Configuring Routed ACLs

This topic describes creating Routed ACLs using the FlexSwitch CLI and using the FlexSwitch REST interface with cURL.

Routed ACL Configuration Using the FlexSwitch CLI

This topic describes creating Routed ACLs using the FlexSwitch CLI. For more information about the CLI, see Using the CLI.

Direct Connected Switches

In this example we are blocking traffic from a specific subnet. We are working with the same topology as above, with the addition of a loopback 0 (1.1.1.0/24) on the right-hand switch. We also created a static route on the FlexSwitch side to ensure that ICMP works.

Creating an ACL Filter

In this step we create an aclipv4Filter using the CLI commands shown below.

In this step we:

  • Create and name an ACL Filter.
  • Assign a source IP.
  • Assign a source mask.
  • Apply the configuration.

flexswitch(config):aclipv4filter block_subnet1
flexswitch(config-aclIPv4Filter):srcIp 1.1.1.1
flexswitch(config-aclIPv4Filter):srcMask 255.255.255.255
flexswitch(config-aclIPv4Filter):apply
Applying Config:
id: 2   object: AclIpv4Filter   status: APPLIED CONFIG  valid: True delete: False num user cmds: 5
 command                        attr             value              model attr    iskey    required    userprov    time provisioned
--------------------------------------------------------------------------------------------------------------------------------------------
 aclipv4filter block_subnet1    aclipv4filter    block_subnet1      FilterName    True     X           X           Wed Nov 23 13:33:56 2033
 srcIp 1.1.1.1                  srcIp            1.1.1.1            SourceIp      False                X           Wed Nov 23 13:34:11 2033
 srcMask 255.255.255.255        srcMask          255.255.255.255    SourceMask    False                X           Wed Nov 23 13:34:20 2033

Attach the ACL Filter to an ACL

Note

In this step we not only attach the filter but also create the ACL: entering the CLI acl context with a name (block_loopback) that does not yet exist creates that ACL.

Attach the filter using the CLI commands shown in the example below. In this step we:

  • Create and name an ACL.
  • Assign the filter created above.
  • Assign an action (DENY).
  • Apply the configuration.

flexswitch(config):acl block_loopback
flexswitch(config-acl):filterName block_subnet1
flexswitch(config-acl):action DENY
flexswitch(config-acl):apply
Applying Config:
id: 2   object: Acl   status: APPLIED CONFIG  valid: True delete: False num user cmds: 3
 command                     attr          value             model attr    iskey    required    userprov    time provisioned
-------------------------------------------------------------------------------------------------------------------------------------
 acl block_loopback          acl           block_loopback    AclName       True     X           X           Wed Nov 23 13:36:24 2033
 filterName block_subnet1    filterName    block_subnet1     FilterName    False                X           Wed Nov 23 13:36:36 2033
 action DENY                 action        ['DENY']          Action        False    X           X           Wed Nov 23 13:36:43 2033

Routed ACL Configuration Using the FlexSwitch REST Interface

Let's add the ACL filter and the ACL.

Creating an ACL Filter

bash-4.3$ curl -sX POST -u admin -d '{"FilterName": "block_subnet1", "SourceIp": "1.1.1.1","SourceMask": "255.255.255.255"}' 'http://localhost:8080/public/v1/config/AclIpv4Filter' | python -m json.tool
Enter host password for user 'admin':
{
    "Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept",
    "Access-Control-Allow-Methods": "POST, GET, OPTIONS, PATCH, DELETE",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Max_age": "86400",
    "ObjectId": "a0220764-81ee-4f38-6e30-ada9a2edad37",
    "Result": "Success"
}

Attach the ACL Filter to an ACL

Note

In this step we not only attach the filter, but we create the ACL to which it is attached.

Attach the filter using the cURL command shown in the example below. In this step we:

  • Create and name an ACL.
  • Assign the filter created above.
  • Assign an action (DENY).

bash-4.3$ curl -sX POST -u admin -d '{"AclName": "block_loopback","Action":["DENY"],"FilterName":"block_subnet1"}' 'http://localhost:8080/public/v1/config/Acl' | python -m json.tool
Enter host password for user 'admin':
{
    "Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept",
    "Access-Control-Allow-Methods": "POST, GET, OPTIONS, PATCH, DELETE",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Max_age": "86400",
    "ObjectId": "f9efd439-8856-4289-7889-668e1e95d945",
    "Result": "Success"
}
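As an added example (not FlexSwitch's own code), the same two REST objects built and posted from Python in the order the API needs, filter first and then the ACL that references it. The address and mask are checked before anything is sent, so a mis-typed mask cannot silently widen or narrow what gets blocked. The URL and field names are the ones used in the cURL calls above; the function names are this example's own.

```python
import base64
import ipaddress
import json
import urllib.request

BASE_URL = "http://localhost:8080/public/v1/config"  # REST root used on this page

def valid_mask(mask):
    """True only for a contiguous netmask; a typo such as 255.0.255.0 fails."""
    try:
        net = ipaddress.IPv4Network(f"0.0.0.0/{mask}")
    except ValueError:
        return False
    return str(net.netmask) == mask  # also rejects wildcard-style 0.0.0.255

def build_filter(name, src_ip, src_mask):
    """AclIpv4Filter body; validates address and mask before anything is sent."""
    ipaddress.IPv4Address(src_ip)  # raises ValueError on a malformed address
    if not valid_mask(src_mask):
        raise ValueError(f"non-contiguous SourceMask {src_mask!r}")
    return {"FilterName": name, "SourceIp": src_ip, "SourceMask": src_mask}

def build_acl(name, filter_name, action="DENY"):
    """Acl body; Action is a list, as the CLI output above shows (['DENY'])."""
    return {"AclName": name, "Action": [action], "FilterName": filter_name}

def parse_reply(body):
    """Return the ObjectId from a FlexSwitch reply, or raise if Result is not Success."""
    reply = json.loads(body)
    if reply.get("Result") != "Success":
        raise RuntimeError(f"FlexSwitch rejected the object: {reply}")
    return reply["ObjectId"]

def post_object(obj_type, body, user, password):
    """POST one config object with HTTP basic auth, like 'curl -u admin' above."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{BASE_URL}/{obj_type}", data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return parse_reply(resp.read())

def configure_routed_acl(user, password, send=post_object):
    """Create the filter, then the ACL that references it; returns both ObjectIds."""
    filt = build_filter("block_subnet1", "1.1.1.1", "255.255.255.255")
    filter_id = send("AclIpv4Filter", filt, user, password)
    acl = build_acl("block_loopback", filt["FilterName"])
    return filter_id, send("Acl", acl, user, password)
```

Passing a different `send` callable lets the flow be exercised without a switch, as the checks below do.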

Let's test connectivity!

bash-4.3$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
^C
--- 1.1.1.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3008ms