Access Control Objects

This page contains descriptions of the Access Control related objects in the FlexSwitch object models.

This set of objects, part of the asicd model, is effective from version nnnnnn of FlexSwitch.

An Access Control List (AccessControlList object) is made up of several discrete attributes (name, description, etc.) and one or more AccessControlEntry objects. Each AccessControlEntry object consists of several discrete attributes plus a list (array) of AccessControlFilter objects. This relationship is shown in the illustration below.

ACL Object Relationships

Attention

Attributes without default values listed are required in API calls.

Configuration Objects

AddressGroup

config/AddressGroup

| Attribute | Data Type | Description | Permitted Values |
|---|---|---|---|
| Name [Key] | string | Address group name | |
| Type | string | Type of address group | SELECTION:IPv4/IPv6/MAC, DEFAULT:IPv4 |
| AddressList | string[] | List of either IPv4 prefixes or IPv6 prefixes. All prefix strings must match this group's Type. Different types of prefixes cannot be mixed within one address group. | DEFAULT:[] |

AccessControlFilter

config/AccessControlFilter

| Attribute | Data Type | Description | Permitted Values |
|---|---|---|---|
| Name [Key] | string | Access Control filter name. | |
| Description | string | Optional description of the filter. | DEFAULT:"" |
| Type | string | Type of the AccessControlFilter | SELECTION:IPv4/IPv6/MAC, DEFAULT:IPv4 |
| Ethertype | uint16 | Frame ethertype, applicable to MAC type AccessControlFilter only. When used with an IPv4 or IPv6 AccessControlEntry, the ethertype defaults to 0x0800 or 0x86dd respectively. | |
| Protocol | string | IPv4 protocol field or IPv6 next-header field. Match on well-known values or specify a number between 0 and 255. | SELECTION:0-255/ICMPv4/ICMPv6/IGMP/TCP/UDP/GRE/EIGRP/OSPF/PIM/L2TP |
| SrcPortStart | uint16 | TCP/UDP starting source port value. The default start/end values are 0 and 65535, which match any port. | DEFAULT:0 |
| SrcPortEnd | uint16 | TCP/UDP ending source port value. The default start/end values are 0 and 65535, which match any port. | DEFAULT:65535 |
| DstPortStart | uint16 | TCP/UDP starting destination port value. The default start/end values are 0 and 65535, which match any port. | DEFAULT:0 |
| DstPortEnd | uint16 | TCP/UDP ending destination port value. The default start/end values are 0 and 65535, which match any port. | DEFAULT:65535 |
| SrcNotEqual | bool | Negative matching option for use with TCP/UDP ports only. This option can only be set to true when SrcPortStart and SrcPortEnd are the same value. | DEFAULT:false |
| DstNotEqual | bool | Negative matching option for use with TCP/UDP ports only. This option can only be set to true when DstPortStart and DstPortEnd are the same value. | DEFAULT:false |

AccessControlEntry

config/AccessControlEntry

| Attribute | Data Type | Description | Permitted Values |
|---|---|---|---|
| Name [Key] | string | Access Control entry name. | |
| Description | string | Optional description of the AccessControlEntry | DEFAULT:"" |
| Type | string | Type of the AccessControlEntry | SELECTION:IPv4/IPv6/MAC |
| Priority | uint32 | Priority dictates the order in which the AccessControlEntry is applied. Higher priorities are applied before lower priorities. | DEFAULT:0 |
| Action | string | ALLOW permits traffic matching the AccessControlEntry; DENY drops traffic matching the AccessControlEntry; COPYTOCPU permits traffic matching the AccessControlEntry and sends a copy to the CPU. | SELECTION:ALLOW/DENY/COPYTOCPU |
| CpuQueue | uint32 | CPU queue that receives traffic when Action is COPYTOCPU | DEFAULT:0 |
| SrcGroupRef | string | Source AddressGroup object name representing a list of IPv4, IPv6, or MAC prefixes. The Type of the AccessControlEntry must match the Type of the AddressGroup. | DEFAULT:"" |
| DstGroupRef | string | Destination AddressGroup object name representing a list of IPv4, IPv6, or MAC prefixes. The Type of the AccessControlEntry must match the Type of the AddressGroup. | DEFAULT:"" |
| FilterRefList | string[] | List of AccessControlFilter object names to apply protocol and TCP/UDP port filtering | DEFAULT:[] |

AccessControlList

config/AccessControlList

| Attribute | Data Type | Description | Permitted Values |
|---|---|---|---|
| Name [Key] | string | Access Control list name. | |
| Description | string | Optional description of the AccessControlList | |
| Type | string | Type of the AccessControlList | SELECTION:IPv4/IPv6/MAC |
| EntryRefList | string[] | List of AccessControlEntry object names. The AccessControlEntry type must match the Type attribute of this object. | DEFAULT:[] |
| IntfRefList | string | List of Ports, LAGs, or VLANs to which this AccessControlList is applied | DEFAULT:[] |
| Stage | string | Apply the AccessControlList on IN (ingress) or OUT (egress) | SELECTION:IN/OUT, DEFAULT:IN |
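
The tables above state several cross-object constraints: prefixes must match the AddressGroup Type, SrcNotEqual/DstNotEqual need a single port, and entry, group and list Types must agree. The following pre-deployment check for those rules is an added example, not FlexSwitch code. It assumes the objects are held as Python dicts keyed by the attribute names above, and reporting undefined references is an assumption about what should be rejected.

```python
import ipaddress

ACTIONS = {"ALLOW", "DENY", "COPYTOCPU"}
IP_VERSION = {"IPv4": 4, "IPv6": 6}  # MAC address format is not given on the page

def group_errors(g):
    """Every AddressList prefix must match the group's Type (default IPv4)."""
    gtype, errs = g.get("Type", "IPv4"), []
    for p in g.get("AddressList", []) if gtype in IP_VERSION else []:
        try:
            ok = ipaddress.ip_network(p, strict=False).version == IP_VERSION[gtype]
        except ValueError:
            ok = False
        if not ok:
            errs.append(f"{g['Name']}: {p} is not a valid {gtype} prefix")
    return errs

def filter_errors(f):
    """Src/DstNotEqual may be true only when start and end port are equal."""
    return [f"{f['Name']}: {s}NotEqual requires {s}PortStart == {s}PortEnd"
            for s in ("Src", "Dst")
            if f.get(s + "NotEqual", False)
            and f.get(s + "PortStart", 0) != f.get(s + "PortEnd", 65535)]

def validate(acl, entries, filters, groups):
    """Return violations; entries, filters and groups are dicts keyed by Name."""
    errs = [e for g in groups.values() for e in group_errors(g)]
    errs += [e for f in filters.values() for e in filter_errors(f)]
    for name in acl.get("EntryRefList", []):
        ent = entries.get(name)
        if ent is None:
            errs.append(f"{acl['Name']}: entry {name} is not defined")
            continue
        if ent.get("Type") != acl.get("Type"):
            errs.append(f"{name}: Type differs from list {acl['Name']}")
        if ent.get("Action") not in ACTIONS:
            errs.append(f"{name}: Action must be one of {sorted(ACTIONS)}")
        for ref in filter(None, (ent.get("SrcGroupRef", ""), ent.get("DstGroupRef", ""))):
            if groups.get(ref, {"Type": None}).get("Type", "IPv4") != ent.get("Type"):
                errs.append(f"{name}: group {ref} is missing or has a different Type")
        errs += [f"{name}: filter {r} is not defined"
                 for r in ent.get("FilterRefList", []) if r not in filters]
    return errs

# Constructed sample: DstNotEqual set while the port range is left at its
# 0-65535 default, which the DstNotEqual rule above does not permit.
SAMPLE_FILTER = {"Name": "not-ssh", "Type": "IPv4", "Protocol": "TCP", "DstNotEqual": True}
```

An empty list from `validate` means none of the documented constraints were violated; it does not check attributes the page leaves unspecified, such as MAC prefix format.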