dir       Rules   Dyn Rules
===================================================================
*           1      block_ip      ingress   1       0
*           2      block_ip      ingress   1       0
*           3      block_ip      ingress   1       0
...snipped...
*           62     block_ip      ingress   1       0
*           63     block_ip      ingress   1       0
*           69                   ingress   0       1
- How to Unconfigure an ACL or Delete a Policy file.
8. Use the unconfigure access-list command if you want to remove the ACL from the interface.
exos_switch # unconfigure access-list block_ip
done!
9. You can delete the policy file after you have configured it.
exos_switch # ls
-rw-r--r-- 1 admin admin 2 Oct 28 09:13 block_ip.pol
drwxrwxrwx 2 root root 1024 Jan 29 2019 cc_logs
drw-r--r-- 2 root root 1024 Nov 20 2017 lost+found
-rw-rw-rw- 1 admin admin 903935 Oct 20 08:37 primary.cfg
exos_switch # rm block_ip.pol
Remove block_ip.pol from /usr/local/cfg? (y/N) Yes
- Refreshing a Policy file.
When a policy file is changed (such as adding, deleting an entry, adding/deleting/modifying a statement), the information in the policy database does not change until the policy is refreshed. The user must refresh the policy so that the latest copy of the policy is used.
When the policy is refreshed, the new policy file is read, processed, and stored in the server database. Any clients that use the policy are updated. To refresh the policy, use the following command:
refresh policy <policy name> (without .pol in the policy name)
Switch # refresh policy block_acl
Policy block_acl refresh done!
* NOTE: For ACL policies only, during the time that an ACL policy is refreshed, packets on the interface are blackholed, by default. This is to protect the switch during the short time that the policy is being applied to the hardware.
- Additional Notes (ACL counter)
To count the packets that match a condition, use "count <counter_name>;" as an action modifier.
For example, the entry below will match all traffic with a source IP of 192.168.31.122 and a destination IP of 192.168.32.41. Every packet that hits this ACL will increment the counter:
entry one {
if match all {
source-address 192.168.31.122/32 ;
destination-address 192.168.32.41/32 ;
} then {
count test ;
permit ;
}
}
To check the ACL counters, use the command: show access-list counter {ingress | egress}
exos_switch # show access-list counter ingress
Policy Name    Vlan Name    Port    Direction
  Counter Name              Packet Count    Byte Count
==================================================================
one            *            1       ingress
  test                      7
Example)
exos_switch # show access-list counter
Policy Name    Vlan Name    Port    Direction
  Counter Name              Packet Count    Byte Count
==================================================================
block_ip       *            1       ingress
  block                     0
block_ip       *            2       ingress
  block                     0
block_ip       *            3       ingress
  block                     0
block_ip       *            4       ingress
  block                     0
block_ip       *            5       ingress
  block                     0
block_ip       *            6       ingress
  block                     0
block_ip       *            7       ingress
  block                     0
block_ip       *            8       ingress
  block                     53587354
block_ip       *            9       ingress
  block                     53586236
block_ip       *            10      ingress
  block                     0
block_ip       *            11      ingress
  block                     0
...snipped...
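As an added example (not from the original post), this Python snippet parses the two-line-per-port layout of show access-list counter into rows and lists the ports whose named counter is non-zero, which is how you spot where a deny entry is actually absorbing traffic. The sample output is constructed to mirror the page's format, with the same policy and counter names.

```python
import re

# Constructed sample in the layout 'show access-list counter' prints:
# a policy/port line followed by an indented counter line.
SAMPLE_OUTPUT = """\
Policy Name    Vlan Name    Port    Direction
  Counter Name              Packet Count    Byte Count
==================================================================
block_ip       *            7       ingress
  block                     0
block_ip       *            8       ingress
  block                     53587354
block_ip       *            9       ingress
  block                     53586236
one            *            1       ingress
  test                      7
"""

# Policy line: policy, vlan, port, direction. Header and '====' lines do not
# match because they lack a trailing ingress/egress token or have leading space.
POLICY_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(ingress|egress)\s*$")
# Counter line: indented counter name, packet count, optional byte count.
COUNTER_LINE = re.compile(r"^\s+(\S+)\s+(\d+)(?:\s+(\d+))?\s*$")

def parse_counters(text):
    """Return a list of (policy, port, direction, counter, packets) tuples."""
    rows, current = [], None
    for line in text.splitlines():
        m = POLICY_LINE.match(line)
        if m:
            current = (m.group(1), m.group(3), m.group(4))
            continue
        m = COUNTER_LINE.match(line)
        if m and current:
            policy, port, direction = current
            rows.append((policy, port, direction, m.group(1), int(m.group(2))))
    return rows

def ports_with_hits(rows, counter_name):
    """Ports whose named counter is non-zero, most packets first."""
    hits = [(r[1], r[4]) for r in rows if r[3] == counter_name and r[4] > 0]
    return sorted(hits, key=lambda h: h[1], reverse=True)
```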