Saturday, March 3, 2018

Extreme Switch - How to create an ACL in EXOS?


Creating an ACL in EXOS is very useful when you troubleshoot traffic forwarding issues, or you need to block a source IP address which is generating massive DoS-type flooding traffic. Here are the steps to create an ACL and some examples.


1. Type vi <policy-name>.pol to create the policy file, for example:
Switch # vi block_ip.pol

In the vi editor, press the i key to enter insert mode.

* Here is a link if you want to know more about the vi editor:
How do I edit a file in vi editor?

2. Create the entries in the policy file in the editor. The general syntax is shown below.

Syntax example (each entry has an if block holding the match conditions and a then block holding the actions):
entry acl_entry {
    if {
        <match conditions>
    } then {
        <actions>
    }
}

2-1. Example of blocking an IP address
entry block_acl {
    if {
        source-address 10.10.10.10/32;
    } then {
        deny;
        count block;
    }
}


3. Exit insert mode by pressing the Esc key.

4. Save and exit by typing :wq

5. Check the policy file you have created.
Switch # check policy block_ip.pol
Policy file check successful.

You should also be able to see the created file with the 'ls' command, as below.
Switch # ls
-rw-r--r-- 1 admin admin 79 Apr 24 16:34 block_ip.pol
-rw-r--r-- 1 root root 517276 Feb 15 2018 config_02152018.cfg
drw-r--r-- 2 root root 1024 Sep 14 2016 dhcp
drw-r--r-- 2 root root 1024 Sep 14 2016 lost+found
-rw-r--r-- 1 admin admin 26752 May 11 2018 nms.xsf
-rw-rw-rw- 1 root root 795761 May 11 21:34 primary.cfg
drw-r--r-- 4 root root 1024 Feb 22 2018 ssl
drwxr-xr-x 2 root root 1024 Mar 16 14:19 vmt

1K-blocks Used Available Use%
177480 2897 174583 2%


6. Apply the ACL to an interface with the command configure access-list <policy-name> [ports <port-list> | vlan <vlan-name>] [ingress | egress]. Do not include the .pol extension in the policy name.

Switch # configure access-list block_ip ports 1-63 ingress
 done!

* Note that not all platforms support egress ACLs. Details can be found in the following article:
What EXOS platforms support egress ACLs?

7. Check the ACL status.
Switch # show access-list
Vlan Name    Port   Policy Name          Dir      Rules  Dyn Rules
===================================================================
*            1      block_ip             ingress  1      0
*            2      block_ip             ingress  1      0
*            3      block_ip             ingress  1      0
...snipped...
*            62     block_ip             ingress  1      0
*            63     block_ip             ingress  1      0
*            69                               ingress  0      1


8. Use the unconfigure command if you want to remove the ACL from the interface.
Switch # unconfigure access-list block_ip
 done!


* Additional Notes

To get a packet counter for a condition, add "count <counter-name>;" as an action modifier.

For example, the entry below matches all traffic with a source IP of 192.168.31.122 and a destination IP of 192.168.32.41. Every packet that hits this entry increments the counter:

entry one {
    if match all { 
        source-address 192.168.31.122/32 ;
        destination-address 192.168.32.41/32 ;
    } then {
        count test ;
        permit ;
    }
}

To check the ACL counters, use the command: show access-list counter {ingress | egress}

* X450G2-48p-10G4.5 # show access-list counter ingress
Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
test              *                1      ingress
    test                           7

Example)
Switch # show access-list counter
Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
block_ip          *                1      ingress
    block                          0
block_ip          *                2      ingress
    block                          0
block_ip          *                3      ingress
    block                          0
block_ip          *                4      ingress
    block                          0
block_ip          *                5      ingress
    block                          0
block_ip          *                6      ingress
    block                          0
block_ip          *                7      ingress
    block                          0
block_ip          *                8      ingress
    block                          53587354
block_ip          *                9      ingress
    block                          53586236
block_ip          *                10     ingress
    block                          0
block_ip          *                11     ingress
    block                          0
...snipped...
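A small parser for the counter output above, added here as an example (it is not from the original post and not an Extreme tool): it reads "show access-list counter" text and lists the ports whose counter has incremented, which is how you find where the blocked source is actually entering the switch. The sample text is constructed in the shape of the output shown.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of 'show access-list counter' output (not a real capture).
SAMPLE_OUTPUT = """\
Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
block_ip          *                7      ingress
    block                          0
block_ip          *                8      ingress
    block                          53587354
block_ip          *                9      ingress
    block                          53586236
block_ip          *                10     ingress
    block                          0
"""

# Unindented line: policy, vlan, port (may be slot:port on a stack), direction.
POLICY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(ingress|egress)\s*$")
# Indented line: counter name, packet count, optional byte count.
COUNTER_RE = re.compile(r"^\s+(\S+)\s+(\d+)(?:\s+(\d+))?\s*$")


def parse_counters(text: str) -> List[Dict]:
    """Turn the command output into one record per counter line.
    Each counter line belongs to the policy/port line that precedes it."""
    records: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("=") or stripped.startswith(("Policy Name", "Counter Name")):
            continue  # blank lines, separator and column headers
        m = POLICY_RE.match(line)
        if m and not line[0].isspace():
            current = {"policy": m.group(1), "vlan": m.group(2),
                       "port": m.group(3), "direction": m.group(4)}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            rec = dict(current)
            rec["counter"] = m.group(1)
            rec["packets"] = int(m.group(2))
            rec["bytes"] = int(m.group(3)) if m.group(3) else None
            records.append(rec)
    return records


def ports_with_hits(text: str, min_packets: int = 1) -> List[Dict]:
    """Counter records with at least min_packets hits, busiest port first."""
    hits = [r for r in parse_counters(text) if r["packets"] >= min_packets]
    return sorted(hits, key=lambda r: r["packets"], reverse=True)
```

Feed it the saved output of the command (for example pasted from the console) and the ports listed first are the ones carrying the matched traffic.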


