Saturday, March 10, 2018

Extreme Switch - How to create Dynamic ACLs in EXOS


There are two ways to create ACLs in EXOS: policy files and dynamic ACLs.

Policy-based ACLs are the common approach and are easy to modify. Please refer to the following post on how to create a policy-based ACL.



In this post, I will show you how to create Dynamic ACLs.


Dynamic ACLs are created using the CLI. They use similar syntax and can accomplish the same actions as single rule entries used in ACL policy files. More than one dynamic ACL can be applied to an interface, and the precedence among the dynamic ACLs is determined as they are being configured.

Dynamic ACLs have higher precedence than ACLs applied using a policy file.

There are two steps to using a dynamic ACL on an interface (checking its status and removing it are shown as Steps 3 and 4):

Step 1. Create the dynamic ACL rule.

Syntax example (denying ICMP echo-requests):
create access-list icmp-echo "protocol icmp;icmp-type echo-request" "deny"


Step 2. Configure the ACL rule on the interface or VLAN.


exos_switch # configure access-list add icmp-echo first ports 1 egress
 done!

exos_switch # configure access-list add icmp-echo first vlan marketing egress
 done!

Step 3. Check the ACL status.


exos_switch # show access-list dynamic
Dynamic Rules: ((*)- Rule is non-permanent )

(*)hclag_arp_0_4_96_9b_b3_17       Bound to 0 interfaces for application HealthCheckLAG
   icmp-echo                       Bound to 1 interfaces for application Cli


Step 4. Remove the ACL.


exos_switch # configure access-list delete icmp-echo all
 done!


▶ Creating the Dynamic ACL Rule


Creating a dynamic ACL rule is similar to creating an ACL policy file rule entry. You will specify the name of the dynamic ACL rule, the match conditions, and the actions and action-modifiers. The match conditions, actions, and action-modifiers are the same as those that are available for ACL policy files.

In contrast to ACL policy file entries, dynamic ACLs are created directly in the CLI. The syntax for creating a dynamic ACL is:

create access-list <dynamic-rule> <conditions> <actions>

As an example of creating a dynamic ACL rule, let's compare an ACL policy file entry with the CLI command that creates the equivalent dynamic ACL rule. The following ACL policy file entry will drop all ICMP echo-requests:
entry icmp-echo {
 if {
  protocol icmp;
  icmp-type echo-request;
 } then {
  deny;
 }
}


To create the equivalent dynamic ACL rule, use the following command:
create access-list icmp-echo "protocol icmp;icmp-type echo-request" "deny"
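As an added example (not code from the original post or from Extreme Networks), the following Python script performs the translation shown above in the other direction: it parses policy-file entries of the `entry name { if { ... } then { ... } }` form and emits the equivalent `create access-list` CLI command for each. The first sample entry is the post's icmp-echo rule; the second (deny-telnet, with the counter name telnet_drops) is constructed for the demonstration.

```python
import re
from typing import List

# Constructed sample policy file: the post's icmp-echo entry plus a second
# entry (deny-telnet) made up for this demonstration.
SAMPLE_POLICY = """
entry icmp-echo {
 if {
  protocol icmp;
  icmp-type echo-request;
 } then {
  deny;
 }
}
entry deny-telnet {
 if {
  protocol tcp;
  destination-port 23;
 } then {
  deny;
  count telnet_drops;
 }
}
"""

# One policy entry: name, the if-block body and the then-block body.
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\S+)\s*\{\s*if\s*\{(?P<cond>.*?)\}\s*then\s*\{(?P<act>.*?)\}\s*\}",
    re.DOTALL,
)


def _statements(block: str) -> List[str]:
    """Split a brace body into its ';'-terminated statements, whitespace-normalised."""
    return [" ".join(s.split()) for s in block.split(";") if s.strip()]


def policy_entries_to_dynamic(policy_text: str) -> List[str]:
    """Return one 'create access-list <name> "<conditions>" "<actions>"' command per entry."""
    commands = []
    for m in ENTRY_RE.finditer(policy_text):
        conditions = ";".join(_statements(m.group("cond")))
        actions = ";".join(_statements(m.group("act")))
        if not conditions or not actions:
            raise ValueError(f"entry {m.group('name')} lacks conditions or actions")
        commands.append(f'create access-list {m.group("name")} "{conditions}" "{actions}"')
    return commands


if __name__ == "__main__":
    for cmd in policy_entries_to_dynamic(SAMPLE_POLICY):
        print(cmd)
```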


▶ Configuring the ACL Rule on the Interface


Once a dynamic ACL rule has been created, it can be applied to a port, VLAN, or to the wildcard interface. When the ACL is applied, you will specify the precedence of the rule among the dynamic ACL rules. Use the following command to configure the dynamic ACL rule on an interface:

configure access-list add <dynamic_rule> [after <rule> | before <rule> | first | last] [any | ports <portlist> | vlan <vlanname>] {ingress | egress}

To remove a dynamic ACL from an interface, use the following command:
configure access-list delete <ruleName> [all | any | ports <portlist> | vlan <vlanname>] {ingress | egress}


▶ ACL Evaluation Precedence


This section discusses the precedence for evaluation among ACL rules.

Precedence of Dynamic ACLs
Dynamic ACLs have higher precedence than any ACLs applied using policy files. The precedence among any dynamic ACLs is determined as they are configured.

Precedence within an ACL
An ACL is a policy file that contains one or more rules. In EXOS, each rule can be one of the following types:
  • L2 rule—a rule containing only Layer 2 (L2) matching conditions, such as Ethernet MAC address and Ethernet type.
  • L3 rule—a rule containing only Layer 3 (L3) matching conditions, such as source or destination IP address and protocol.
  • L4 rule—a rule containing both Layer 3 (L3) and Layer 4 (L4) matching conditions, such as TCP/UDP port number.

Precedence among interface types
As an example of precedence among interface types, suppose a physical port 1:2 is a member port of a VLAN yellow. The ACL evaluation is performed in the following sequence:
  • If the ACL is configured on port 1:2, the port-based ACL is evaluated and the evaluation process terminates.
  • If the ACL is configured on the VLAN yellow, the VLAN-based ACL is evaluated, and the evaluation process terminates.
  • If the wildcard ACL is configured, the wildcard ACL is evaluated, and the evaluation process terminates.

In summary, the port-based ACL has the highest precedence, followed by the VLAN-based ACL, and then the wildcard ACL.

