Saturday, March 3, 2018

Extreme Switch - How to create an ACL in EXOS


    Creating an ACL in EXOS is very useful when you troubleshoot traffic forwarding issues, or you need to block a source IP address which is generating massive DoS-type flooding traffic. Here are the steps to create an ACL and some examples.

    There are two ways to create an ACL in EXOS: policy-based ACLs and dynamic ACLs.

    The policy-based ACL is the common approach, and its list of entries is easy to modify.

    In this post, I will show you how to create policy-based ACLs.


    Please refer to the following post on how to create Dynamic ACLs.


    • Step 1. Create a policy file.


    1. Type vi <filename>.pol to create a policy file, for example:

    exos_switch # vi block_ip.pol

    In the vi editor, press the i key to enter insert mode.
    * Here is a link if you want to know more about the vi editor:
    How do I edit a file in vi editor?

    [Optional]
    Alternatively, you may upload the .pol file to the switch via TFTP as below.

    exos_switch.1 # download url tftp://134.141.115.254/block_ip.pol
    Downloading tftp://134.141.115.254/block_ip.pol

    exos_switch.1 # ls
    -rw-rw-rw-    1 root     root           165 Mar 24 15:32 block_ip.pol
    drw-r--r--    2 root     root          1024 Feb  6  2020 cc_logs
    drw-r--r--    2 root     root          1024 Mar 21  2018 lost+found
    -rw-rw-rw-    1 admin    admin       557413 Nov 10 21:12 primary.cfg
    -rw-r--r--    1 admin    admin      1256763 Apr 22  2019 primary_slotted.cfg
    drw-r--r--    4 root     root          1024 May  6  2019 ssl
    drwxr-xr-x    2 root     root          1024 Nov 10 20:27 vmt

    ※ To delete the created policy file, use the rm command as below.
    rm block_ip.pol

    2. Create the entries in the policy file in the editor.

    Syntax example:
    entry acl_entry {
        if {
           <MATCH_CONDITIONS>
        } then {
           <ACTION_MODIFIERS>
        }
    }
    
    Details on match conditions, actions, and action modifiers can be found in the EXOS User Guide.


    • ACL Policy Examples


    2-1. Example of blocking an IP address
    entry block_acl {
        if {
            source-address 10.10.10.10/32;
        } then {
            deny;
            count block_acl_count;
        }
    }

    2-2. Example of allowing a source and destination IP pair (match all)
    entry AllowIP {
        if match all {
            source-address 192.168.100.1/32;
            destination-address 10.10.10.10/32;
        } then {
            permit;
            count AllowIP_count;
        }
    }

    2-3. Example of denying a specific IP pair and allowing others (match all)
    entry DenyIP {
        if match all {
            source-address 10.10.10.0/24;
            destination-address 10.10.100.0/24;
        } then {
            count DenyIP_Count;
            deny;
        }
    }
    entry AllowOthers {
        if match all {
            source-address 10.10.10.0/24;
            destination-address 0.0.0.0/0;
        } then {
            count AllowOthers_Count;
            permit;
        }
    }

    2-4. Example of permitting a source and destination IP, protocol, and destination port range
    entry udp_acl {
        if {
            source-address 192.168.100.0/24;
            destination-address 10.10.10.10/32;
            protocol udp;
            destination-port 1200 - 1250;
        } then {
            permit;
        }
    }


    3. Exit insert mode by pressing the Esc key.


    4. Save and exit by typing :wq


    5. Check the policy file you have created.

    exos_switch # check policy block_ip.pol
    Policy file check successful.

    You should be able to see the created file using the 'ls' command as below.
    Switch # ls
    -rw-r--r-- 1 admin admin 79 Apr 24 16:34 block_ip.pol
    -rw-r--r-- 1 root root 517276 Feb 15 2018 config_02152018.cfg
    drw-r--r-- 2 root root 1024 Sep 14 2016 lost+found
    -rw-rw-rw- 1 root root 795761 May 11 21:34 primary.cfg

    1K-blocks Used Available Use%
    177480 2897 174583 2%
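    As an added example (not part of the original post), the following Python helper renders entries in the .pol syntax used above and checks a rule list for entries that an earlier, broader entry shadows; entries are evaluated in order and the first match wins, which is why example 2-3 lists DenyIP before AllowOthers. The rule tuple layout, the counter naming and the sample rows are assumptions made for this example.

```python
import ipaddress

# Each rule is (entry name, action, source prefix, destination prefix), matched
# with "match all" semantics as in examples 2-2 and 2-3 above. Entries are
# evaluated in order and the first match wins.

_ENTRY = """entry {name} {{
    if match all {{
        source-address {src};
        destination-address {dst};
    }} then {{
        count {name}_Count;
        {action};
    }}
}}
"""

def parse_rules(rows):
    """Validate (name, action, src, dst) strings into rule tuples."""
    rules = []
    for name, action, src, dst in rows:
        if action not in ("permit", "deny"):
            raise ValueError(f"{name}: action must be permit or deny")
        # strict=True rejects host bits (10.10.10.10/24), which would otherwise
        # silently widen a single-host block to a whole subnet.
        rules.append((name, action, ipaddress.ip_network(src, strict=True),
                      ipaddress.ip_network(dst, strict=True)))
    return rules

def shadowed_entries(rules):
    """(later, earlier) pairs where an earlier entry fully covers the later
    entry's source and destination, so the later entry can never match."""
    found = []
    for i, (name_i, _, s_i, d_i) in enumerate(rules):
        for name_j, _, s_j, d_j in rules[:i]:
            if s_i.subnet_of(s_j) and d_i.subnet_of(d_j):
                found.append((name_i, name_j))
    return found

def render_policy(rules):
    """Emit the entries in the .pol syntax used above, one counter each."""
    return "\n".join(_ENTRY.format(name=n, action=a, src=s.with_prefixlen,
                                   dst=d.with_prefixlen) for n, a, s, d in rules)

# Constructed sample: the two entries of example 2-3, in the correct order.
SAMPLE_ROWS = [
    ("DenyIP", "deny", "10.10.10.0/24", "10.10.100.0/24"),
    ("AllowOthers", "permit", "10.10.10.0/24", "0.0.0.0/0"),
]
```

    Reversing SAMPLE_ROWS makes shadowed_entries() report DenyIP as unreachable, which is the misordering the deny-then-permit pattern has to avoid.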



    • Step 2. Apply the policy file.


    6. Apply the ACL to an interface or VLAN with the following command.

    6-1. Apply the ACL to an interface
    configure access-list <policyname> ports <portlist> [ingress|egress]
    (Don't include .pol in the policy name.)

    Switch # configure access-list block_ip ports 1-63 ingress
     done!


    6-2. Apply the ACL to a VLAN
    configure access-list [policyname] vlan [vlanname] [ingress|egress]

    Switch # configure access-list block_ip vlan vlan100 ingress
     done!


    * Note that not all platforms support egress ACLs. Details can be found in the following article:
    What EXOS platforms support egress ACLs?


    • Step 3. Check the ACL status.


    7. Use the following command to check the ACL status.

    exos_switch # show access-list
    Vlan Name    Port   Policy Name          Dir      Rules  Dyn Rules
    ===================================================================
    *            1      block_ip             ingress  1      0
    *            2      block_ip             ingress  1      0
    *            3      block_ip             ingress  1      0
    ...snipped...
    *            62     block_ip             ingress  1      0
    *            63     block_ip             ingress  1      0
    *            69                               ingress  0      1


    • How to Unconfigure an ACL or Delete a Policy File.


    8. Use the unconfigure command if you want to remove the ACL from the interface.

    exos_switch # unconfigure access-list block_ip
     done!


    9. You can delete the policy file after you have configured it.



    exos_switch # ls
    -rw-r--r-- 1 admin admin 2 Oct 28 09:13 block_ip.pol
    drwxrwxrwx 2 root root 1024 Jan 29 2019 cc_logs
    drw-r--r-- 2 root root 1024 Nov 20 2017 lost+found
    -rw-rw-rw- 1 admin admin 903935 Oct 20 08:37 primary.cfg

    exos_switch # rm block_ip.pol
    Remove block_ip.pol from /usr/local/cfg? (y/N) Yes



    • Refreshing a Policy file.


    When a policy file is changed (such as adding, deleting an entry, adding/deleting/modifying a statement), the information in the policy database does not change until the policy is refreshed. The user must refresh the policy so that the latest copy of the policy is used.

    When the policy is refreshed, the new policy file is read, processed, and stored in the server database.  Any clients that use the policy are updated. To refresh the policy, use the following command:

    refresh policy <policy name> (without .pol in the policy name)

    Switch # refresh policy block_acl
     Policy block_acl refresh done!

    * NOTE: For ACL policies only, during the time that an ACL policy is refreshed, packets on the interface are blackholed, by default. This is to protect the switch during the short time that the policy is being applied to the hardware.


    • Additional Notes (ACL counter)


    To get a packet counter for a condition, use "count <counter name>;" as an action modifier.

    For example, the entry below will match all traffic with a source IP of 192.168.31.122 and a destination IP of 192.168.32.41. Every packet that hits this ACL will increment the counter:

    entry one {
        if match all { 
            source-address 192.168.31.122/32 ;
            destination-address 192.168.32.41/32 ;
        } then {
            count test ;
            permit ;
        }
    }

    To check the ACL counters, use the command: show access-list counter {ingress | egress}

    exos_switch # show access-list counter ingress
    Policy Name       Vlan Name        Port   Direction
        Counter Name                   Packet Count         Byte Count
    ==================================================================
    one              *                1      ingress
        test                           7

    Example)
    exos_switch # show access-list counter
    Policy Name       Vlan Name        Port   Direction
        Counter Name                   Packet Count         Byte Count
    ==================================================================
    block_ip          *                1      ingress
        block                          0
    block_ip          *                2      ingress
        block                          0
    block_ip          *                3      ingress
        block                          0
    block_ip          *                4      ingress
        block                          0
    block_ip          *                5      ingress
        block                          0
    block_ip          *                6      ingress
        block                          0
    block_ip          *                7      ingress
        block                          0
    block_ip          *                8      ingress
        block                          53587354
    block_ip          *                9      ingress
        block                          53586236
    block_ip          *                10     ingress
        block                          0
    block_ip          *                11     ingress
        block                          0
    ...snipped...
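    As an added example (not part of the original post), the following Python parses "show access-list counter" output in the two-line record format shown above and lists the ports whose counter is non-zero, which is the quickest way to see on which ports a flood is entering the switch. The sample output is constructed from the records above; the regexes assume the column layout shown there.

```python
import re

# Constructed sample modelled on the "show access-list counter" output above:
# two lines per record, the policy/vlan/port/direction line followed by the
# counter name and packet count (the byte-count column is empty there).
SAMPLE_OUTPUT = """\
Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
block_ip          *                1      ingress
    block                          0
block_ip          *                8      ingress
    block                          53587354
block_ip          *                9      ingress
    block                          53586236
one               *                1      ingress
    test                           7
"""

# First line of a record: policy, vlan, port, direction (no leading whitespace).
_HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(ingress|egress)\s*$")
# Second line: indented counter name, packet count, optional byte count.
_COUNTER_RE = re.compile(r"^\s+(\S+)\s+(\d+)(?:\s+(\d+))?\s*$")

def parse_acl_counters(text):
    """Return one dict per (policy, port, counter) record in the output."""
    records = []
    current = None
    for line in text.splitlines():
        m = _HEADER_RE.match(line)
        if m:
            policy, vlan, port, direction = m.groups()
            current = {"policy": policy, "vlan": vlan, "port": port,
                       "direction": direction}
            continue
        m = _COUNTER_RE.match(line)
        if m and current is not None:
            name, packets, octets = m.groups()
            records.append(dict(current, counter=name, packets=int(packets),
                                bytes=int(octets) if octets else None))
    return records

def ports_with_hits(records, counter=None):
    """Records whose counter is non-zero, highest packet count first."""
    hits = [r for r in records
            if r["packets"] > 0 and (counter is None or r["counter"] == counter)]
    return sorted(hits, key=lambda r: r["packets"], reverse=True)
```

    On the sample above, ports_with_hits(parse_acl_counters(SAMPLE_OUTPUT), counter="block") returns ports 8 and 9, the two ports where the blocked source is actually arriving.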


