Configuring Port ACLs

The ACL created in this example blocks a specific port (fpPort1), denying all traffic arriving at that port. Another example, a Route ACL, demonstrates how to block traffic from a specific IP address.

Port ACL Configuration Using the FlexSwitch CLI

This topic describes creating Port ACLs using the FlexSwitch CLI. For more information about the CLI, see Using the CLI.

Use Port ACLs to block traffic on a specific port. In this example we are blocking traffic on a physical port fpPort 1.

Port ACL

In our example we have two directly connected switches.

Direct Connected Switches

Creating an ACL Filter

In this step we create an aclipv4Filter. This object carries the L3 and L4 match attributes. In this example we do not set any specific L3 or L4 properties.

Note

Although we do not make any adjustments to specific L3 or L4 properties, the ACL object model still requires the existence of an ACL filter.

To create the aclipv4Filter object, use the FlexSwitch CLI commands as shown in the example below. For more information about the CLI, see Using the CLI.

flexswitch(config):aclipv4filter block_port1
flexswitch(config-aclIPv4Filter):apply

Applying Config:
id: 6   object: AclIpv4Filter   status: APPLIED CONFIG  valid: True delete: False num user cmds: 1
 command                      attr             value          model attr    iskey    required    userprov    time provisioned
--------------------------------------------------------------------------------------------------------------------------------------
 aclipv4filter block_port1    aclipv4filter    block_port1    FilterName    True     X           X           Wed Nov 23 13:16:53 2033

The next step is to attach the ACL filter to an ACL.

Attach the ACL Filter to an ACL

Note

In this step we not only attach the filter, but we also create the ACL in the CLI acl context by calling it with a name (block_traffic) that does not yet exist.

Attach the filter using the CLI commands shown in the example below. In this step we:

  • Create and name an ACL.
  • Assign it to a port.
  • Assign an action (DENY).
  • Apply the configuration.

flexswitch(config):acl block_traffic
flexswitch(config-acl):interface fpPort 1
flexswitch(config-acl):action DENY
flexswitch(config-acl):filterName block_port1
flexswitch(config-acl):apply

Applying Config:
id: 6   object: Acl   status: APPLIED CONFIG  valid: True delete: False num user cmds: 4
 command                   attr          value            model attr    iskey    required    userprov    time provisioned
----------------------------------------------------------------------------------------------------------------------------------
 acl block_traffic         acl           block_traffic    AclName       True     X           X           Wed Nov 23 13:18:15 2033
 interface fpPort 1        fpPort        ['1']            IntfList      False    X           X           Wed Nov 23 13:17:39 2033
 action DENY               action        ['DENY']         Action        False    X           X           Wed Nov 23 13:17:58 2033
 filterName block_port1    filterName    block_port1      FilterName    False                X           Wed Nov 23 13:18:23 2033

Port ACL Configuration Using the FlexSwitch REST Interface

This topic describes creating Port ACLs using the FlexSwitch REST interface and cURL.

Creating an ACL Filter

bash-4.3$ curl -sX POST -u admin -d '{"FilterName": "block_port1"}' 'http://localhost:8080/public/v1/config/AclIpv4Filter' | python -m json.tool
Enter host password for user 'admin':
{
    "Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept",
    "Access-Control-Allow-Methods": "POST, GET, OPTIONS, PATCH, DELETE",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Max_age": "86400",
    "ObjectId": "6e2b9022-b2a9-421b-4778-866d121468fb",
    "Result": "Success"
}

Attach the ACL Filter to an ACL

Note

In this step we not only attach the filter, but we create the ACL to which it is attached.

Attach the filter using the cURL command shown in the example below. In this step we:

  • Create and name an ACL.
  • Assign it to a port.
  • Assign an action (DENY).

bash-4.3$ curl -sX POST -u admin -d '{"AclName": "block_traffic","IntfList":["fpPort1"],"Action":["DENY"],"FilterName":"block_port1"}' 'http://localhost:8080/public/v1/config/Acl' | python -m json.tool
Enter host password for user 'admin':
{
    "Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept",
    "Access-Control-Allow-Methods": "POST, GET, OPTIONS, PATCH, DELETE",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Max_age": "86400",
    "ObjectId": "a80290e3-d96d-44e1-5882-94bd1471b422",
    "Result": "Success"
}

Verify the Configuration

Verify that both the filter and the ACL were successfully created.

Verify the Filter

bash-4.3$ curl -sX GET -u admin -d '{}' 'http://localhost:8080/public/v1/config/AclIpv4Filters' | python -m json.tool
Enter host password for user 'admin':
{
    "CurrentMarker": 0,
    "MoreExist": false,
    "NextMarker": 0,
    "ObjCount": 1,
    "Objects": [
        {
            "Object": {
                "DestIp": "",
                "DestMask": "",
                "DstIntf": "0",
                "FilterName": "block_port1",
                "L4DstPort": 0,
                "L4MaxPort": 0,
                "L4MinPort": 0,
                "L4PortMatch": "",
                "L4SrcPort": 0,
                "Proto": "",
                "SourceIp": "",
                "SourceMask": "",
                "SrcIntf": "0"
            },
            "ObjectId": "6e2b9022-b2a9-421b-4778-866d121468fb"
        }
    ]
}

Verify the ACL

bash-4.3$ curl -sX GET -u admin -d '{}' 'http://localhost:8080/public/v1/state/Acls' | python -m json.tool
Enter host password for user 'admin':
{
    "CurrentMarker": 0,
    "MoreExist": false,
    "NextMarker": 0,
    "ObjCount": 1,
    "Objects": [
        {
            "Object": {
                "AclName": "block_traffic",
                "AclType": "IPv4",
                "HitCount": 0,
                "IntfList": [
                    "fpPort1"
                ],
                "Priority": 1,
                "Stage": "IN"
            },
            "ObjectId": "a80290e3-d96d-44e1-5882-94bd1471b422"
        }
    ]
}
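The REST workflow above, as an added Python example (not FlexSwitch's own tooling): it builds the two POST bodies exactly as the page's cURL calls do, and then cross-checks the creation responses against the GET listings, confirming that the filter and the ACL exist, that their ObjectIds match the ones returned at creation, and that the ACL is bound to the intended interface. The endpoint paths and field names come from the page; the rest_call helper is an assumption about how basic auth is sent (it mirrors curl -u), and the SAMPLE_* responses are constructed, modelled on the output shown above, so the check runs offline.

```python
import base64
import json
import urllib.request

# Endpoint root taken from the page's curl commands (FlexSwitch REST interface).
BASE_URL = "http://localhost:8080/public/v1"


def build_filter_payload(filter_name):
    """Body for POST /config/AclIpv4Filter; no L3/L4 match fields are set, as on the page."""
    return {"FilterName": filter_name}


def build_acl_payload(acl_name, intf_list, action, filter_name):
    """Body for POST /config/Acl, mirroring the page's curl call (port ACL, action DENY)."""
    return {"AclName": acl_name, "IntfList": list(intf_list),
            "Action": [action], "FilterName": filter_name}


def rest_call(path, method, body, user, password, timeout=5):
    """Assumed helper (not FlexSwitch code): send a JSON body with HTTP basic auth, like curl -u."""
    req = urllib.request.Request(BASE_URL + path, data=json.dumps(body).encode(),
                                 method=method, headers={"Content-Type": "application/json"})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def verify_port_acl(filter_resp, acl_resp, filters, acls, filter_name, acl_name, intfs):
    """Cross-check the two POST responses against the GET listings.

    Returns a list of problem strings; an empty list means the filter and ACL
    exist, carry the ObjectIds returned at creation, and the ACL is bound to
    every expected interface. The state/Acls object shown on the page exposes
    only AclName, AclType, HitCount, IntfList, Priority and Stage, so the
    DENY action cannot be re-checked from that listing.
    """
    problems = []
    for label, resp in (("filter", filter_resp), ("acl", acl_resp)):
        if resp.get("Result") != "Success":
            problems.append(f"{label} create returned {resp.get('Result')!r}")
    for label, listing in (("filters", filters), ("acls", acls)):
        if listing.get("MoreExist"):
            problems.append(f"{label} listing is paginated; not every object was examined")

    by_filter = {o["Object"]["FilterName"]: o for o in filters.get("Objects", [])}
    flt = by_filter.get(filter_name)
    if flt is None:
        problems.append(f"filter {filter_name} not found in config/AclIpv4Filters")
    elif flt.get("ObjectId") != filter_resp.get("ObjectId"):
        problems.append("filter ObjectId differs from the one returned at creation")

    by_acl = {o["Object"]["AclName"]: o for o in acls.get("Objects", [])}
    acl = by_acl.get(acl_name)
    if acl is None:
        problems.append(f"ACL {acl_name} not found in state/Acls")
    else:
        if acl.get("ObjectId") != acl_resp.get("ObjectId"):
            problems.append("ACL ObjectId differs from the one returned at creation")
        missing = sorted(set(intfs) - set(acl["Object"].get("IntfList", [])))
        if missing:
            problems.append(f"ACL not bound to interface(s): {', '.join(missing)}")
    return problems


# Constructed sample responses, modelled on the output shown on the page.
SAMPLE_FILTER_RESP = {"ObjectId": "6e2b9022-b2a9-421b-4778-866d121468fb", "Result": "Success"}
SAMPLE_ACL_RESP = {"ObjectId": "a80290e3-d96d-44e1-5882-94bd1471b422", "Result": "Success"}
SAMPLE_FILTERS = {"MoreExist": False, "ObjCount": 1, "Objects": [
    {"Object": {"FilterName": "block_port1", "Proto": "", "SourceIp": "", "DestIp": ""},
     "ObjectId": "6e2b9022-b2a9-421b-4778-866d121468fb"}]}
SAMPLE_ACLS = {"MoreExist": False, "ObjCount": 1, "Objects": [
    {"Object": {"AclName": "block_traffic", "AclType": "IPv4", "HitCount": 0,
                "IntfList": ["fpPort1"], "Priority": 1, "Stage": "IN"},
     "ObjectId": "a80290e3-d96d-44e1-5882-94bd1471b422"}]}


def check_sample():
    """Offline run of the verification over the constructed samples."""
    return verify_port_acl(SAMPLE_FILTER_RESP, SAMPLE_ACL_RESP, SAMPLE_FILTERS, SAMPLE_ACLS,
                           "block_port1", "block_traffic", ["fpPort1"])


if __name__ == "__main__":
    # Against a live switch the same sequence would be:
    #   rest_call("/config/AclIpv4Filter", "POST", build_filter_payload("block_port1"), "admin", pw)
    #   rest_call("/config/Acl", "POST",
    #             build_acl_payload("block_traffic", ["fpPort1"], "DENY", "block_port1"), "admin", pw)
    #   rest_call("/config/AclIpv4Filters", "GET", {}, "admin", pw)
    #   rest_call("/state/Acls", "GET", {}, "admin", pw)
    print("problems:", check_sample() or "none")
```

The HitCount field in the state listing starts at 0 immediately after creation; polling it over time is how an operator confirms that the DENY rule is actually matching traffic on fpPort1 rather than merely existing in the configuration.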