Saturday, March 3, 2018

Extreme Switch - How to create an ACL in EXOS


Creating an ACL in EXOS is very useful when you are troubleshooting traffic-forwarding issues, or when you need to block a source IP address that is generating massive DoS-type flooding traffic. Here are the steps to create an ACL, with some examples.

There are two ways to create an ACL in EXOS: policy-based ACLs and dynamic ACLs.

Policy-based ACLs are the common approach, and the list is easy to modify. Please refer to the following post on how to create dynamic ACLs.

Extreme Switch - How to create Dynamic ACLs in EXOS

In this post, I will show you how to create policy-based ACLs.


1. Type vi <filename>.pol to create the policy file

exos_switch # vi block_ip.pol

In the vi editor, press the i key to enter insert mode.
* Here is a link if you want to know more about the vi editor.
How do I edit a file in vi editor?

[Optional]
Alternatively, you may upload the .pol file to the switch via TFTP as below.

exos_switch.1 # download url tftp://134.141.115.254/block_ip.pol
Downloading tftp://134.141.115.254/block_ip.pol

exos_switch.1 # ls
-rw-rw-rw-    1 root     root           165 Mar 24 15:32 block_ip.pol
drw-r--r--    2 root     root          1024 Feb  6  2020 cc_logs
drw-r--r--    2 root     root          1024 Mar 21  2018 lost+found
-rw-rw-rw-    1 admin    admin       557413 Nov 10 21:12 primary.cfg
-rw-r--r--    1 admin    admin      1256763 Apr 22  2019 primary_slotted.cfg
drw-r--r--    4 root     root          1024 May  6  2019 ssl
drwxr-xr-x    2 root     root          1024 Nov 10 20:27 vmt


2. Create the entries in the policy file in the editor.

Syntax example:
entry acl_entry{
    if {
       <MATCH_CONDITIONS>
    } then {
       <ACTION_MODIFIERS>
    }
}
Details on match conditions, actions, and action modifiers can be found in the EXOS User Guide.

2-1. Example of blocking an IP address
entry block_acl {
    if {
        source-address 10.10.10.10/32;
    } then {
        deny;
        count block_acl_count;
    }
}

2-2. Example of allowing a source and destination IP pair (match all)
entry AllowIP {
    if match all {
        source-address 192.168.100.1/32;
        destination-address 10.10.10.10/32;
    } then {
        permit;
        count AllowIP_count;
    }
}

2-3. Example of denying a specific IP pair and allowing the others (match all). Entries are evaluated from top to bottom and the first match wins, so the deny entry must come before the broader permit entry.
entry DenyIP {
    if match all {
        source-address 10.10.10.0/24;
        destination-address 10.10.100.0/24;
    } then {
        count DenyIP_Count;
        deny;
    }
}
entry AllowOthers {
    if match all {
        source-address 10.10.10.0/24;
        destination-address 0.0.0.0/0;
    } then {
        count AllowOthers_Count;
        permit;
    }
}

3. Exit insert mode by pressing the Esc key.


4. Save and exit by typing :wq


5. Check the policy file you have created.

exos_switch # check policy block_ip.pol
Policy file check successful.

You can also confirm that the file exists with the ls command, as below.
Switch # ls
-rw-r--r-- 1 admin admin 79 Apr 24 16:34 block_ip.pol
-rw-r--r-- 1 root root 517276 Feb 15 2018 config_02152018.cfg
drw-r--r-- 2 root root 1024 Sep 14 2016 lost+found
-rw-rw-rw- 1 root root 795761 May 11 21:34 primary.cfg

1K-blocks Used Available Use%
177480 2897 174583 2%


6. Apply the ACL to an interface or VLAN with the configure access-list command.

6-1. Apply the ACL to an interface
configure access-list [policyname] ports [portlist] [ingress|egress]   (don't include the .pol extension in the policy name)

Switch # configure access-list block_ip ports 1-63 ingress
 done!


6-2. Apply the ACL to a VLAN
configure access-list [policyname] vlan [vlanname] [ingress|egress]

Switch # configure access-list block_ip vlan vlan100 ingress
 done!


* Note that not all platforms support egress ACLs. Details can be found in the following article:
What EXOS platforms support egress ACLs?

7. Check the ACL status.

exos_switch # show access-list
Vlan Name    Port   Policy Name          Dir      Rules  Dyn Rules
===================================================================
*            1      block_ip             ingress  1      0
*            2      block_ip             ingress  1      0
*            3      block_ip             ingress  1      0
...snipped...
*            62     block_ip             ingress  1      0
*            63     block_ip             ingress  1      0
*            69                               ingress  0      1


8. Use the unconfigure command if you want to remove the ACL from the interface.

exos_switch # unconfigure access-list block_ip
 done!
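Because EXOS evaluates policy entries top-down and stops at the first match, an entry placed after a broader one (for example AllowOthers before DenyIP in example 2-3) can never be hit. The script below is an added example, not part of the original post: it parses the .pol entry syntax shown above and reports such shadowed entries. It assumes IPv4 source-address/destination-address conditions and match-all entries only (the sample policy is constructed).

```python
import ipaddress
import re

# Constructed sample in the .pol syntax used above: AllowOthers has been placed
# BEFORE the more specific DenyIP entry, so DenyIP can never match.
SAMPLE_POL = """\
entry AllowOthers {
    if match all {
        source-address 10.10.10.0/24;
        destination-address 0.0.0.0/0;
    } then { count AllowOthers_Count; permit; }
}
entry DenyIP {
    if match all {
        source-address 10.10.10.0/24;
        destination-address 10.10.100.0/24;
    } then { count DenyIP_Count; deny; }
}
"""

# One entry: name, match-condition block, action block ("if {" and
# "if match all {" are treated alike; "match any" entries are not handled).
ENTRY_RE = re.compile(
    r"entry\s+(\w+)\s*\{\s*if(?:\s+match\s+all)?\s*\{(.*?)\}\s*then\s*\{(.*?)\}", re.S)
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_policy(text):
    """Return [(name, src_net, dst_net, action)]; an absent address means any."""
    entries = []
    for name, conds, actions in ENTRY_RE.findall(text):
        src, dst = ANY, ANY
        for cond in conds.split(";"):
            key, _, val = cond.strip().partition(" ")
            if key == "source-address":
                src = ipaddress.ip_network(val.strip(), strict=False)
            elif key == "destination-address":
                dst = ipaddress.ip_network(val.strip(), strict=False)
        action = "deny" if re.search(r"\bdeny\s*;", actions) else "permit"
        entries.append((name, src, dst, action))
    return entries

def find_shadowed(entries):
    """Names of entries fully covered by an earlier one. EXOS evaluates entries
    top-down and stops at the first match, so these (and their counters) never hit."""
    shadowed = []
    for i, (name, src, dst, _) in enumerate(entries):
        if any(src.subnet_of(esrc) and dst.subnet_of(edst)
               for _, esrc, edst, _ in entries[:i]):
            shadowed.append(name)
    return shadowed
```

Run find_shadowed(parse_policy(open("block_ip.pol").read())) against a real file before applying it; an empty list means every entry is reachable.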


▶ How to Delete a Policy file in EXOS.

exos_switch # ls
-rw-r--r-- 1 admin admin 2 Oct 28 09:13 block_ip.pol
drwxrwxrwx 2 root root 1024 Jan 29 2019 cc_logs
drw-r--r-- 2 root root 1024 Nov 20 2017 lost+found
-rw-rw-rw- 1 admin admin 903935 Oct 20 08:37 primary.cfg

exos_switch # rm block_ip.pol
Remove block_ip.pol from /usr/local/cfg? (y/N) Yes


* Additional Notes


To get a packet counter for a condition, use "count <counter_name>;" as an action modifier.

For example, the entry below will match all traffic with a source IP of 192.168.31.122 and a destination IP of 192.168.32.41. Every packet that hits this ACL will increment the counter:

entry one {
    if match all { 
        source-address 192.168.31.122/32 ;
        destination-address 192.168.32.41/32 ;
    } then {
        count test ;
        permit ;
    }
}

To check the ACL counters, use the command: show access-list counter {ingress | egress}

exos_switch # show access-list counter ingress
Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
one              *                1      ingress
    test                           7

Example)
exos_switch # show access-list counter
Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
block_ip          *                1      ingress
    block                          0
block_ip          *                2      ingress
    block                          0
block_ip          *                3      ingress
    block                          0
block_ip          *                4      ingress
    block                          0
block_ip          *                5      ingress
    block                          0
block_ip          *                6      ingress
    block                          0
block_ip          *                7      ingress
    block                          0
block_ip          *                8      ingress
    block                          53587354
block_ip          *                9      ingress
    block                          53586236
block_ip          *                10     ingress
    block                          0
block_ip          *                11     ingress
    block                          0
...snipped...
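When a block_ip policy is used against flooding traffic, the counters above tell you which ports the blocked source is still arriving on (ports 8 and 9 in the output). As an added example, not from the original post, the script below parses two snapshots of the show access-list counter output and lists the ports whose counter is still increasing; the snapshots are constructed in the format shown above.

```python
import re

# Constructed snapshots in the format of `show access-list counter` shown above,
# taken a few seconds apart: the block counter on ports 8 and 9 keeps rising.
SNAP_T0 = """\
Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
block_ip          *                7      ingress
    block                          0
block_ip          *                8      ingress
    block                          53587354
block_ip          *                9      ingress
    block                          53586236
"""
SNAP_T1 = SNAP_T0.replace("53587354", "53599001").replace("53586236", "53590418")

# "<policy> <vlan> <port> <direction>" rows and the indented counter rows
# beneath them (the byte column is optional, as in the output above).
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(ingress|egress)\s*$")
COUNTER_RE = re.compile(r"^\s+(\S+)\s+(\d+)(?:\s+\d+)?\s*$")

def parse_counters(text):
    """Map (policy, port, counter) -> packet count; a counter row belongs to the
    most recent policy/port row above it."""
    counts, ctx = {}, None
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            ctx = (row.group(1), int(row.group(3)))
            continue
        ctr = COUNTER_RE.match(line)
        if ctr and ctx:
            counts[(ctx[0], ctx[1], ctr.group(1))] = int(ctr.group(2))
    return counts

def increments(before, after):
    """Packet growth per counter between two snapshots (keys present in both)."""
    return {k: after[k] - before[k] for k in after if k in before}

def active_ports(before, after, policy, counter):
    """Ports where `counter` of `policy` is still increasing: the blocked source
    is still sending there, so that is where to look for it."""
    return sorted(port for (pol, port, name), delta in increments(before, after).items()
                  if pol == policy and name == counter and delta > 0)
```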


