Configuring Access Control objects for SNMP

This page describes how to create and configure an Access Control List for use with SNMP Communities. The ACL models associated with this guide are for use only with SNMP. For general use ACLs see the Configuring ACLs page.

For more details about configuration options, see the following pages:

ACL Architecture

Objects in the ACL model have a nested relationship, which is illustrated in the figure below.

ACL Object Relationships

Configuration of the four objects should be accomplished in the following order:

  1. AddressGroup
  2. AccessControlEntry
  3. AccessControlList

Configuring the Address Group

An Address Group is a named list of IP addresses (or MAC addresses). An Address Group may be used to define either sources or destinations.

Attribute     Data Type  Description                                                           Permitted Values
Name [Key]    string     Address group name
Type          string     Type of address group                                                 SELECTION: IPv4/IPv6/MAC  DEFAULT: IPv4
AddressList   string[]   List of either ipv4Prefixes or ipv6Prefixes. All prefix strings       DEFAULT: []
                         must match this attribute's 'Type'. Different types of prefixes
                         cannot be mixed within one address group.

REST (cURL) Example

config/AddressGroup

curl -k -u <user>:<password> -X POST -H 'Content-Type: application/json' --header 'Accept: application/json' -d '{"Name":"Group10", "AddressList":["192.168.100.243","192.168.100.239"]}' http://device-management-IP:443/public/v1/config/AddressGroup

JSON Data Model

{
    "Name": "Group10",
    "Type": "IPv4",
    "AddressList":
        [
            "192.168.100.243", "192.168.100.239"
        ]
}

Python Example

from flexswitchV2 import FlexSwitch

name = "AddressGroupName"
addrtype = "IPv4"   # named addrtype so the builtin type() is not shadowed
addresslist = ["192.168.100.243", "192.168.100.239"]

if __name__ == '__main__':
    switchIP = "192.168.56.101"
    swtch = FlexSwitch(switchIP, 443)  # Instantiate object to talk to FlexSwitch
    response, error = swtch.createAddressGroup(Name=name, Type=addrtype, AddressList=addresslist)

    if error is not None:  # error not being None implies there is some problem
        print(error)
    else:
        print('Success')

CLI Example

localhost(config)#addressgroup 243
localhost(config-addressgroup)#AddressList 192.168.100.243
localhost(config-addressgroup)#apply
Applying Config:
id: 1    object: AddressGroup   status: APPLIED CONFIG  valid: True delete: False num user cmds: 2
 command                        attr            value                  model attr     iskey    required    userprov    time provisioned        
------------------------------------------------------------------------------------------------------------------------------------------------
 addressgroup 243               addressgroup    243                    Name           True     X           X           Sun Nov 13 03:02:46 2033
 AddressList 192.168.100.243    AddressList     ['192.168.100.243']    AddressList    False    X           X           Sun Nov 13 03:02:53 2033

sdk:createAddressGroup(243,['192.168.100.243'],Type=IPv4) result: SUCCESS: http status code: 201

Configuring the Access Control Entry

Attribute       Data Type  Description                                                            Permitted Values
Name [Key]      string     Access Control Entry name.
Description     string     Optional description of the AccessControlEntry                         DEFAULT: ""
Type            string     Type of the AccessControlEntry                                         SELECTION: IPv4/IPv6/MAC
Priority        uint32     Priority dictates the order in which the AccessControlEntry is         DEFAULT: 0
                           applied. Higher priorities are applied before lower priorities.
Action          string     ALLOW: permit traffic matching the AccessControlEntry.                 SELECTION: ALLOW/DENY/COPYTOCPU
                           DENY: drop traffic matching the AccessControlEntry.
                           COPYTOCPU: permit traffic matching the AccessControlEntry and
                           send a copy to the CPU.
CpuQueue        uint32     CpuQueue to receive traffic when Action is COPYTOCPU                   DEFAULT: 0
SrcGroupRef     string     Source AddressGroup object name representing a list of IPv4, IPv6,    DEFAULT: ""
                           or MAC prefixes. Type of the AccessControlEntry must match Type of
                           the AddressGroup.
DstGroupRef     string     Destination AddressGroup object name representing a list of IPv4,     DEFAULT: ""
                           IPv6, or MAC prefixes. Type of the AccessControlEntry must match
                           Type of the AddressGroup.
FilterRefList   string[]   List of AccessControlFilter object names to apply protocol and        DEFAULT: []
                           TCP/UDP port filtering

REST (cURL) Example

config/AccessControlEntry

curl -k -u <user>:<password> -X POST -H 'Content-Type: application/json' --header 'Accept: application/json' -d '{"Name":"Ace01", "Action":"ALLOW", "SrcGroupRef":"Group10"}' http://device-management-IP:443/public/v1/config/AccessControlEntry

JSON Data Model

{
    "Name": "ACE01",
    "Description": "A description",
    "Type": "IPv4",
    "Priority": 0,
    "Action": "ALLOW",
    "CpuQueue": 0,
    "SrcGroupRef": "Group10",
    "DstGroupRef": "",
    "FilterRefList": []
}

Python Example

from flexswitchV2 import FlexSwitch

name = "ACE01"
action = "ALLOW"
srcgroupref = "Group10"   # AddressGroup must already exist on the switch


if __name__ == '__main__':
    switchIP = "192.168.56.101"
    swtch = FlexSwitch(switchIP, 443)  # Instantiate object to talk to FlexSwitch
    response, error = swtch.createAccessControlEntry(Name=name, Action=action, SrcGroupRef=srcgroupref)

    if error is not None:  # error not being None implies there is some problem
        print(error)
    else:
        print('Success')

CLI Example

localhost(config)#accesscontrolentry 243
localhost(config-accesscontrolentry)#SrcGroupRef 243
localhost(config-accesscontrolentry)#Action ALLOW
localhost(config-accesscontrolentry)#apply
Applying Config:
id: 1    object: AccessControlEntry   status: APPLIED CONFIG  valid: True delete: False num user cmds: 3
 command                   attr                  value    model attr     iskey    required    userprov    time provisioned        
-----------------------------------------------------------------------------------------------------------------------------------
 accesscontrolentry 243    accesscontrolentry    243      Name           True     X           X           Sun Nov 13 03:03:11 2033
 SrcGroupRef 243           SrcGroupRef           243      SrcGroupRef    False                X           Sun Nov 13 03:03:23 2033
 Action ALLOW              Action                ALLOW    Action         False    X           X           Sun Nov 13 03:03:28 2033

sdk:createAccessControlEntry(243,ALLOW,Priority=0,SrcGroupRef=243,DstGroupRef=,CpuQueue=0,Type=IPv4,FilterRefList=None,Description=) result: SUCCESS: http status code: 201

Configuring The Access Control List

Attribute      Data Type  Description                                                          Permitted Values
Name [Key]     string     Access Control List name.
Description    string     Optional description of the AccessControlList
Type           string     Type of the AccessControlList                                        SELECTION: IPv4/IPv6/MAC
EntryRefList   string[]   List of AccessControlEntry object names. The AccessControlEntry      DEFAULT: []
                          Type must match the Type attribute of this object.
IntfRefList    string     List of Port, LAG, or VLAN names to which this AccessControlList     DEFAULT: []
                          is applied
Stage          string     Apply the AccessControlList on IN (ingress) or OUT (egress)          SELECTION: IN/OUT  DEFAULT: IN

REST (cURL) Example

config/AccessControlList

curl -k -u <user>:<password> -X POST -H 'Content-Type: application/json' --header 'Accept: application/json' -d '{"Name":"Acl01", "EntryRefList": ["ACE01"]}' http://device-management-IP:443/public/v1/config/AccessControlList

JSON Data Model

{
    "Name": "Acl01",
    "Description": "",
    "Type": "IPv4",
    "EntryRefList": ["ACE01"],
    "IntfRefList": [],
    "Stage": "IN"
}

Python Example

from flexswitchV2 import FlexSwitch

name = "Acl01"
entryreflist = ["ACE01"]   # EntryRefList is a list of AccessControlEntry names


if __name__ == '__main__':
    switchIP = "192.168.56.101"
    swtch = FlexSwitch(switchIP, 443)  # Instantiate object to talk to FlexSwitch
    response, error = swtch.createAccessControlList(Name=name, EntryRefList=entryreflist)

    if error is not None:  # error not being None implies there is some problem
        print(error)
    else:
        print('Success')

CLI Example

localhost(config)#accesscontrollist Acl101
localhost(config-accesscontrollist)#EntryRefList ACE01
localhost(config-accesscontrollist)#apply
Applying Config:
id: 1    object: AccessControlList   status: APPLIED CONFIG  valid: True delete: False num user cmds: 2
 command                  attr                 value      model attr      iskey    required    userprov    time provisioned        
------------------------------------------------------------------------------------------------------------------------------------
 accesscontrollist 243    accesscontrollist    Acl01       Name            True     X           X           Sun Nov 13 03:03:40 2033
 EntryRefList 243         EntryRefList         ['ACE01']    EntryRefList    False                X           Sun Nov 13 03:03:42 2033
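The three objects above must be created in order, and the attribute tables impose invariants the switch will reject if violated: every AddressList prefix must match the AddressGroup Type, an AccessControlEntry may only reference groups of its own Type, and an AccessControlList may only reference entries of its own Type. The following is an added example (not the flexswitchV2 SDK and not part of the original page) that builds the three payloads for an SNMP manager allow-list and checks those invariants client-side before anything is posted, so a misordered or mistyped configuration fails locally rather than on the device. The MAC address format, the treatment of IntfRefList as a list, and the function names are assumptions made for this example; the object names, paths and sample addresses are the ones used on this page.

```python
import ipaddress
import json
import re

ACTIONS = ("ALLOW", "DENY", "COPYTOCPU")
STAGES = ("IN", "OUT")
TYPES = ("IPv4", "IPv6", "MAC")
# Assumed MAC format (aa:bb:cc:dd:ee:ff); the page does not specify one.
MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}", re.IGNORECASE)


def prefix_matches_type(prefix, addr_type):
    """True if one AddressList entry is valid for the group's Type."""
    if addr_type == "MAC":
        return MAC_RE.fullmatch(prefix) is not None
    try:
        net = ipaddress.ip_network(prefix, strict=False)  # bare host -> /32 or /128
    except ValueError:
        return False
    return net.version == (4 if addr_type == "IPv4" else 6)


def address_group(name, prefixes, addr_type="IPv4"):
    """Build an AddressGroup payload; reject prefixes that do not match Type."""
    if addr_type not in TYPES:
        raise ValueError("unknown Type %r" % addr_type)
    bad = [p for p in prefixes if not prefix_matches_type(p, addr_type)]
    if bad:
        raise ValueError("AddressList entries do not match Type %s: %s" % (addr_type, bad))
    return {"Name": name, "Type": addr_type, "AddressList": list(prefixes)}


def access_control_entry(name, action, groups, src="", dst="", priority=0,
                         cpu_queue=0, ace_type="IPv4", filters=(), description=""):
    """Build an AccessControlEntry payload. `groups` maps names of AddressGroups
    already created to their payloads, so references can be checked."""
    if action not in ACTIONS:
        raise ValueError("unknown Action %r" % action)
    for ref in (src, dst):
        if not ref:
            continue  # empty ref is the documented default
        if ref not in groups:
            raise ValueError("AddressGroup %s must be created before entry %s" % (ref, name))
        if groups[ref]["Type"] != ace_type:
            raise ValueError("AddressGroup %s is %s but entry %s is %s"
                             % (ref, groups[ref]["Type"], name, ace_type))
    return {"Name": name, "Description": description, "Type": ace_type,
            "Priority": priority, "Action": action, "CpuQueue": cpu_queue,
            "SrcGroupRef": src, "DstGroupRef": dst, "FilterRefList": list(filters)}


def access_control_list(name, entry_refs, aces, intfs=(), stage="IN",
                        acl_type="IPv4", description=""):
    """Build an AccessControlList payload; `aces` maps created entry names to payloads."""
    if stage not in STAGES:
        raise ValueError("unknown Stage %r" % stage)
    for ref in entry_refs:
        if ref not in aces:
            raise ValueError("AccessControlEntry %s must be created before list %s" % (ref, name))
        if aces[ref]["Type"] != acl_type:
            raise ValueError("entry %s is %s but list %s is %s"
                             % (ref, aces[ref]["Type"], name, acl_type))
    return {"Name": name, "Description": description, "Type": acl_type,
            "EntryRefList": list(entry_refs), "IntfRefList": list(intfs),
            "Stage": stage}


def build_snmp_acl(manager_prefixes, intfs=()):
    """Return (REST path, payload) pairs in the order they must be POSTed
    under public/v1/ for an allow-list of SNMP manager addresses."""
    group = address_group("Group10", manager_prefixes)
    ace = access_control_entry("ACE01", "ALLOW", {group["Name"]: group},
                               src=group["Name"])
    acl = access_control_list("Acl01", [ace["Name"]], {ace["Name"]: ace},
                              intfs=intfs)
    return [("config/AddressGroup", group),
            ("config/AccessControlEntry", ace),
            ("config/AccessControlList", acl)]


if __name__ == "__main__":
    # Constructed sample input: the two manager addresses used on this page.
    for path, payload in build_snmp_acl(["192.168.100.243", "192.168.100.239"]):
        print("POST public/v1/%s %s" % (path, json.dumps(payload)))
```

Each payload printed by the script is the `-d` body for the matching cURL command on this page, and the list order is the creation order from the ACL Architecture section; a mixed IPv4/IPv6 AddressList or an entry that references a group of a different Type raises ValueError before any request is made.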